On 20 Jan 2004 at 13:45, Greg A. Woods wrote about
"Re: [Exim] needed: beagle/bagle pat":
|...
| If I'm not mistaken the very same regular expression that detects mail
| bodies with sobig and many other viruses and worms will also detect this
| new worm:
|
| "^TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA"

Your post prompted me to try this in a redirect router, since it
sounded trivial (no need for the exiscan patch). I must be missing
something obvious, since I can't get it to work. I added this router
definition above the normal alias and local delivery routers:

    check_exe:
      driver = redirect
      no_verify
      data = ${if match { $message_body } \
                 { "TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA" } \
                 {exe} fail }

I left off the ^ since in $message_body newlines have been converted
to spaces. message_body_visible is set to 2000, which is more than
enough to include the first few lines of the attachment in the test
message I tried. pcretest says the pattern matches the text
cut&pasted from the message (with newlines converted to spaces).
But the router doesn't handle the message. I feel stupid, what am I
missing?
- Fred
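
An added example, not part of the original post: a Python approximation of the test described above, showing that the quoted pattern keys on the base64 form of a Windows executable's MZ header once newlines are flattened to spaces, and which inputs stop it matching. The sample header, the MIME part, the helper names and the final quoted-pattern case are constructed assumptions, not Exim code or behaviour confirmed in the post.

```python
import base64
import re

# Pattern from the quoted message, without the leading ^ (as in the router).
PATTERN = r"TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA"
BODY_VISIBLE = 2000  # message_body_visible value given in the post


def dos_header() -> bytes:
    """Constructed sample: a typical 64-byte DOS header of a Windows executable."""
    hdr = bytearray(64)
    hdr[0:2] = b"MZ"
    for offset, value in ((2, 0x90), (4, 3), (8, 4), (12, 0xFFFF),
                          (16, 0xB8), (24, 0x40), (60, 0x80)):
        hdr[offset:offset + 2] = value.to_bytes(2, "little")
    return bytes(hdr)


def mime_part(payload: bytes, name: str) -> str:
    """Constructed MIME part: headers, blank line, base64 wrapped at 76 columns."""
    return ("--boundary\n"
            f"Content-Type: application/octet-stream; name={name}\n"
            "Content-Transfer-Encoding: base64\n\n"
            + base64.encodebytes(payload).decode("ascii"))


def flattened_body(raw: str) -> str:
    """Approximate $message_body as the post describes it: newlines become
    spaces and only the first BODY_VISIBLE characters are kept."""
    return raw.replace("\n", " ")[:BODY_VISIBLE]


def matches(pattern: str, body: str) -> bool:
    return re.search(pattern, body) is not None


EXE = flattened_body("See attached.\n\n" + mime_part(dos_header() + bytes(448), "x.exe"))
TXT = flattened_body("See attached.\n\n" + mime_part(b"plain text notes\n" * 30, "x.txt"))
LATE = flattened_body("x" * BODY_VISIBLE + "\n" + mime_part(dos_header(), "x.exe"))

if __name__ == "__main__":
    print("executable, unanchored:", matches(PATTERN, EXE))
    print("text attachment:       ", matches(PATTERN, TXT))
    print("executable, with ^:    ", matches("^" + PATTERN, EXE))
    print("attachment past limit: ", matches(PATTERN, LATE))
    # Assumption: quotes and padding spaces inside the braces reach the regex literally.
    print("quoted, padded pattern:", matches(' "' + PATTERN + '" ', EXE))
```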