Re: [Exim] needed: beagle/bagle pattern

Author: Exim User's Mailing List
Date:  
To: fv, Exim User's Mailing List
Subject: Re: [Exim] needed: beagle/bagle pattern
[ On Tuesday, January 20, 2004 at 20:24:18 (-0500), Wakko Warner wrote: ]
> Subject: Re: [Exim] needed: beagle/bagle pattern
>
> > |...
> > | If I'm not mistaken the very same regular expression that detects mail
> > | bodies with sobig and many other viruses and worms will also detect this
> > | new worm:
> > |
> > |     "^TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA"
> >
> > Your post prompted me to try this in a redirect router, since it
> > sounded trivial (no need for the exiscan patch). I must be missing
> > something obvious, since I can't get it to work. I added this router
> > definition above the normal alias and local delivery routers:
> >
> > check_exe:
> >   driver    = redirect
> >   no_verify
> >   data        = ${if match { $message_body } \
> >         { "TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA" } \
>
> Try:
> {TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA}
>
> there. You're actually searching for the string:
> -- "TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA" --
> (I put the double dash to show the space at the end).

Note that the pattern should match the beginning of a line -- i.e. the
'^' is important -- at least from a performance perspective. I'm not
sure if the "${if match { $message_body }" expression shown above will
stop on first match or not, but I assume it will and as such you may
save at least some of your CPU cycles if you put the '^' in (though of
course thanks to the inherent store-and-forward nature of SMTP you're
doomed to receive the entire body regardless).

--
                        Greg A. Woods


+1 416 218-0098                  VE3TCP            RoboHack <woods@???>
Planix, Inc. <woods@???>          Secrets of the Weird <woods@???>
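An added illustration of the two points raised in this thread (the quoting mistake and the value of the '^' anchor), written for this page and not taken from the thread or from Exim itself. The leading "TV" in the pattern is simply how the two bytes "MZ" (the DOS/PE executable header) come out in base64, which is why one pattern catches several worms. The example also models a caveat the thread does not mention: Exim's $message_body, as documented, replaces newlines with spaces and exposes only the first message_body_visible bytes (500 by default; later releases added message_body_newlines to keep the line breaks), so a '^'-anchored match against it only fires when the base64 line is the very first thing in the body. The exim_message_body() helper is my approximation of that behaviour, the router names and sample mail are constructed, and the header bytes are a typical DOS stub, not a runnable file.

```python
import base64
import re

# The body pattern quoted in the thread. Base64 of the bytes "MZ" (the DOS/PE
# executable header) always begins with "TV", so the pattern keys on
# base64-encoded Windows executables rather than on any single worm.
BODY_PATTERN = r"TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA"

# Anchored at the start of a base64 line (Greg's point) versus searched anywhere.
ANCHORED = re.compile("^" + BODY_PATTERN, re.MULTILINE)
UNANCHORED = re.compile(BODY_PATTERN)
# What the original router's { "..." } literal actually searched for (Wakko's
# point): the double quotes and the surrounding spaces are part of the string.
MISQUOTED = re.compile(' "' + BODY_PATTERN + '" ')

# Assumed Exim defaults for the simulation: $message_body is the first
# message_body_visible bytes (500) with every newline replaced by a space.
MESSAGE_BODY_VISIBLE = 500


def fake_exe_stub() -> bytes:
    """Constructed sample: the first 64 bytes of a typical DOS stub header (not a runnable file)."""
    hdr = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    hdr += b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00"
    return hdr + b"\x00" * 36  # e_res fields, zero padded


def build_body(attachment: bytes, preamble: str) -> str:
    """Constructed MIME-style body: a text part, then a base64 part wrapped at 76 columns."""
    b64 = base64.b64encode(attachment).decode("ascii")
    wrapped = "\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return (
        preamble + "\n\n--boundary\n"
        "Content-Type: application/octet-stream\n"
        "Content-Transfer-Encoding: base64\n\n"
        + wrapped + "\n--boundary--\n"
    )


def exim_message_body(raw_body: str) -> str:
    """Approximation (assumption) of what Exim exposes as $message_body."""
    return raw_body[:MESSAGE_BODY_VISIBLE].replace("\n", " ")


def matches(pattern: "re.Pattern[str]", text: str) -> bool:
    return pattern.search(text) is not None


def scan(raw_body: str) -> dict:
    """Run the patterns over the full body and over the simulated $message_body."""
    body = exim_message_body(raw_body)
    return {
        "full_anchored": matches(ANCHORED, raw_body),
        "full_unanchored": matches(UNANCHORED, raw_body),
        "misquoted": matches(MISQUOTED, raw_body),
        "exim_anchored": matches(ANCHORED, body),
        "exim_unanchored": matches(UNANCHORED, body),
    }


if __name__ == "__main__":
    samples = {
        "short": build_body(fake_exe_stub(), "Hi, see attached."),
        "long-preamble": build_body(fake_exe_stub(), "Hi,\n" + "This is a long message. " * 30),
        "clean": build_body(b"just a text file, nothing to see here", "Hi, notes attached."),
    }
    for name, body in samples.items():
        print(name, scan(body))
```

Running it shows the misquoted pattern never matches anything, the anchored pattern matches each base64 line of the full body but not the newline-flattened $message_body, and once the text part pushes the attachment past the visible window nothing matches at all. In other words, for a router-level check the quoting fix is necessary but not sufficient: the scanner has to see the line structure and the whole body (exiscan's demime, or a content scanner at delivery time) before the '^' buys anything.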