[ On Tuesday, January 20, 2004 at 20:24:18 (-0500), Wakko Warner wrote: ]
> Subject: Re: [Exim] needed: beagle/bagle pattern
>
> > |...
> > | If I'm not mistaken the very same regular expression that detects mail
> > | bodies with sobig and many other viruses and worms will also detect this
> > | new worm:
> > |
> > | "^TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA"
> >
> > Your post prompted me to try this in a redirect router, since it
> > sounded trivial (no need for the exiscan patch). I must be missing
> > something obvious, since I can't get it to work. I added this router
> > definition above the normal alias and local delivery routers:
> >
> > check_exe:
> > driver = redirect
> > no_verify
> > data = ${if match { $message_body } \
> > { "TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA" } \
>
> Try:
> {TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA}
>
> there. You're actually searching for the string:
> -- "TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA" --
> (I put the double dash to show the space at the end).

Note that the pattern should match the beginning of a line -- i.e. the
'^' is important -- at least from a performance perspective. I'm not
sure if the "${if match { $message_body }" expression shown above will
stop on first match or not, but I assume it will and as such you may
save at least some of your CPU cycles if you put the '^' in (though of
course thanks to the inherent store-and-forward nature of SMTP you're
doomed to receive the entire body regardless).
--
Greg A. Woods
+1 416 218-0098 VE3TCP RoboHack <woods@???>
Planix, Inc. <woods@???> Secrets of the Weird <woods@???>
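
An added example, not part of the original message: the pattern from the thread run over constructed message bodies, comparing the line-anchored form, the unanchored form, and the literal string (quotes and spaces included) that the quoted reply says was being searched for. Python's `re` with `re.MULTILINE` stands in for the matcher and assumes the body keeps its line breaks; Exim's own expansion of `$message_body` is not modelled, and all names and sample data here are constructed.

```python
import base64
import re

# Pattern quoted in the thread, anchored to the start of a line.
PATTERN = r"^TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA"
ANCHORED = re.compile(PATTERN, re.MULTILINE)
UNANCHORED = re.compile(PATTERN.lstrip("^"))
# Literal form described in the quoted reply: quotes and spaces kept inside the braces.
QUOTED = re.compile(' "' + PATTERN.lstrip("^") + '" ')


def mime_part(payload: bytes, name: str) -> str:
    """Build a constructed base64 MIME part (76-column lines)."""
    return (
        "--boundary\n"
        f'Content-Type: application/octet-stream; name="{name}"\n'
        "Content-Transfer-Encoding: base64\n\n"
        + base64.encodebytes(payload).decode("ascii")
    )


# Constructed sample: first bytes of a DOS/PE header ("MZ" ...), zero padded to 64 bytes.
# It is a header stub for exercising the pattern, not a runnable program.
MZ_STUB = bytes.fromhex(
    "4d5a90000300000004000000ffff0000b800000000000000400000"
).ljust(64, b"\0")
TEXT = b"Quarterly report attached. Nothing executable in here at all.\n" * 3

EXE_BODY = "See the attachment.\n" + mime_part(MZ_STUB, "sample.exe")
TXT_BODY = "See the attachment.\n" + mime_part(TEXT, "report.txt")
# Prose that quotes the encoded header in the middle of a line.
PROSE_BODY = "The part began with " + base64.b64encode(MZ_STUB).decode("ascii") + "\n"


def flags_executable(body: str, rx: re.Pattern = ANCHORED) -> bool:
    """True when the compiled pattern is found anywhere in the body."""
    return rx.search(body) is not None


if __name__ == "__main__":
    print("sample     anchored unanchored quoted")
    for label, body in [("exe", EXE_BODY), ("txt", TXT_BODY), ("prose", PROSE_BODY)]:
        print(f"{label:10} {flags_executable(body)!s:8} "
              f"{flags_executable(body, UNANCHORED)!s:10} "
              f"{flags_executable(body, QUOTED)}")
```

The anchored form flags only the body whose base64 line begins with the encoded header; the unanchored form also flags the prose line that merely quotes it, and the quoted literal flags nothing.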