On Tue, 2004-01-27 at 14:24, J Yunke wrote:
> Thought I'd pass this onto folks who use Exim & SPAM Assassin. I use
> sa-exim with exim4 and for some reason my system filter wasn't working
> properly.
/me references standard rant on MIME parsing within system filters - it
*cannot* be done.
exiscan's standard extension blocking appears to be getting this other
than .zip files which we do not block (the fact that a worm can
successfully propagate through .zip files shows that many windows users
are even more stupid than I ever suspected).
The mail engine of this worm appears to not put a message ID in the
message headers. You can therefore block it by rejecting messages
without a message ID:-
# Reject on no message-id/date from remote hosts
deny condition = ${if !def:h_Message-ID: {1}}
message = Message SHOULD have Message-ID: but does not
deny condition = ${if !def:h_Date: {1}}
message = Message SHOULD have Date: but does not
NB you may want rules in *prior* to these rules, or additions to these
rules to allow authenticated mail or local SMTP injected mail to bypass
this block. Or not.
These rules are running on exim.org. If you don't generate message-id
headers then you have been warned.
For other non-zip forms of attachment you could also look at last weeks
thread on matching MS executables.
Nigel.
--
[ Nigel Metheringham Nigel.Metheringham@??? ]
[ - Comments in this message are my own and not ITO opinion/policy - ]