[Exim] mydoom (aka W32.Novarg) filter

Pàgina inicial
Delete this message
Reply to this message
Autor: Alexander Meyer (spot-media AG)
Data:  
A: exim-users
Assumpte: [Exim] mydoom (aka W32.Novarg) filter
--
hi list,

if anyone is interested i wrote a little filter to exterminate the
mydoom/novarg mails that many of my users complained about.

here it is:

-snip-

# mydoom worm

if $h_subject: matches "(hello|hi|mail delivery
system|status|error||server report|test|status|mail transaction failed)"
then
if $message_body matches
"(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=)(\"(xzvmowb|text|rtiqubj|readme|doc(ument)?|body|data|test|message|file|dgewqbp|mgsmbl|rqyjx)\.(scr|pif|cmd|zip|exe|bat)\")"
then
if not error_message
then
logfile /var/log/exim_mydoom_reject 0600
logwrite "$tod_log $message_id $h_from => $h_to subject: $h_subject"
save /var/mail/exim_mydoom_rejects 0644
seen finish
endif
endif
endif

-snap-

regards,

ali.

--
[ Content of type application/pgp-signature deleted ]
--