[Exim] mydoom (aka W32.Novarg) filter

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
 
 
Delete this message
Reply to this message
Author: Alexander Meyer (spot-media AG)
Date:  
To: exim-users
Subject: [Exim] mydoom (aka W32.Novarg) filter
--
hi list,

if anyone is interested i wrote a little filter to exterminate the
mydoom/novarg mails that many of my users complained about.

here it is:

-snip-

# mydoom worm

if $h_subject: matches "(hello|hi|mail delivery
system|status|error||server report|test|status|mail transaction failed)"
then
if $message_body matches
"(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=)(\"(xzvmowb|text|rtiqubj|readme|doc(ument)?|body|data|test|message|file|dgewqbp|mgsmbl|rqyjx)\.(scr|pif|cmd|zip|exe|bat)\")"
then
if not error_message
then
logfile /var/log/exim_mydoom_reject 0600
logwrite "$tod_log $message_id $h_from => $h_to subject: $h_subject"
save /var/mail/exim_mydoom_rejects 0644
seen finish
endif
endif
endif

-snap-

regards,

ali.

--
[ Content of type application/pgp-signature deleted ]
--


This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-[Exim] empty line in headers, was it exim list server?Re: [Exim] Hello All->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)