Author: Alexander Meyer (spot-media AG)
Date:
To: exim-users
Subject: [Exim] mydoom (aka W32.Novarg) filter
--
hi list,
if anyone is interested i wrote a little filter to exterminate the
mydoom/novarg mails that many of my users complained about.
here it is:
-snip-
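# mydoom worm
# Subject test: lower-case "matches" ignores case and is unanchored.
# The empty alternative in "error||server report" matched every subject,
# so it is removed here, along with the duplicate "status".
if $h_subject: matches "(hello|hi|mail delivery system|status|error|server report|test|mail transaction failed)"
then
  # Attachment header naming one of the worm's file names and extensions.
  # The dot before the extension is escaped like the other backslashes,
  # so it matches a literal "." and not any character.
  if $message_body matches
  "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=)(\"(xzvmowb|text|rtiqubj|readme|doc(ument)?|body|data|test|message|file|dgewqbp|mgsmbl|rqyjx)\\\\.(scr|pif|cmd|zip|exe|bat)\")"
  then
    # Leave bounce messages alone.
    if not error_message
    then
      # Log the hit, keep a copy of the message, and stop normal delivery.
      logfile /var/log/exim_mydoom_reject 0600
      logwrite "$tod_log $message_id $h_from => $h_to subject: $h_subject"
      save /var/mail/exim_mydoom_rejects 0644
      seen finish
    endif
  endif
endif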
-snap-
regards,
ali.
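
An added example, not part of the original post: a Python harness that runs the filter's two conditions over constructed sample messages, to check what the filter would save before deploying it. Assumptions: the atomic groups are written as plain \s*, the filename dot is literal, the wrapped subject line is joined with a space, and the helper names (exim_message_body, filter_saves) are hypothetical.

```python
import re

# Patterns as PCRE sees them after Exim unescapes "\\\\s" to \s. Assumptions:
# (?>\s*) is written as \s* (same matches here, portable to Python < 3.11)
# and the dot before the extension is a literal dot.
ATTACH_RE = re.compile(
    r'(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);\s*'
    r'(?:file)?name=)("(xzvmowb|text|rtiqubj|readme|doc(ument)?|body|data|test'
    r'|message|file|dgewqbp|mgsmbl|rqyjx)\.(scr|pif|cmd|zip|exe|bat)")',
    re.IGNORECASE)  # a lower-case "matches" in a filter ignores case
SUBJ_POSTED = re.compile(  # as posted, wrapped line joined with a space
    '(hello|hi|mail delivery system|status|error||server report|test|status'
    '|mail transaction failed)', re.IGNORECASE)
SUBJ_FIXED = re.compile(   # empty alternative and duplicate removed
    '(hello|hi|mail delivery system|status|error|server report|test'
    '|mail transaction failed)', re.IGNORECASE)

def exim_message_body(raw, visible=500):
    """Approximate $message_body: the first message_body_visible characters
    (default 500), with newlines and NULs converted to spaces."""
    return re.sub(r'[\n\0]', ' ', raw[:visible])

def filter_saves(subject, raw_body, subj_re=SUBJ_FIXED, visible=500):
    """True when both filter conditions match (bounce test not modelled)."""
    body = exim_message_body(raw_body, visible)
    return bool(subj_re.search(subject)) and bool(ATTACH_RE.search(body))

# Constructed sample MIME parts, not captured traffic.
WORM_PART = ('--b1\nContent-Type: application/octet-stream;\n'
             '\tname="document.zip"\nContent-Transfer-Encoding: base64\n')
CLEAN_PART = '--b1\nContent-Type: application/pdf;\n\tname="invoice.pdf"\n'
LATE_PART = 'x' * 600 + '\n' + WORM_PART  # attachment header past 500 chars

if __name__ == '__main__':
    for subj in ('Quarterly report', 'Shipping update', 'Mail Delivery System'):
        print(f'{subj!r}: posted={bool(SUBJ_POSTED.search(subj))} '
              f'fixed={bool(SUBJ_FIXED.search(subj))}')
    print('worm part saved:', filter_saves('hi', WORM_PART))
    print('clean part saved:', filter_saves('hi', CLEAN_PART))
    print('late part, 500 visible:', filter_saves('test', LATE_PART))
    print('late part, 2000 visible:', filter_saves('test', LATE_PART, visible=2000))
```

The subject test is a substring match, so the attachment test carries the decision; if attachment headers fall outside the visible window, raise message_body_visible in the Exim configuration.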