Re: [Exim] MyDoom filtering?

Author: Matthew McClement
Date:  
To: David Woodhouse
CC: exim-users
Subject: Re: [Exim] MyDoom filtering?
David Woodhouse wrote:
> On Tue, 2004-01-27 at 09:42 -0600, CJ Kucera wrote:
>
>>Hello, list...
>>
>>I was wondering if anyone happens to have an acl or the like which
>>can be used to filter out MyDoom messages? Thanks...
>
>
> This fragment of the DATA ACL seemed to catch them for me:
>
>   # Deny messages without Message-ID, but allow bounces.
>   deny  !senders = :
>         condition = ${if !def:h_Message-ID: {1}}
>         message = RFC2822 says you SHOULD have a Message-ID.\n\
>                   Most messages without it are spam, so your mail has been rejected.
For some reason this only caught a small number of cases for me. I
landed up constructing what can only be a horror of a data acl, but it
works. For those interested:

----------
   deny  condition = ${if match {$message_body}\
                         {\N.*\
                         UEsDBAoAAAAAA......zy5egAlgAAAJYAA.*\N}{true}}
         message = Looks like a MyDoom infected mail. E-mail postmaster@yourdomain.\n\
                   if you think this was a false positive.
         log_message = "MyDoom ACL no. 1 hit, date: $header_date: "
   deny  condition = ${if match {$message_body}\
                         {\N.*\
                         UEsDBAoAAAAAA......KJx.eAFgAAABYAA.*\N}{true}}
         message = Looks like a MyDoom infected mail. E-mail postmaster@yourdomain.\n\
                   if you think this was a false positive.
         log_message = "MyDoom ACL no. 2 hit, date: $header_date: "
   deny  condition = ${if match {$message_body}\
                         {\N.*\
                         QWRuwhLeZHJyFsetbllrtEilOBwrJ8OYMXsTGWAEvKwwhG6qzQlpQXePs2GNRklxNWtlZBN2agul.*\
                         YxILFUnSmWGSblIi5FUzNsGwsPXUQpMmSx2FFJx5orXascf4NmeMS2V5DE9wTd069.gLRSQOOlaN.*\
                         dWVhBwCGDyQRCTN3KaZ1bTAMr63ZbLM.ZMIIAW2j7rQ1zHNlomp3QxDz2N8MAwdpc2RpZ2kZdXBw.*\
                         c83NthF4EglmWwg4zVb4c3BhS0.NLFjA.nubVS9CdWZmQQ8LZ9qOPExvd3d2OXK2I1GYbdh3CkfY.*\
                         .*\N}{true}}
         message = Looks like a MyDoom infected mail. E-mail postmaster@yourdomain.\n\
                   if you think this was a false positive.
         log_message = "MyDoom ACL no. 3 hit, date: $header_date: "
----------


In case it gets munged by my mail client, you can also grab it here:
http://www.rawimages.org/acl_fragment.txt

Any suggestions/improvements are more than welcome, as I doubt I've done
it in the most efficient manner possible.

Matt
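An added example, not part of Matt's post or of Exim itself, that lets you check the first two body patterns above offline before putting them in a live ACL: it reproduces what `$message_body` looks like to `${if match ...}` (Exim's defaults: only the first `message_body_visible` = 1024 bytes, newlines turned into spaces), decodes the shared base64 prefix to show that the rules key on the ZIP local-file-header magic of the attachment, and runs constructed MIME bodies through the rules, including two cases where the signature is present but the rule still misses (attachment past the 1024-byte window, base64 line wrap falling inside the literal). The message layout and sample payloads are constructed test data.

```python
import base64
import re

# The two single-line patterns from the ACL above. The six dots are regex
# wildcards for the bytes that differ between samples (the ZIP header's
# variable timestamp/CRC region), not an elision.
MYDOOM_PATTERNS = {
    "MyDoom ACL no. 1": r"UEsDBAoAAAAAA......zy5egAlgAAAJYAA",
    "MyDoom ACL no. 2": r"UEsDBAoAAAAAA......KJx.eAFgAAABYAA",
}

MESSAGE_BODY_VISIBLE = 1024  # Exim's default for message_body_visible


def exim_message_body(raw_body: str) -> str:
    """Approximate $message_body: only the first message_body_visible bytes,
    with each newline replaced by a space (Exim's default unless
    message_body_newlines is set)."""
    return raw_body[:MESSAGE_BODY_VISIBLE].replace("\r", "").replace("\n", " ")


def match_rule(raw_body: str):
    """Return the log_message label of the first rule that would fire, or None.
    ${if match ...} is an unanchored regex search, which re.search mirrors."""
    body = exim_message_body(raw_body)
    for label, pattern in MYDOOM_PATTERNS.items():
        if re.search(pattern, body):
            return label
    return None


def zip_header_prefix(b64_prefix: str = "UEsDBAoAAAAA") -> bytes:
    """Decode the fixed base64 prefix both rules share: it is the ZIP
    local-file-header magic "PK\\x03\\x04" followed by version/flag bytes,
    i.e. the rules fingerprint the start of the worm's .zip attachment."""
    return base64.b64decode(b64_prefix)


def build_sample(payload_b64: str, preamble: str = "") -> str:
    """Constructed MIME body: optional text preamble, then a base64 attachment
    part wrapped at 76 columns, as a mail client would encode it."""
    lines = [preamble + "This is a multi-part message in MIME format.", "",
             "--boundary", "Content-Transfer-Encoding: base64", ""]
    lines += [payload_b64[i:i + 76] for i in range(0, len(payload_b64), 76)]
    return "\n".join(lines)
```

The two misses are worth knowing about: a long text part pushes the attachment beyond the 1024-byte window unless `message_body_visible` is raised, and a 76-column wrap that lands inside the literal part of the signature inserts a space the pattern does not allow for.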