Re: [Exim] MyDoom filtering?

Author: Jonathan Vanasco
Date:  
To: Matthew McClement
CC: Exim-users
Subject: Re: [Exim] MyDoom filtering?
I'm getting a lot of MS-Dooms with message ID too, so I'm not bothering
with that approach.

I'm worried about your setup though. At my small office, we're getting
several hundred msdooms per hour. They all have forged headers.

Your Deny is causing bounces on those. Lots of bounces.

You really should either discard them, though, or move them to a quarantine
and check hourly if you need to.




On Jan 29, 2004, at 11:49 AM, Matthew McClement wrote:

> David Woodhouse wrote:
>> On Tue, 2004-01-27 at 09:42 -0600, CJ Kucera wrote:
>>
>>> Hello, list...
>>>
>>> I was wondering if anyone happens to have an acl or the like which
>>> can be used to filter out MyDoom messages? Thanks...
>>
>>
>> This fragment of the DATA ACL seemed to catch them for me:
>>
>>   # Deny messages without Message-ID, but allow bounces.
>>   deny  !senders = :
>>         condition = ${if !def:h_Message-ID: {1}}
>>         message = RFC2822 says you SHOULD have a Message-ID.\n\
>>                   Most messages without it are spam, so your mail has been rejected.
>
> For some reason this only caught a small number of cases for me. I
> landed up constructing what can only be a horror of a data acl, but it
> works. For those interested:
>
> ----------
>   deny  condition = ${if match {$message_body}\
>                         {\N.*\
>                         UEsDBAoAAAAAA......zy5egAlgAAAJYAA.*\N}{true}}
>         message = Looks like a MyDoom infected mail. E-mail postmaster@yourdomain.\n\
>                   if you think this was a false positive.
>         log_message = "MyDoom ACL no. 1 hit, date: $header_date: "
>   deny  condition = ${if match {$message_body}\
>                         {\N.*\
>                         UEsDBAoAAAAAA......KJx.eAFgAAABYAA.*\N}{true}}
>         message = Looks like a MyDoom infected mail. E-mail postmaster@yourdomain.\n\
>                   if you think this was a false positive.
>         log_message = "MyDoom ACL no. 2 hit, date: $header_date: "
>   deny  condition = ${if match {$message_body}\
>                         {\N.*\
> QWRuwhLeZHJyFsetbllrtEilOBwrJ8OYMXsTGWAEvKwwhG6qzQlpQXePs2GNRklxNWtlZBN2agul.*\
> YxILFUnSmWGSblIi5FUzNsGwsPXUQpMmSx2FFJx5orXascf4NmeMS2V5DE9wTd069.gLRSQOOlaN.*\
> dWVhBwCGDyQRCTN3KaZ1bTAMr63ZbLM.ZMIIAW2j7rQ1zHNlomp3QxDz2N8MAwdpc2RpZ2kZdXBw.*\
> c83NthF4EglmWwg4zVb4c3BhS0.NLFjA.nubVS9CdWZmQQ8LZ9qOPExvd3d2OXK2I1GYbdh3CkfY.*\
>                         .*\N}{true}}
>         message = Looks like a MyDoom infected mail. E-mail postmaster@yourdomain.\n\
>                   if you think this was a false positive.
>         log_message = "MyDoom ACL no. 3 hit, date: $header_date: "
> ----------
>
> In case it gets munged by my mail client, you can also grab it here:
> http://www.rawimages.org/acl_fragment.txt
>
> Any suggestions/improvements are more than welcome, as I doubt I've done
> it in the most efficient manner possible.
>
> Matt
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users
> Exim details at http://www.exim.org/ ##
>
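Added example, not from this thread and not Exim code: a Python script that does in plain code what the quoted DATA ACL does with regexes, and shows why the pattern works. The "UEsDBAoAAAAAA" string the ACL keys on is the base64 encoding of a ZIP local-file header whose version field is 1.0 and whose flag and compression-method fields are zero, i.e. an uncompressed ("stored") member, which is how the worm ships its executable; the six dots after it skip the timestamp fields. The script derives that signature from the raw bytes, searches the raw message for it as the ACL does, then decodes the attachment and parses the header to confirm a stored member with an executable name, and returns "quarantine" rather than a reject so that nothing is bounced to the forged sender (Exim's ACL verb discard does the equivalent of dropping it). The two sample messages, the document.zip / document.exe and notes.txt names, and the helper names (classify, raw_body_matches, stored_zip_member_name) are all constructed for this example.

```python
import base64
import email
import io
import re
import struct
import zipfile
import zlib
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# A ZIP local-file header starts PK\x03\x04, then version-needed (1.0 = 0x0a 0x00),
# general-purpose flags and compression method, both 0 for a "stored" member.
# base64 of those bytes is the string the quoted ACL matches on.
_STORED_HEADER = b"PK\x03\x04\x0a\x00\x00\x00\x00\x00\x00\x00"
ZIP_STORED_B64 = base64.b64encode(_STORED_HEADER).decode()   # "UEsDBAoAAAAAAAAA"
# 13 characters cover bytes 0..8 and only the top bits of byte 9, so the
# timestamp fields that follow (the ACL's "......") are not included.
SIGNATURE = ZIP_STORED_B64[:13]                               # "UEsDBAoAAAAAA"
BODY_PATTERN = re.compile(re.escape(SIGNATURE.encode("ascii")))
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".cmd", ".bat")


def raw_body_matches(raw: bytes) -> bool:
    """Mirror the ACL's ${if match {$message_body}...}: search the raw message
    for the base64 signature without decoding anything."""
    return BODY_PATTERN.search(raw) is not None


def stored_zip_member_name(blob: bytes) -> Optional[str]:
    """Parse the fixed 30-byte local-file header; return the first member's
    name if blob is a ZIP whose first member is stored (method 0), else None."""
    if len(blob) < 30 or blob[:4] != b"PK\x03\x04":
        return None
    method, = struct.unpack_from("<H", blob, 8)
    name_len, = struct.unpack_from("<H", blob, 26)
    if method != 0:
        return None
    return blob[30:30 + name_len].decode("latin-1", "replace")


def classify(raw: bytes) -> Dict[str, object]:
    """Return the disposition and the evidence for one raw RFC 2822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: List[str] = []
    if msg["Message-ID"] is None:
        reasons.append("missing Message-ID")      # weak evidence on its own
    if raw_body_matches(raw):
        reasons.append("base64 stored-ZIP header in body")
    for part in msg.iter_attachments():
        member = stored_zip_member_name(part.get_payload(decode=True) or b"")
        if member and member.lower().endswith(EXECUTABLE_EXT):
            reasons.append("stored ZIP wraps executable %s" % member)
    worm = any(r.startswith("stored ZIP") for r in reasons)
    # The envelope sender of these mails is forged, so answering 5xx ("deny")
    # lets a relaying MTA bounce the rejection to an innocent third party.
    # Accept and set the message aside instead; nothing goes back to the sender.
    return {"action": "quarantine" if worm else "accept", "reasons": reasons}


def _stored_zip(name: bytes, data: bytes) -> bytes:
    """Constructed sample: local-file header plus data for one stored member
    (enough for the checks above; a full archive would add a central directory)."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    return struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 10, 0, 0, 0, 0,
                       crc, len(data), len(data), len(name), 0) + name + data


def _deflated_zip(name: str, data: bytes) -> bytes:
    """Constructed sample: a real compressed archive as a normal user would send."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def _mail(message_id: Optional[str], attachment: bytes) -> bytes:
    """Constructed sample message with one base64-encoded ZIP attachment."""
    msg = EmailMessage()
    msg["From"] = "someone@example.org"       # forged in the worm case
    msg["To"] = "postmaster@example.net"
    msg["Subject"] = "hello"
    if message_id is not None:
        msg["Message-ID"] = message_id
    msg.set_content("see attachment")
    msg.add_attachment(attachment, maintype="application", subtype="zip",
                       filename="document.zip")
    return msg.as_bytes()


def worm_mail() -> bytes:
    """Constructed: no Message-ID, stored ZIP wrapping document.exe."""
    return _mail(None, _stored_zip(b"document.exe", b"MZ" + b"\0" * 64))


def clean_mail() -> bytes:
    """Constructed: an ordinary mail with a deflated ZIP of a text file."""
    return _mail("<20040129114900.1234@example.org>",
                 _deflated_zip("notes.txt", b"hello\n"))


if __name__ == "__main__":
    for label, raw in (("worm", worm_mail()), ("clean", clean_mail())):
        print(label, classify(raw))
```

Two caveats when carrying this back to the ACL: Exim's $message_body exposes only the first message_body_visible bytes of the body (500 by default), so a signature that sits in a second attachment can be out of the regex's reach, whereas the script searches the whole message; and the base64 signature only lines up when the archive starts at the beginning of an encoded part, which holds for a normal attachment but not for a ZIP nested inside some other encoding. Parsing the decoded header, as stored_zip_member_name does, has neither limitation.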