Re: Sobig.f in zmailer list
On Tue, 2003-08-26 at 01:47, Matti Aarnio wrote:
> > it'd be nice if the user at 63.142.145.189 (189.winstar.net) whose PC
> > identifies as "MICHAEL595" would eliminate the Sobig.F virus from his/her PC
> > or at least, eliminate zmailer@nic.funet.fi from his/her contact list
> > :-(
>
> Sorry, you are pointing at the wrong source this time around.
> I checked message logs (accumulation mailboxes), no non-member
> postings have been made to the list for quite a while.
>
> That damn thing is picking up addresses at random, and became
> such a major nuisance that at work we installed the following filter:
>
> ftp://zmailer.org/zmailer/smtp-contentfilter.sobig
>
> I have begun to use parts of that filter at e.g. vger.kernel.org
> with "-1 250 ..." response, e.g. silent discard, instead of
> more normal "-1 550 ..." rejection.

I have these things in the config for my "lean-mean-contentfilter"
(that is included with Zmailer):

# Viruses in attachments
B^Content-Type:*NAME=*.scr
B^Content-Type:*NAME=*.pif
B^Content-Type:*name=*.scr
B^Content-Type:*name=*.pif
B^Content-Type: application/octet-stream;^ *NAME=*.scr
B^Content-Type: application/octet-stream;^ *NAME=*.pif
B^Content-Type: application/octet-stream;^ *name=*.scr
B^Content-Type: application/octet-stream;^ *name=*.pif
B^Content-Type:*NAME=your_details.zip
B^Content-Type:*name=your_details.zip
B^Content-Type:*NAME="your_details.zip"
B^Content-Type:*name="your_details.zip"
B^email address. This email address will be expiring.

Note that the whitespace in the lines 5-8 *must* be TAB.
This checks all mail attachment viruses so far (but it can be easily
fooled, of course, if the virus writer specifically wants so).
--
Eugene Crosser, head of Internet Applications section, +7 501 787 1000
ROL, EDN Sovintel, Golden Telecom, http://user.rol.ru/~crosser/
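
Added example, not part of the original message and not zmailer's contentfilter: the same blocking policy (.scr, .pif, your_details.zip) applied after MIME parsing with Python's standard email package, so that NAME=/name= spellings, quoting and header folding do not each need their own rule, and the Content-Disposition filename is checked as well. The function name and the sample message are constructed for illustration.

```python
import email

# Policy taken from the filter rules in the message above.
BLOCKED_EXTENSIONS = (".scr", ".pif")
BLOCKED_NAMES = ("your_details.zip",)


def blocked_attachments(raw_message: bytes) -> list:
    """Return attachment file names that match the blocking policy."""
    msg = email.message_from_bytes(raw_message)
    hits = []
    for part in msg.walk():
        # get_filename() reads the Content-Disposition "filename" parameter
        # and falls back to the Content-Type "name" parameter; parameter
        # names are compared case-insensitively and quotes are removed.
        name = part.get_filename()
        if not name:
            continue
        lowered = name.strip().lower()
        if lowered.endswith(BLOCKED_EXTENSIONS) or lowered in BLOCKED_NAMES:
            hits.append(name)
    return hits


# Constructed sample message (not real traffic); attachment bodies are dummies.
SAMPLE = (
    b"From: sender@example.org\r\n"
    b"Subject: Re: Details\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream;\r\n"
    b'\tName="details.PIF"\r\n'
    b"\r\n"
    b"AAAA\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="your_details.zip"\r\n'
    b"\r\n"
    b"AAAA\r\n"
    b"--b1\r\n"
    b'Content-Type: application/pdf; name="report.pdf"\r\n'
    b"\r\n"
    b"AAAA\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    print(blocked_attachments(SAMPLE))
```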