
Re: Sobig.f in zmailer list

On Tue, 2003-08-26 at 01:47, Matti Aarnio wrote:

> > it'd be nice if the user at (189.winstar.net) whose PC 
> > identifies as "MICHAEL595" would eliminate the Sobig.F virus from his/her PC 
> > or at least, eliminate zmailer@nic.funet.fi from his/her contact list 
> > :-(
> Sorry,  you are pointing at the wrong source this time around.
> I checked message logs (accumulation mailboxes), no non-member
> postings have been made to the list for quite a while.
> That damn thing is picking up addresses at random, and became
> such a major nuisance that at work we installed the following filter:
>   ftp://zmailer.org/zmailer/smtp-contentfilter.sobig
> I have begun to use parts of that filter at e.g. vger.kernel.org
> with  "-1 250 ..." response, e.g. silent discard, instead of
> more normal "-1 550 ..." rejection.

I have these things in the config for my "lean-mean-contentfilter"
(that is included with Zmailer):

# Viruses in attachments
B^Content-Type: application/octet-stream;^	*NAME=*.scr
B^Content-Type: application/octet-stream;^	*NAME=*.pif
B^Content-Type: application/octet-stream;^	*name=*.scr
B^Content-Type: application/octet-stream;^	*name=*.pif
B^email address. This email address will be expiring.

Note that the whitespace in the lines 5-8 *must* be TAB.
This checks all mail attachment viruses so far (but it can be easily
fooled, of course, if the virus writer specifically wants so).

Eugene Crosser, head of Internet Applications section, +7 501 787 1000
ROL, EDN Sovintel, Golden Telecom, http://user.rol.ru/~crosser/
To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi
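
The same extension check done on the parsed MIME structure instead of on literal body lines, as an added example that is not part of the original message and is not Zmailer's own filter code. The function name `blocked_attachments` and the sample message are constructed for illustration; the sample includes header layouts (name only in Content-Disposition, a different content type, upper-case extension) that the line patterns above do not cover.

```python
import email
import os

BLOCKED_EXT = {".scr", ".pif"}  # the two extensions the rules above target

def blocked_attachments(raw_message: bytes) -> list:
    """Return the declared file names of MIME parts with a blocked extension."""
    msg = email.message_from_bytes(raw_message)
    hits = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition "filename" first, then
        # Content-Type "name", and undoes quoting, folding and RFC 2231 encoding.
        name = part.get_filename()
        if not name:
            continue
        ext = os.path.splitext(name.strip().rstrip("."))[1].lower()
        if ext in BLOCKED_EXT:
            hits.append(name)
    return hits

# Constructed sample message (not taken from the thread).
SAMPLE = b"""\
From: sender@example.org
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See the attached file for details
--b1
Content-Type: application/octet-stream;
\tname="details.pif"

(constructed placeholder body)
--b1
Content-Type: application/x-msdownload
Content-Disposition: attachment; filename="Thank_You.SCR"

(constructed placeholder body)
--b1
Content-Type: application/pdf; name="report.pdf"

(constructed placeholder body)
--b1--
"""
```

A non-empty result is the point at which a filter would reject or discard the message; the declared name is still only what the sender chose to write, so this does not inspect the attachment content itself.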