[linux-elitists] sobig.f: Microsoft Windows virus, not computer virus

Marc MERLIN marc@merlins.org
Sun Aug 31 12:15:16 PDT 2003


On Sat, Aug 23, 2003 at 07:05:45PM +0000, Drew Streib wrote:
> On Sat, Aug 23, 2003 at 11:58:56AM -0700, Aaron Lehmann wrote:
> > Got a simple pattern to stop these, like a procmail rule? My account
> > is getting 200MB (2000) of them a day. Spamassassin has been filing
> > them away into the suspected spam folder, but they're taking up a lot
> > of diskspace and spamassassin time.
> 
> Exim filter rules follow. See the exim filter specification for how
> to enable these (very very easy).
> 
> These could also be put in one regexp very easily. I just filter on 
> the known filenames for sobig.f.

So, the grand total of sobig.f that hit my system is exactly: 0

Why?

Because of the following ACLs in /var/lib/exim4/config.autogenerated:

  deny    message       = "HELO/EHLO required by SMTP RFC"
          condition     = ${if eq{$sender_helo_name}{}{yes}{no}}
.ifdef TEERGRUBE
          delay         = TEERGRUBE
.endif

  deny    message       = "Invalid domain or IP given in HELO/EHLO"
         !condition     = ${if match{$sender_helo_name}{\\\.}{yes}{no}}
.ifdef TEERGRUBE
          delay         = TEERGRUBE
.endif

All of sobig got hit by the second one because it sent a Windows
unqualified name.

Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/   |   Finger marc_f@merlins.org for PGP key
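As an added illustration (not Exim code and not part of Marc's post), the following Python mirrors the two ACL conditions quoted above so their effect on sample HELO names can be checked offline. The HELO strings are constructed for the example; the deny messages are the ones from the ACLs.

```python
import re
from typing import Optional, List, Tuple

# Deny messages copied from the two Exim ACL rules in the post.
RULE_EMPTY = "HELO/EHLO required by SMTP RFC"
RULE_NO_DOT = "Invalid domain or IP given in HELO/EHLO"

# Exim's ${if match{$sender_helo_name}{\\\.}} is an unanchored regex
# search for a literal dot; the ACL negates it with "!condition".
_HAS_DOT = re.compile(r"\.")


def helo_verdict(sender_helo_name: str) -> Optional[str]:
    """Return the deny message the ACLs would send, or None to accept.

    Evaluation order follows the post: the empty-HELO rule runs first,
    then the "name must contain a dot" rule.
    """
    if sender_helo_name == "":
        return RULE_EMPTY
    if not _HAS_DOT.search(sender_helo_name):
        return RULE_NO_DOT
    return None


# Constructed sample HELO names (not captured from real traffic).
SAMPLES: List[str] = [
    "",                       # client skipped HELO/EHLO entirely
    "DESKTOP",                # bare NetBIOS-style name, no dot
    "mail.example.org",       # fully qualified host name
    "[192.0.2.10]",           # IPv4 address literal, contains dots
    "[IPv6:2001:db8::1]",     # IPv6 address literal, no dot at all
    "localhost",              # legitimate but unqualified
]


def classify(samples: List[str] = SAMPLES) -> List[Tuple[str, Optional[str]]]:
    """Run every sample through the ACL logic and pair it with its verdict."""
    return [(helo, helo_verdict(helo)) for helo in samples]


if __name__ == "__main__":
    for helo, verdict in classify():
        outcome = "accept" if verdict is None else "deny: " + verdict
        print(f"{helo!r:24} -> {outcome}")
```

The last two samples show the caveat a practitioner would check before deploying the second rule as-is: an IPv6 address literal and an unqualified name from a host on the local network both lack a dot and would be refused, so on a real server the rule is normally scoped so that trusted internal hosts are exempt.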