[Mimedefang] Dropping e-mails generated by the Sobig Virus
Rajesh Bhandari
BhandaR at mail.nlm.nih.gov
Thu Aug 21 13:01:01 EDT 2003
We were getting snowed under, until one of our guys came up with a great idea - look at the attachment name, and if it matches, silently discard the mail. We also notified our users that e-mail with these attachments would be silently discarded, and we have had no complaints, only cheering! It has worked wonders, and we have dropped about 25,000 e-mails in the last 15 hours or so.
Here's the snippet. This is in filter. We already drop .pif and .scr, so I first check to see that the extension is on our bad list, and then if the filename is one of the SoBig ones, silently discard.
----------------------
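# The attachment's extension is already on our bad list (.pif, .scr, ...)
if (filter_bad_filename($entity)) {
    # Filename matches one of the SoBig attachment names: log it and
    # silently discard the whole message
    if ($fname =~ /your_document|document_all|thank_you|your_details|details|document_9446|application|wicked_scr|movie0045/i) {
        syslog('warning', "attachment $fname of type $ext discarded");
        return action_discard();
    }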
.
.
---------------------
Thank you David and MIMEDefang for coming to the rescue.
As an aside, we normally do about 15,000 mails a day - yesterday, we had 80,000, and the volume went practically unnoticed. The Sendmail/MD/SA infrastructure was rock-solid.
Rajesh
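
As an added example, not part of the original post or of MIMEDefang: the regex in the snippet is unanchored, so it matches the listed names anywhere inside a filename. This stand-alone Perl script compares that behaviour with a stricter whole-name match; the function names, the anchored variant and the sample filenames are assumptions constructed here.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Base names copied from the regex in the post above.
my @SOBIG_NAMES = qw(
    your_document document_all thank_you your_details details
    document_9446 application wicked_scr movie0045
);
my $names_re = join '|', map { quotemeta } @SOBIG_NAMES;

# Behaviour of the posted regex: substring match anywhere in the filename.
sub matches_unanchored {
    my ($fname) = @_;
    return 0 unless defined $fname;
    return $fname =~ /$names_re/i ? 1 : 0;
}

# Stricter variant (assumption, not from the post): the whole base name must
# equal a listed name, and the extension must be .pif or .scr, the two
# extensions the post says are already on the bad list.
sub matches_anchored {
    my ($fname) = @_;
    return 0 unless defined $fname;
    # Strip any directory part a mail client may have left in the filename.
    (my $base = $fname) =~ s{^.*[\\/]}{}s;
    return $base =~ /\A(?:$names_re)\.(?:pif|scr)\z/i ? 1 : 0;
}

# Constructed sample filenames, not taken from real traffic.
my @samples = (
    'your_details.pif',           # listed name, exact
    'Movie0045.PIF',              # listed name, different case
    'wicked_scr.scr',             # listed name, exact
    'job_application_form.scr',   # only contains "application"
    'order_details_2003.pif',     # only contains "details"
);

# "fall through" means the attachment is left to the site's normal
# bad-extension handling instead of being silently discarded.
printf "%-26s %-14s %s\n", 'filename', 'unanchored', 'anchored';
for my $f (@samples) {
    printf "%-26s %-14s %s\n", $f,
        matches_unanchored($f) ? 'discard' : 'fall through',
        matches_anchored($f)   ? 'discard' : 'fall through';
}
```

The last two samples are silently discarded by the substring match but fall through under the anchored match, which matters when the normal bad-extension path notifies or quarantines rather than discards.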