[Mimedefang] Dropping e-mails generated by the Sobig Virus

Rajesh Bhandari BhandaR at mail.nlm.nih.gov
Thu Aug 21 13:01:01 EDT 2003


We were getting snowed under, until one of our guys came up with a great idea - look at the attachment name, and if it matches, silently discard the mail.  We also notified our users that e-mail with these attachments would be silently discarded, and we have had no complaints, only cheering! It has worked wonders, and we have dropped about 25,000 e-mails in the last 15 hours or so.  

Here's the snippet.  This is in filter.  We already drop .pif and .scr, so I first check to see that the extension is on our bad list, and then if the filename is one of the SoBig ones, silently discard.
----------------------
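    # Inside filter(): $fname and $ext are the arguments MIMEDefang passes in.
    if (filter_bad_filename($entity)) {
        # Extension is already on the bad list; check for a Sobig attachment name.
        if ($fname =~ /your_document|document_all|thank_you|your_details|details|document_9446|application|wicked_scr|movie0045/i) {
            # Pass the filename as an argument, not inside the syslog format string.
            syslog('warning', 'attachment %s of type %s discarded', $fname, $ext);
            return action_discard();
        }
.
.
----------------------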

Thank you David and MIMEDefang for coming to the rescue.

As an aside, we normally do about 15,000 mails a day - yesterday, we had 80,000, and the volume went practically unnoticed.  The Sendmail/MD/SA infrastructure was rock-solid.

Rajesh
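
The name check described in the post, as an added stand-alone example that is not part of the original message: it compares exact base-name matching against the substring regex and escapes the filename before it is logged. The helpers `is_sobig_attachment` and `log_safe` are hypothetical names, and the sample filenames are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Attachment base names from the post above; extensions the poster already blocks.
my %SOBIG_NAME = map { $_ => 1 } qw(
    your_document document_all thank_you your_details details
    document_9446 application wicked_scr movie0045
);
my %BAD_EXT = map { $_ => 1 } qw(pif scr);

# Hypothetical helper: true only when the whole base name is on the list
# and the final extension is a blocked one.
sub is_sobig_attachment {
    my ($fname) = @_;
    return 0 unless defined $fname;
    my $name = lc $fname;
    $name =~ s{^.*[/\\]}{};     # drop any path component the sender supplied
    $name =~ s/[\s.]+$//;       # trailing dots/spaces are ignored by Windows
    my ($base, $ext) = $name =~ /^(.+)\.([^.]+)$/ or return 0;
    return ($BAD_EXT{$ext} && $SOBIG_NAME{$base}) ? 1 : 0;
}

# Hypothetical helper: escape non-printable bytes in a sender-chosen
# filename so it cannot break up or forge log lines.
sub log_safe {
    my ($s) = @_;
    $s =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    return $s;
}

# Constructed sample filenames (not taken from real traffic).
my @samples = (
    'your_details.pif', 'Thank_You.PIF', 'movie0045.pif.', 'wicked_scr.scr',
    'travel_details_2003.pif', 'job_application.scr',
    "details.pif\nfake log line",
);

# The post's regex on its own (there it runs only after filter_bad_filename).
my $substring = qr/your_document|document_all|thank_you|your_details|details|document_9446|application|wicked_scr|movie0045/i;

for my $f (@samples) {
    my $exact = is_sobig_attachment($f) ? 'discard' : 'normal handling';
    my $loose = $f =~ $substring ? 'match' : 'no match';
    printf "%-36s exact=%-16s substring=%s\n", log_safe($f), $exact, $loose;
}
```

Files reported as "normal handling" here would still go through whatever the existing bad-extension rule does with `.pif` and `.scr`; only the silent discard is limited to exact names.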




