[Mimedefang] Dropping e-mails generated by the Sobig Virus
Jakub Wasielewski
wasyl at opoka.info
Thu Aug 21 15:09:00 EDT 2003
On 21/08/2003 13:00:08 -0400, user Rajesh Bhandari wrote:
RB> We were getting snowed under, until one of our guys came up with a great idea - look at the attachment name, and if it matches, silently discard the mail. We also notified our users that e-mail with these attachments would be silently discarded, and we have had no complaints, only cheering! It has worked wonders, and we have dropped about 25,000 e-mails in the last 15 hours or so.
RB>
RB> Here's the snippet. This is in filter. We already drop .pif and .scr, so I first check to see that the extension is on our bad list, and then if the filename is one of the SoBig ones, silently discard.
RB> ----------------------
RB> if (filter_bad_filename($entity)) {
RB>     if ($fname =~ /your_document|document_all|thank_you|your_details|details|document_9446|application|wicked_scr|movie0045/i) {
RB>         syslog('warning', "attachment $fname of type $ext discarded");
RB>         return action_discard();
RB>     }
RB> }
Hmm... maybe Sobig is a good reason for a discard action, but think
about having a dozen such cases. Now the problem arises of whether to
notify the user about sending a virus, or not to and discard. You could
end up with a huge regexp or something like that making the decision...
nasty. As we all agree, it is important to notify the sender about a
virus infection... if the sender is not fake. The perfect solution IMO
would be the possibility to reject the entire e-mail in the last stage
of the SMTP dialog, after DATA, with "450 Reason of reject". What do you
think about that, or maybe it is already possible with MD?
--
Jakub Wasielewski
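
The discard-or-notify decision discussed above can be kept in a per-family table instead of one growing regexp. The following is an added example, not code from either poster or from the MIMEDefang project. The Sobig pattern is the one quoted in the thread; the "ExampleWorm" entry, the $BAD_EXT stand-in for filter_bad_filename(), the classify_attachment() helper and the sample file names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in (assumption) for the thread's filter_bad_filename() check:
# only names with an already-banned extension are looked at further.
my $BAD_EXT = qr/\.(?:pif|scr)$/i;

# One entry per worm family. 'discard' suits worms that forge the sender,
# where any notification reaches an innocent party. 'reject' refuses the
# message at the end of DATA, so only the connecting MTA is told.
my @POLICY = (
    { name   => 'Sobig',          # pattern as quoted in the thread
      action => 'discard',
      re     => qr/your_document|document_all|thank_you|your_details|details|document_9446|application|wicked_scr|movie0045/i },
    { name   => 'ExampleWorm',    # constructed placeholder family
      action => 'reject',
      re     => qr/^example_payload\./i },
);

# Returns (action, family). 'accept' means the name is not on the bad
# list; 'fallthrough' means it is, but no family matched, so the filter's
# existing bad-extension handling applies.
sub classify_attachment {
    my ($fname) = @_;
    return ('accept', undef) unless defined $fname && $fname =~ $BAD_EXT;
    for my $p (@POLICY) {
        return ($p->{action}, $p->{name}) if $fname =~ $p->{re};
    }
    return ('fallthrough', undef);
}

# Inside MIMEDefang's filter() the result would map onto its actions:
#   discard -> return action_discard();
#   reject  -> return action_bounce("Refused: $family attachment");
# action_bounce() fails the message with a 5xx reply after DATA;
# action_tempfail() is the 4xx counterpart.
for my $fname ('your_details.pif', 'Movie0045.SCR', 'example_payload.scr',
               'holiday.scr', 'application.pdf') {   # constructed samples
    my ($action, $family) = classify_attachment($fname);
    printf "%-20s -> %-11s %s\n", $fname, $action, $family // '-';
}
```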