[Mimedefang] Re: How to stop Neroma / 911 virus?

Jeremy Mates jmates at sial.org
Thu Sep 4 18:27:03 EDT 2003


* Mike Heller <mike at dsny.com>
> So, suppose I wanted to block messages that had "911!" in the subject, 
> how would I do that?

sub filter_begin {
  ...
  # Quarantine a copy for later review, then drop the message.
  if ($Subject =~ /911!/) {
    action_quarantine_entire_message("virus: possible 911 virus");
    return action_discard();
  }
}

Or just action_bounce, depending. You could easily get false positives
with such a subject action, notably Windows users e-mailing each other
with subjects like "do not open 911!" Quarantine lets one examine the
messages and either kill or resubmit them, assuming logic in the filter to
avoid requarantine from local mail.

I also recommend against "send_quarantine_notifications" as this results
in a one-for-one quarantine to admin e-mail, e.g. 10,000 viruses to
10,000 notifications. A script that periodically wanders through MD-
Quarantine and figures out what needs to be reviewed, deleted, or
otherwise handled would work better. In this case, write your quarantine
messages in a way that assists the script in parsing the messages
written to the MSG.# files.
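
An added example, not part of the original post or of MIMEDefang: one way to write the periodic review script suggested above, in Python. It assumes each quarantined message has its own subdirectory under the spool containing MSG.# files, and that the filter writes reasons as "category: detail" (as in "virus: possible 911 virus"); the default spool path and that reason convention are assumptions.

```python
#!/usr/bin/env python3
"""Summarise a MIMEDefang quarantine spool by the reason text in MSG.# files."""
import re
import sys
from collections import defaultdict
from pathlib import Path

# Assumed convention: the filter writes reasons as "category: detail",
# e.g. "virus: possible 911 virus" as in the post above.
REASON_RE = re.compile(r"^\s*([a-z][a-z0-9_-]*)\s*:\s*(.+?)\s*$", re.I)
MSG_FILE_RE = re.compile(r"^MSG\.\d+$")

def read_reasons(entry: Path):
    """Yield (category, detail) for each reason line in an entry's MSG.# files."""
    for f in sorted(p for p in entry.iterdir() if MSG_FILE_RE.match(p.name)):
        for line in f.read_text(errors="replace").splitlines():
            if not line.strip():
                continue
            m = REASON_RE.match(line)
            # Unparseable text goes to "unknown" so a person reviews it.
            yield (m.group(1).lower(), m.group(2)) if m else ("unknown", line.strip())

def summarize(root: Path):
    """Map category -> {detail: [entry directory names]} for the whole spool."""
    report = defaultdict(lambda: defaultdict(list))
    for entry in sorted(p for p in root.iterdir() if p.is_dir()):
        # An entry with no MSG.# file is still listed, never silently skipped.
        reasons = list(read_reasons(entry)) or [("unknown", "no MSG file")]
        for category, detail in reasons:
            report[category][detail].append(entry.name)
    return report

def format_report(report):
    """One digest for the admin instead of one mail per quarantined message."""
    lines = []
    for category in sorted(report):
        total = sum(len(v) for v in report[category].values())
        lines.append(f"{category}: {total} message(s)")
        for detail, entries in sorted(report[category].items()):
            lines.append(f"  {len(entries):5d}  {detail}  (first: {entries[0]})")
    return "\n".join(lines)

if __name__ == "__main__":
    # Default path is an assumption; pass the real spool directory as argv[1].
    root = Path(sys.argv[1] if len(sys.argv) > 1 else "/var/spool/MD-Quarantine")
    print(format_report(summarize(root)))
```

Run from cron, this yields one digest per run; the "unknown" bucket lists the entries whose reason text did not follow the convention and so need a manual look.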


