[Mimedefang] Re: SoBig makes me rethink policy...

Kris Deugau kdeugau at webhart.net
Fri Sep 5 15:42:01 EDT 2003


Andrzej Marecki wrote:
> A long time before Sobig-F appeared I had put the following code into my
> mimedefang-filter:
> 
>         if ($category eq "virus") {
>             md_log('virus',$VirusName, $RelayAddr);
> 
>             # discard without notification Viruses which fake SMTP info
>             return action_discard() if $VirusName =~ /(?i)klez|bugbear|nimda|hybris|yaha|braid|sobig/;
> 
>             # Bounce the mail!
>             action_bounce("Virus $VirusName found in mail - rejected");
> 
>             return;
>         }

I go a little bit further, and maintain a list of viruses (and nastyware
detected by the AV scanner currently in use) that do NOT forge the
sender address.  This included one VBscript virus that attached itself
to legitimate messages.  :(

Only the nastyware in that second list gets bounced or sender-notified;
anything not in either list gets quarantined and dropped.  Neither list
is very long, but it's still been over a week since I saw anything
quarantined.  <g>  (~30K messages/week)

-kgd
-- 
<erno> hm. I've lost a machine.. literally _lost_. it responds to
ping, it works completely, I just can't figure out where in my
apartment it is.
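The two-list policy described in this thread, written out as an added example for a mimedefang-filter (not Andrzej's or Kris's own filter). It assumes MIMEDefang's `message_contains_virus()`, `$VirusName`, `$RelayAddr` and the `action_*` calls; the virus names in the two hashes are constructed samples.

```perl
# Added example: mimedefang-filter fragment implementing "discard forgers,
# bounce honest senders, quarantine everything else".  Globals such as
# $VirusName and $RelayAddr are set by mimedefang.pl before filter_begin runs.

# Viruses known to forge the sender address: never bounce or notify, since
# the notification would reach an innocent third party, not the infected host.
my %forges_sender = map { $_ => 1 }
    qw(klez bugbear nimda hybris yaha braid sobig);

# Nastyware known to use the real sender (e.g. a script virus that attaches
# itself to legitimate mail): bouncing tells the actual sender they are infected.
my %honest_sender = map { $_ => 1 } qw(sample_honest_worm);   # constructed

sub filter_begin {
    my ($code, $category, $action) = message_contains_virus();
    return unless $code == 1 && $category eq "virus";

    md_log('virus', $VirusName, $RelayAddr);
    my $name = lc $VirusName;   # scanner names vary in case and suffixes

    # 1. Known sender-forgers: silently drop, no bounce, no quarantine.
    if (grep { index($name, $_) >= 0 } keys %forges_sender) {
        return action_discard();
    }

    # 2. Known non-forgers: the rejection reaches the real sender.
    if (grep { index($name, $_) >= 0 } keys %honest_sender) {
        action_bounce("Virus $VirusName found in mail - rejected");
        return;
    }

    # 3. Unknown nastyware: keep a copy for later review, then drop it.
    #    Unknown means "might forge the sender", so no notification is sent.
    action_quarantine_entire_message("Virus $VirusName found");
    return action_discard();
}
```

Substring matching on the lower-cased scanner name is deliberate, since scanners report variants such as `W32/Sobig.F@mm`; keep the forger list in sync with the scanner's naming.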
