Sobig getting tagged as spam not virus
John Rudd
jrudd at UCSC.EDU
Fri Aug 22 20:15:18 IST 2003
Sveinn Gunnarsson wrote:
>
> Hi all...
>
> I just wanted to share my 2 pennies, on how I'm blocking most of the Sobig-F
> emails on my doorsteps, without it even getting scanned, and saving valuable
> CPU time and keeping my mailqueues down.
>
> By adding this little macro to sendmail.cf, I reject all emails with the
> Sobig-F subjects, during SMTP. Note, that this only works for sendmail, and
> that sendmail has to be compiled with regex support.
>
> # Sobig subjects regex
> Ksobig regex -a@MATCH_SOBIG ^(Re: That movie|Re: That movie|Re: Wicked screensaver|Re: Your application|Re: Approved|Re: Re: My details|Re: Details|Your details|Thank you!)
>
> # Reject all mail with Sobig subjects.
> HSubject: $>Check_sobig
> SCheck_sobig
> R$*        $: $(sobig $&{currHeader} $: $1 $)
> R@MATCH_SOBIG        $#error $: "550 Possible Sobig-F - Please change subject: " $&{currHeader}
>
> Hope this helps someone out there...
>
>
It helped me, but more inspirationally than directly. Your lines didn't
work with my version of sendmail (8.10.1; don't tell me to upgrade,
that's already in the works, only not to a newer sendmail, to
CommuniGate Pro). Here's what I put, as the first REWRITING RULE:

# Reject all mail with Sobig subjects.
HSubject: $>Check_subject
D{Msobig1}Re: That movie
D{Msobig2}Re: Wicked screensaver
D{Msobig3}Re: Your application
D{Msobig4}Re: Approved
D{Msobig5}Re: Re: My details
D{Msobig6}Re: Details
D{Msobig7}Your details
D{Msobig8}Thank you!
D{Mmsg} Possible Sobig-F - Please change subject:
SCheck_subject
R${Msobig1} $*        $#error $: 550 ${Mmsg}
R${Msobig2} $*        $#error $: 550 ${Mmsg}
R${Msobig3} $*        $#error $: 550 ${Mmsg}
R${Msobig4} $*        $#error $: 550 ${Mmsg}
R${Msobig5} $*        $#error $: 550 ${Mmsg}
R${Msobig6} $*        $#error $: 550 ${Mmsg}
R${Msobig7} $*        $#error $: 550 ${Mmsg}
R${Msobig8} $*        $#error $: 550 ${Mmsg}

And, note, any place you see a long string of spaces, those are tabs.
This is working like a charm here.
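
An added example, not part of either post: a Python dry run of the subject list over constructed header lines, showing which legitimate-looking subjects a prefix match of this kind would also reject. Python's `re` stands in for sendmail's own matching, and the whole-subject variant and all names here are assumptions of the example.

```python
import re

# Subject strings listed in both posts above (the duplicated entry is dropped).
SOBIG_SUBJECTS = [
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Re: Approved", "Re: Re: My details", "Re: Details",
    "Your details", "Thank you!",
]
_ALTERNATION = "|".join(re.escape(s) for s in SOBIG_SUBJECTS)

# Same shape as the rules above: anchored at the start, open at the end.
PREFIX_RE = re.compile("^(" + _ALTERNATION + ")")
# Stricter variant (assumption of this example): the whole subject must match.
EXACT_RE = re.compile("^(" + _ALTERNATION + r")\s*$")


def header_value(line):
    """Return the value of a 'Subject:' header line, or None for other headers."""
    name, sep, value = line.partition(":")
    if not sep or name.strip().lower() != "subject":
        return None
    return value.strip()


def dry_run(header_lines):
    """Map each Subject to 'reject', 'prefix-only' or 'accept'."""
    results = {}
    for line in header_lines:
        subject = header_value(line)
        if subject is None:
            continue
        if EXACT_RE.match(subject):
            results[subject] = "reject"          # exactly one of the listed subjects
        elif PREFIX_RE.match(subject):
            results[subject] = "prefix-only"     # only the open-ended match fires
        else:
            results[subject] = "accept"
    return results


# Constructed sample headers, not taken from real mail.
SAMPLE = [
    "From: someone@example.com",
    "Subject: Re: Details",
    "Subject: Thank you! Your order has shipped",
    "Subject: Your details are needed for the audit",
    "Subject: Meeting notes for Friday",
]

if __name__ == "__main__":
    for subject, verdict in dry_run(SAMPLE).items():
        print(f"{verdict:12} {subject}")
```

Subjects reported as `prefix-only` are the ones to review before turning a 550 reject on.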