blocking an email based on its IP

Jan-Peter Koopmann Jan-Peter.Koopmann at SECEIDOS.DE
Mon Sep 1 17:27:52 IST 2003


Hi,

you can block most Sobig.F mails with this

Sendmail filter (goes into sendmail.mc; the LHS and RHS of every R line must be
separated by tab characters, not spaces, or sendmail will not parse the rules):

LOCAL_CONFIG
# map type "macro": lets the rulesets keep per-message state in macros
Kstorage macro

LOCAL_RULESETS
# every X-MailScanner header is handed to CheckDateXMSc
HX-MailScanner:		$>+CheckDateXMSc
# header value the worm forges, and the text used in the rejection
D{SobigFPat}Found to be clean
D{SobigFMsg}This message may contain the Sobig.F virus.

SCheckDateXMSc
# remember that the forged header value was seen
R${SobigFPat} $*	$: $(storage {SobigFCheck} $@ SobigF $) $1
R$*			$@ OK

# every Message-Id header is handed to CheckMessageId
HMessage-Id:		$>CheckMessageId

SCheckMessageId
# Record the presence of the header
R$*			$: $(storage {MessageIdCheck} $@ OK $) $1
R$*			$@ OK

# check_eoh runs once all headers of a message have been read
Scheck_eoh
# Check the macro
R$*			$: < $&{MessageIdCheck} >
# Clear the macro for the next message
R$*			$: $(storage {MessageIdCheck} $) $1
# a Message-Id was present: not the worm, just clear the other flag
R< $+ >			$@ $>ClearSobig
# no Message-Id: reject if the forged X-MailScanner value was seen
R$*			$: < $&{SobigFCheck} >
R$*			$: $(storage {SobigFCheck} $) $1
R< SobigF >		$#error $: 553 ${SobigFMsg}
R$*			$@ OK

SClearSobig
R$*			$: $(storage {SobigFCheck} $) $1
R$*			$@ OK




Exim ACL (main configuration; lines ending in a backslash are continued):

acl_smtp_data = acl_check_sobig

acl_check_sobig:
        # locally submitted messages (no sending host) are not checked
        accept hosts = :

        # The worm forges an X-MailScanner header but sends no Message-ID.
        # Exim adds one of the form <...@$primary_hostname> on receipt, so a
        # "clean" header together with a locally generated ID is rejected.
        deny message    = Possible Sobig.f rejected
             condition  = ${if and{{eq{$h_x-mailscanner:}{Found to be clean}}\
                                   {match{$h_message-id:}{@$primary_hostname>\$}}}\
                          {true}{false}}

        accept



The idea being that Sobig-F uses an X-MailScanner header but does not
provide a Message-ID. We are blocking most with this successfully.


Regards,
 JP
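
The same heuristic, written out as a small Python check so it can be run against sample messages. This is an added illustration, not code from the post or from the MailScanner project; the sample messages and the host name mail.example.net are constructed. It covers both variants above: the Sendmail rules fire when no Message-Id header exists at all (check_eoh runs before sendmail adds its own), while the Exim ACL fires when the Message-ID was generated by the receiving host, because Exim has already added one by the time acl_smtp_data runs.

```python
import re
from email import message_from_string

# Header value that the worm forges (the string the Sendmail D{SobigFPat}
# macro and the Exim "eq" test compare against).
FAKE_SCANNER_VALUE = "Found to be clean"


def looks_like_sobig_f(raw_message: str, primary_hostname: str) -> bool:
    """Apply the post's heuristic to one RFC 822 message.

    Flagged when X-MailScanner carries the forged "clean" value and either
    no Message-ID is present (the Sendmail check_eoh test) or the Message-ID
    ends in "@<primary_hostname>" (the Exim ACL test).
    """
    msg = message_from_string(raw_message)
    scanner = (msg.get("X-MailScanner") or "").strip()
    if scanner != FAKE_SCANNER_VALUE:          # exact match, as in the Exim "eq"
        return False
    message_id = msg.get("Message-ID")
    if message_id is None:                     # Sendmail variant: header absent
        return True
    # Exim variant: the ACL regex is @$primary_hostname>$ ; re.escape makes the
    # dots in the hostname literal, which the ACL's regex does not do.
    local_id = re.compile("@" + re.escape(primary_hostname) + r">$")
    return local_id.search(message_id.strip()) is not None


# Constructed sample messages; none of these are real captures.
SAMPLES = {
    # forged scanner header, no Message-ID: the case the Sendmail rules catch
    "scanner_header_no_msgid": (
        "From: alice@example.org\r\n"
        "To: bob@example.net\r\n"
        "Subject: Re: Details\r\n"
        "X-MailScanner: Found to be clean\r\n"
        "\r\n"
        "See the attached file for details.\r\n"
    ),
    # the same message after the receiving Exim host added a Message-ID
    "scanner_header_mta_added_msgid": (
        "From: alice@example.org\r\n"
        "To: bob@example.net\r\n"
        "Subject: Re: Details\r\n"
        "X-MailScanner: Found to be clean\r\n"
        "Message-ID: <E19tXyZ-0001Ab-00@mail.example.net>\r\n"
        "\r\n"
        "See the attached file for details.\r\n"
    ),
    # legitimate mail scanned by a MailScanner on the sending side
    "legit_scanned_mail": (
        "From: carol@example.org\r\n"
        "To: bob@example.net\r\n"
        "Subject: Meeting notes\r\n"
        "Message-ID: <20030901150000.GA1234@smtp.example.org>\r\n"
        "X-MailScanner: Found to be clean\r\n"
        "\r\n"
        "Notes from today's meeting attached.\r\n"
    ),
    # no scanner header at all, so the check never applies
    "no_scanner_header": (
        "From: dave@example.org\r\n"
        "To: bob@example.net\r\n"
        "Subject: Hello\r\n"
        "\r\n"
        "Hi Bob.\r\n"
    ),
}


def classify_samples(primary_hostname: str = "mail.example.net") -> dict:
    """Run the check over every constructed sample; returns name -> flagged."""
    return {name: looks_like_sobig_f(raw, primary_hostname)
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, flagged in classify_samples().items():
        print(f"{name:32s} {'REJECT' if flagged else 'accept'}")
```

Note that the third sample is accepted only because its Message-ID names the sender's own host; a legitimate sender whose mail leaves without a Message-ID and gets one added on your side would be rejected just like the worm, which is the trade-off both configurations above make.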




More information about the MailScanner mailing list