blocking an email based on its IP
Jan-Peter Koopmann
Jan-Peter.Koopmann at SECEIDOS.DE
Mon Sep 1 17:27:52 IST 2003
Hi,
you can block most Sobig.F mails with this
Sendmail-Filter:
LOCAL_CONFIG
# "storage" map: lets rulesets set ${...} macros as a side effect
Kstorage macro

LOCAL_RULESETS
# Run CheckDateXMSc on every X-MailScanner header ("+" keeps comments in the value)
HX-MailScanner: $>+CheckDateXMSc
D{SobigFPat}Found to be clean
D{SobigFMsg}This message may contain the Sobig.F virus.

SCheckDateXMSc
# Remember that a "Found to be clean" scanner header was seen
R${SobigFPat} $*	$: $(storage {SobigFCheck} $@ SobigF $) $1
R$*	$@ OK

# Run CheckMessageId on every Message-Id header
HMessage-Id: $>CheckMessageId
SCheckMessageId
# Record the presence of the header
R$*	$: $(storage {MessageIdCheck} $@ OK $) $1
R$*	$@ OK

# Called at end of headers, once both flags are known
Scheck_eoh
# Check the macro
R$*	$: < $&{MessageIdCheck} >
# Clear the macro for the next message
R$*	$: $(storage {MessageIdCheck} $) $1
# A Message-Id was present: clear the Sobig flag and accept
R< $+ >	$@ $>ClearSobig
R$*	$: < $&{SobigFCheck} >
R$*	$: $(storage {SobigFCheck} $) $1
# Scanner header seen but no Message-Id: reject
R< SobigF >	$#error $: 553 ${SobigFMsg}
R$*	$@ OK

SClearSobig
R$*	$: $(storage {SobigFCheck} $) $1
R$*	$@ OK
Exim ACL:

acl_smtp_data = acl_check_sobig

acl_check_sobig:
  # Empty host list: matches only mail that did not arrive from a remote host
  accept hosts = :

  # Reject when the scanner header says clean and the Message-ID is one this
  # host generated itself, i.e. the sender supplied none
  deny message   = Possible Sobig.f rejected
       condition = ${if and{{eq{$h_x-mailscanner:}{Found to be clean}}\
                            {match{$h_message-id:}{@$primary_hostname>\$}}}{true}{false}}

  accept
The idea being that Sobig-F uses an X-MailScanner header but does not
provide a Message-ID. We are blocking most with this successfully.
Regards,
JP
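The same two-header test, re-implemented as an added Python example so the logic can be run offline against saved messages (for instance when triaging a quarantine or checking what a rule would have rejected). This is not code from the post, from Sendmail, from Exim or from MailScanner; the sample messages, the hostname mx.example.invalid and the Message-ID values are constructed. It covers both variants in the post: the Sendmail ruleset rejects when the Message-Id header is absent at end of headers, and the Exim ACL rejects when the Message-ID ends in "@<primary_hostname>>", the form Exim writes when it has to generate one because the sender supplied none.

```python
"""Offline re-implementation of the two-header Sobig.F heuristic from the post.

Added example, not the Sendmail ruleset or Exim ACL above. A message is
flagged when it carries an X-MailScanner header reading exactly
"Found to be clean" and either has no Message-ID at all, or has a Message-ID
that the receiving MTA generated itself (ending in "@<primary_hostname>>").
"""
import re
from email import message_from_bytes
from typing import List, Optional, Tuple

CLEAN_PATTERN = "Found to be clean"  # D{SobigFPat} in the post


def _normalize(value: Optional[str]) -> Optional[str]:
    """Unfold a header value and collapse whitespace before comparing."""
    return " ".join(value.split()) if value is not None else None


def is_suspect(raw: bytes, primary_hostname: str) -> Tuple[bool, str]:
    """Return (suspect, reason) for one raw RFC 2822 message."""
    msg = message_from_bytes(raw)
    scanner = _normalize(msg.get("X-MailScanner"))
    if scanner != CLEAN_PATTERN:
        return False, "no 'Found to be clean' X-MailScanner header"
    message_id = _normalize(msg.get("Message-ID"))
    if message_id is None:
        # Sendmail variant: header absent when check_eoh runs
        return True, "X-MailScanner present but no Message-ID"
    # Exim variant: the regex in the ACL, with the hostname escaped for re
    locally_generated = re.compile("@" + re.escape(primary_hostname) + r">$")
    if locally_generated.search(message_id):
        return True, "Message-ID was generated by this host, sender supplied none"
    return False, "sender supplied its own Message-ID"


def scan(messages: List[Tuple[str, bytes]], primary_hostname: str) -> List[Tuple[str, bool, str]]:
    """Apply is_suspect to a batch of (label, raw message) pairs."""
    return [(label, *is_suspect(raw, primary_hostname)) for label, raw in messages]


# Constructed sample messages; mx.example.invalid stands in for the receiving MTA
PRIMARY_HOSTNAME = "mx.example.invalid"

SAMPLE_NO_MSGID = (
    b"From: sender@example.invalid\r\n"
    b"To: user@example.invalid\r\n"
    b"Subject: sample without Message-ID\r\n"
    b"X-MailScanner: Found to be clean\r\n"
    b"\r\n"
    b"body\r\n"
)
SAMPLE_LOCAL_MSGID = (
    b"From: sender@example.invalid\r\n"
    b"To: user@example.invalid\r\n"
    b"Subject: sample with MTA-generated Message-ID\r\n"
    b"Message-ID: <E1A0000-0000aa-00@mx.example.invalid>\r\n"
    b"X-MailScanner: Found to be clean\r\n"
    b"\r\n"
    b"body\r\n"
)
SAMPLE_LEGIT = (
    b"From: sender@example.invalid\r\n"
    b"To: user@example.invalid\r\n"
    b"Subject: sample with sender-supplied Message-ID\r\n"
    b"Message-ID: <20030901.1234@mail.sender.invalid>\r\n"
    b"X-MailScanner: Found to be clean\r\n"
    b"\r\n"
    b"body\r\n"
)
SAMPLE_NO_SCANNER = (
    b"From: sender@example.invalid\r\n"
    b"To: user@example.invalid\r\n"
    b"Subject: sample without scanner header\r\n"
    b"\r\n"
    b"body\r\n"
)

if __name__ == "__main__":
    batch = [("no-msgid", SAMPLE_NO_MSGID), ("local-msgid", SAMPLE_LOCAL_MSGID),
             ("legit", SAMPLE_LEGIT), ("no-scanner", SAMPLE_NO_SCANNER)]
    for label, suspect, reason in scan(batch, PRIMARY_HOSTNAME):
        print(f"{label:12s} {'REJECT' if suspect else 'accept'}  ({reason})")
```

The check is only as good as the two assumptions behind it: any mail client that omits Message-ID will be caught too (which is why the post says "most"), and the Exim form only works if Exim has added its own Message-ID before the DATA ACL runs, so the hostname passed in must be the one Exim uses as $primary_hostname.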
More information about the MailScanner mailing list