blocking an email based on its IP
Daniel Bird
dbird at SGHMS.AC.UK
Tue Sep 2 00:49:44 IST 2003
Jan-Peter Koopmann wrote:
>Hi,
>
>you can block most Sobig.F mails with this
>
>Sendmail-Filter:
>
>LOCAL_CONFIG
>Kstorage macro
>
>
>
>LOCAL_RULESETS
>HX-MailScanner: $>+CheckDateXMSc
>D{SobigFPat}Found to be clean
>D{SobigFMsg}This message may contain the Sobig.F virus.
>
>
>
>SCheckDateXMSc
>R${SobigFPat} $* $: $(storage {SobigFCheck} $@ SobigF $) $1
>R$* $@ OK
>
>
>
>HMessage-Id: $>CheckMessageId
>
>
>
>SCheckMessageId
># Record the presence of the header
>R$* $: $(storage {MessageIdCheck} $@ OK $) $1
>R$* $@ OK
>
>
>
>Scheck_eoh
># Check the macro
>R$* $: < $&{MessageIdCheck} >
># Clear the macro for the next message
>R$* $: $(storage {MessageIdCheck} $) $1
>R< $+ > $@ $>ClearSobig
>R$* $: < $&{SobigFCheck} >
>R$* $: $(storage {SobigFCheck} $) $1
>R< SobigF > $#error $: 553 ${SobigFMsg}
>R$* $@ OK
>
>
>
>SClearSobig
>R$* $: $(storage {SobigFCheck} $) $1
>R$* $@ OK
>
>
>
>
>Exim ACL:
>
>acl_smtp_data = acl_check_sobig
>
>acl_check_sobig:
> accept hosts = :
>
> deny message = Possible Sobig.f rejected
>      condition = ${if and{{eq{$h_x-mailscanner:}{Found to be clean}}\
>                  {match{$h_message-id:}{@$primary_hostname>\$}}}{true}{false}}
>
> accept
>
>
>
>The idea being that Sobig-F uses an x-mailscanner header but does not
>provide a message ID. We are blocking most with this successfully.
>
>
>Regards,
> JP
>
>
>
The exim filter looks interesting, but is that likely to lead to any FPs?
--
____________________________________
Daniel Bird
Network & Systems Manager
St. George's Hospital Medical School
Tooting
London SW17 0RE
P: +44 20 8725 2897
F: +44 20 8725 3583
E: dan at sghms.ac.uk
____________________________________
Hex dump: Where witches put used curses...
"#define QUESTION ((bb) || !(bb)) - Shakespeare."
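As an added illustration (not part of the thread and not JP's or the MailScanner project's code), here is the quoted Exim ACL's decision logic in Python, run over constructed sample messages. It assumes, as the quoted rule does, that the receiving MTA stamps a Message-ID ending in `@<primary_hostname>>` on mail that arrives without one; the hostname `mx.example.org`, the sample addresses and the sample Message-IDs are all constructed.

```python
import re
from email import message_from_string

# Constructed stand-in for Exim's $primary_hostname on the receiving gateway.
PRIMARY_HOSTNAME = "mx.example.org"
CLEAN_MARK = "Found to be clean"  # X-MailScanner text the quoted ACL compares against


def has_locally_generated_id(message_id: str) -> bool:
    """True when the Message-ID ends in '@<our hostname>>', i.e. the receiving
    MTA had to invent one because the message arrived without a Message-ID.
    Same test as the ACL's match{$h_message-id:}{@$primary_hostname>$}."""
    return re.search(r"@" + re.escape(PRIMARY_HOSTNAME) + r">$", message_id) is not None


def acl_check_sobig(raw: str, sender_host: str) -> str:
    """Mirror of the quoted acl_check_sobig: returns 'accept' or 'deny'.

    sender_host == '' models `accept hosts = :` (locally submitted mail is
    accepted before the header test is ever applied)."""
    if sender_host == "":
        return "accept"
    msg = message_from_string(raw)
    scanner = (msg.get("X-MailScanner") or "").strip()
    message_id = (msg.get("Message-ID") or "").strip()
    if scanner == CLEAN_MARK and has_locally_generated_id(message_id):
        return "deny"  # "Possible Sobig.f rejected"
    return "accept"


def build(x_mailscanner, message_id):
    """Constructed sample message; message_id is the value present by the time
    the DATA ACL runs (the MTA's own stamp if the sender supplied none)."""
    headers = ["From: someone@example.net", "To: user@example.org", "Subject: test"]
    if x_mailscanner is not None:
        headers.append(f"X-MailScanner: {x_mailscanner}")
    headers.append(f"Message-ID: {message_id}")
    return "\n".join(headers) + "\n\nbody\n"


# Worm-style message: forged clean mark, no Message-ID of its own -> stamped locally.
WORM = build(CLEAN_MARK, f"<E1x2y3z-0001Ab-00@{PRIMARY_HOSTNAME}>")
# Ordinary remote mail with its own Message-ID and no scanner header -> passes.
NORMAL = build(None, "<20030902084944.GA1234@mail.example.net>")
# Mail that really passed a MailScanner upstream AND carries its own Message-ID
# -> passes; the clean mark alone never triggers the rule.
SCANNED_OK = build(CLEAN_MARK, "<20030902090000.GB5678@gw.example.net>")
```

The false-positive case Daniel asks about is visible from the inputs: a legitimate remote sender behind a MailScanner gateway whose client omits Message-ID produces exactly the `WORM` header pattern, so this rule alone cannot distinguish the two.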