Found a way to block Bagle
Denis Beauchemin
Denis.Beauchemin at USHERBROOKE.CA
Mon Mar 8 13:51:48 GMT 2004
Hi,
After analyzing the different Bagle viruses we received I created the
following SA rule to make those high-scoring and delete them:

    describe UDES_VIRUS07 Bagle virus
    header UDES_VIRUS07 From =~ /(administration|management|noreply|staff|support)\@usherb(rooke)?\.ca/i
    score UDES_VIRUS07 100

All you have to do to use it is to replace "@usherb(rooke)?\.ca" with
your own domains.
Don't use this rule if any of the mentioned addresses is a real address
at your site!!!
I tried to do it in sendmail but couldn't because the envelope From is
not the same as the message From.
Denis
PS: My score is 100 because my high-scoring spam level is 75!
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045
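
The adaptation step described in the message above (substituting your own domains and making sure none of the listed addresses is real at your site), as an added example that is not part of the original post. The rule name LOCAL_VIRUS07, the domains example.org and example.net, the sample addresses and the function names are assumptions made for illustration; Python's `re` stands in for SpamAssassin's Perl regex engine, which treats this pattern the same way.

```python
import re

# Local parts the rule on this page treats as forged role accounts.
ROLE_LOCALPARTS = ("administration", "management", "noreply", "staff", "support")


def build_pattern(domains):
    """Build the From regex body for a site's own domains (dots escaped)."""
    locals_alt = "|".join(ROLE_LOCALPARTS)
    domains_alt = "|".join(re.escape(d) for d in domains)
    return rf"({locals_alt})\@({domains_alt})"


def conflicts(pattern, real_addresses):
    """Return the real site addresses the rule would hit.

    The match is unanchored, as in the posted rule, so an address such as
    techsupport@<domain> is hit because it ends in "support@<domain>".
    """
    rx = re.compile(pattern, re.IGNORECASE)
    return [a for a in real_addresses if rx.search(a)]


def build_rule(name, domains, real_addresses=(), score=100):
    """Return the three rule lines, refusing if a real address would match."""
    pattern = build_pattern(domains)
    hit = conflicts(pattern, real_addresses)
    if hit:
        raise ValueError("rule would match real addresses: " + ", ".join(hit))
    return "\n".join([
        f"describe {name} Bagle virus",
        f"header {name} From =~ /{pattern}/i",
        f"score {name} {score}",
    ])


if __name__ == "__main__":
    # Constructed sample data: example.org / example.net stand in for a site.
    site = ["example.org", "example.net"]
    print(build_rule("LOCAL_VIRUS07", site, real_addresses=["helpdesk@example.org"]))
    for hdr in ['"Support" <Support@Example.ORG>', "staff@example.net",
                "alice@example.org", "support@elsewhere.test"]:
        hit = bool(re.search(build_pattern(site), hdr, re.IGNORECASE))
        print(f"{hit!s:5}  {hdr}")
```

Pass the site's real mailbox list as `real_addresses`; the score argument should sit above the local high-scoring spam threshold, as the PS in the message explains.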