Found a way to block Bagle

Chris Yuzik chris at FRACTALWEB.COM
Mon Mar 8 16:39:10 GMT 2004


Hi Denis,

There have been other quickie spamassassin rules for detecting this
particular virus. I'm not sure how well they work because I jumped on
the "upgrade MailScanner every other day last week" bandwagon. The new
MailScanner works great.

BTW, your high-scoring spam level is 75??? Mine is set to 15. I have yet
to see a false-positive above 9, and I process about 90k+ messages a month.

Cheers,
Chris

Denis Beauchemin wrote:

>Hi,
>
>After analyzing the different Bagle viruses we received I created the
>following SA rule to make those high-scoring and delete them:
>describe UDES_VIRUS07 Bagle virus
>header   UDES_VIRUS07 From =~ /(administration|management|noreply|staff|support)\@usherb(rooke)?\.ca/i
>score    UDES_VIRUS07 100
>
>All you have to do to use it is to replace "@usherb(rooke)?\.ca" with
>your own domains.
>
>Don't use this rule if any of the mentioned addresses is a real address
>at your site!!!
>
>I tried to do it in sendmail but couldn't because the envelope From is
>not the same as the message From.
>
>Denis
>PS: My score is 100 because my high-scoring spam level is 75!
>
>
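The following is an added example, not part of the original thread: it runs the pattern from the quoted rule over constructed messages to show what it matches in the header From, why the envelope sender does not match, and where the unanchored pattern also catches longer addresses. The `STRICT` variant, the `msg` helper and every sample address are assumptions made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL = "administration|management|noreply|staff|support"
DOMAIN = r"usherb(rooke)?\.ca"

# Pattern from the posted rule (Perl /i becomes re.IGNORECASE).
POSTED = re.compile(rf"({LOCAL})\@{DOMAIN}", re.I)
# Assumption, not from the thread: match the whole parsed address instead.
STRICT = re.compile(rf"({LOCAL})@{DOMAIN}", re.I)

def posted_hits(raw):
    """Unanchored search over the From: header value."""
    return POSTED.search(message_from_string(raw)["From"]) is not None

def strict_hits(raw):
    """Full match on the address extracted from the From: header."""
    addr = parseaddr(message_from_string(raw)["From"])[1]
    return STRICT.fullmatch(addr) is not None

def envelope_hits(raw):
    """Same pattern against the envelope sender (recorded in Return-Path)."""
    return POSTED.search(message_from_string(raw)["Return-Path"]) is not None

def msg(envelope, header_from):
    return f"Return-Path: <{envelope}>\nFrom: {header_from}\nSubject: test\n\nbody\n"

# Constructed sample messages; every address below is made up for illustration.
SAMPLES = {
    "forged_role": msg("x1@example.net", "management@usherbrooke.ca"),
    "mixed_case": msg("x2@example.net", "Staff@USherb.CA"),
    "longer_local": msg("x3@example.net", '"Tech Support" <techsupport@usherbrooke.ca>'),
    "longer_domain": msg("x4@example.net", "support@usherb.ca.example.net"),
    "outside": msg("x5@example.net", "staff@example.org"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} posted={posted_hits(raw)!s:5} strict={strict_hits(raw)!s:5} "
              f"envelope={envelope_hits(raw)}")
```

The `longer_local` and `longer_domain` samples are the cases to check against your own address list before giving a rule like this a deleting score.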


