On Fri, Sep 12, 2003 at 05:09:02PM -0400, Steven W. Orr is rumored to have said:
>
> What I'm looking for is a set of recipes for rejecting the Sobig:F virus
> based on the text that appears in the Subject line.

Filenames would be better. I wrote a rule a couple of weeks ago for the filenames for someone.. here it is:

-----
This really isn't the job of SA - you should have antivirus integrated with your MTA (if your situation allows). This isn't tested, but based on my latest Sobig catch, this *should* work:

rawbody SOBIG_VIRUS /^\tfilename=\"(?:movie0045\.pif|wicked_scr\.scr|application\.pif|document_9446\.pif|details\.pif|your_details\.pif|thank_you\.pif|document_all\.pif|your_document\.pif)\"$/
-----

> In addition, it would be interesting if
> someone also had a check in there for the X-MailScanner header which also
> accompanies it.

BAD IDEA. MailScanner is a legitimate product and you'd be blocking/rejecting/mis-classifying a LOT of legitimate mail.

FYI - Sobig.F is now EOL. The only systems still sending it out have an incorrectly set date.

-- 
"I've just learned about his illness. Let's hope it's nothing trivial."
- Irvin S. Cobb
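
Added example, not part of the original message: the rule above is posted as untested, so this Python harness runs its pattern over constructed attachment headers to show which header layouts it fires on. Python's `re` stands in for the Perl regex engine, line-at-a-time matching is an assumption about how the rule is applied, and every sample header is constructed.

```python
import re

# Pattern from the rule in the message, transcribed for Python's re module
# (a stand-in for the Perl regex engine that SpamAssassin uses).
SOBIG_FILENAME = re.compile(
    r'^\tfilename="(?:movie0045\.pif|wicked_scr\.scr|application\.pif|'
    r'document_9446\.pif|details\.pif|your_details\.pif|thank_you\.pif|'
    r'document_all\.pif|your_document\.pif)"$'
)

def build_body(disposition_lines):
    """Constructed two-part MIME body; only the disposition lines vary."""
    return "\r\n".join([
        "--constructed_boundary",
        "Content-Type: text/plain",
        "",
        "constructed sample text",
        "--constructed_boundary",
        "Content-Type: application/octet-stream",
        "Content-Transfer-Encoding: base64",
        *disposition_lines,
        "",
        "QUJD",  # constructed placeholder payload ("ABC")
        "--constructed_boundary--",
    ])

def rule_hits(raw_body):
    """Assumption: the rule is tried against one line at a time, EOL removed."""
    return [ln for ln in raw_body.splitlines() if SOBIG_FILENAME.search(ln)]

# Constructed variants of the attachment header, keyed by what changes.
VARIANTS = {
    "tab_folded_quoted": ["Content-Disposition: attachment;", '\tfilename="details.pif"'],
    "space_folded":      ["Content-Disposition: attachment;", ' filename="details.pif"'],
    "single_line":       ['Content-Disposition: attachment; filename="details.pif"'],
    "unquoted":          ["Content-Disposition: attachment;", "\tfilename=details.pif"],
    "upper_case":        ["Content-Disposition: attachment;", '\tfilename="DETAILS.PIF"'],
    "benign_name":       ["Content-Disposition: attachment;", '\tfilename="report.pdf"'],
}

def check_variants():
    """Map each variant name to True when the rule would fire on it."""
    return {name: bool(rule_hits(build_body(lines))) for name, lines in VARIANTS.items()}

if __name__ == "__main__":
    for name, fired in check_variants().items():
        print(f"{name:18} {'HIT' if fired else 'miss'}")
```

Only the tab-folded, quoted, lower-case form fires, which is why the message recommends MTA-integrated antivirus over a filename pattern.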