Create a Mail rule to block the w32.sobig.f spam worm
Authored by: leebennett on Aug 21, '03 08:16:17PM
You don't need all these rule conditions. I've described here that you only need to set a rule to look for the bogus header, X-MailScanner: Found to be clean. Then, just set its action to delete the message.

Create a Mail rule to block the w32.sobig.f spam worm
Authored by: mprewitt on Aug 22, '03 09:37:06AM

Cool. Assuming this header is not used by legitimate email (which I am fairly confident it is not), this hint is the king -- at least as far as this particular worm is concerned.



Create a Mail rule to block the w32.sobig.f spam worm
Authored by: bignumbers on Aug 25, '03 10:31:50AM
Please note that this IS a perfectly legit header used by the "mailscanner" program. If your mail server uses (or in the future installs) mailscanner, this will flag every "good" message as having the virus. The virus author inserted it as a ruse to try to bypass mailscanner (which it does not). More info at: http://www.sng.ecs.soton.ac.uk/mailscanner/sobig.html I also think the same header is used by SpamAssassin, and could result in the same mass false-positive.

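The false-positive concern raised in the thread can be checked before a delete rule keyed on this header is enabled, by counting how many messages already received carry it and who sent them. The following is an added example, not code from the hint or from any commenter; the function names and the three sample messages are constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

HEADER = "X-MailScanner"          # header named in the thread
VALUE = "found to be clean"       # value named in the thread, lower-cased


def carries_marker(msg):
    """True if any X-MailScanner header equals the value, ignoring case,
    folding and extra whitespace."""
    values = msg.get_all(HEADER, [])
    return any(" ".join(str(v).split()).lower() == VALUE for v in values)


def audit(raw_messages):
    """Report how many messages a header-only delete rule would remove,
    and the distinct senders affected, so known-good senders stand out."""
    matched_senders = set()
    matched = 0
    for raw in raw_messages:
        msg = message_from_string(raw, policy=default)
        if carries_marker(msg):
            matched += 1
            matched_senders.add(parseaddr(str(msg.get("From", "")))[1])
    return {
        "total": len(raw_messages),
        "matched": matched,
        "senders": sorted(matched_senders),
    }


# Constructed sample messages (not real mail).
SAMPLES = [
    # Unknown sender, header present.
    "From: unknown@example.net\nSubject: sample 1\n"
    "X-MailScanner: Found to be clean\n\nSee the attached file.\n",
    # Known correspondent whose server stamps the same header (lower-case
    # name, folded value): a header-only rule would delete this too.
    "From: Alice <alice@example.org>\nSubject: sample 2\n"
    "x-mailscanner: Found to be\n clean\n\nMeeting notes.\n",
    # No scanner header at all.
    "From: bob@example.com\nSubject: sample 3\n\nHello.\n",
]

if __name__ == "__main__":
    print(audit(SAMPLES))
```

If the sender list includes people you normally correspond with, the header alone is not a safe condition for a delete action.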