[Esd-l] Useful virus trap

Marcus Williams marcus at quintic.co.uk
Tue Jun 15 02:41:29 PDT 2004

Hi -

Not sure if this is of any use to anyone, but it works really well

Basically, mail from our domain (quintic.co.uk) never comes from a
machine called quintic.co.uk, so the received lines in all incoming
emails should never contain a "HELO quintic.co.uk"

What I have noticed is a fair few viruses use the "HELO
recipient.domain" as the identifying domain when sending automated
virii to us, so in procmail I get to block quite a few using just:

# Trap anything claiming to come from quintic.co.uk
* ^Received: .*\(HELO quintic\.co\.uk\).*
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
          -A "X-Content-Security: [$HOST] QUARANTINE" \
          -A "X-Content-Security: [$HOST] REPORT: Bogus HELO from quintic.co.uk"



Marcus Williams -- http://www.quintic.co.uk
Quintic Ltd, 39 Newnham Road, Cambridge, UK
  This message is private [ ] public [*]

More information about the esd-l mailing list