[Esd-l] Useful virus trap

Marcus Williams marcus at quintic.co.uk
Tue Jun 15 02:41:29 PDT 2004


Hi -

Not sure if this is of any use to anyone, but it works really well
here...

Basically, mail from our domain (quintic.co.uk) never comes from a
machine called quintic.co.uk, so the received lines in all incoming
emails should never contain a "HELO quintic.co.uk"

What I have noticed is a fair few viruses use the "HELO
recipient.domain" as the identifying domain when sending automated
virii to us, so in procmail I get to block quite a few using just:

#-------------------------------------------------------------------------------
# Trap anything claiming to come from quintic.co.uk
#
:0hfi
* ^Received: .*\(HELO quintic\.co\.uk\).*
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
          -A "X-Content-Security: [$HOST] QUARANTINE" \
          -A "X-Content-Security: [$HOST] REPORT: Bogus HELO from quintic.co.uk"
#-------------------------------------------------------------------------------


HTH,

Marcus

-- 
Marcus Williams -- http://www.quintic.co.uk
Quintic Ltd, 39 Newnham Road, Cambridge, UK
  This message is private [ ] public [*]
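As an added example (not part of the original post, and not the poster's procmail recipe), the same check written as a small Python filter: it unfolds the headers, pulls the `(HELO name)` annotation out of each Received line, and tags the message with the same three `X-Content-Security` headers the recipe appends with `formail -A`. The domain `example.com`, the host name `mail.example.com` and the sample messages are constructed stand-ins for the poster's `quintic.co.uk` and `$HOST`; the `(HELO ...)` format is the one shown in the recipe's pattern.

```python
import re
from typing import List

# Assumption: stands in for the poster's own domain (quintic.co.uk).
OUR_DOMAIN = "example.com"

# The "(HELO name)" annotation as it appears in the recipe's Received pattern.
HELO_RE = re.compile(r"\(HELO\s+([^\s)]+)\)", re.IGNORECASE)


def unfold_headers(raw: str) -> List[str]:
    """Join folded continuation lines so every header is a single string."""
    headers: List[str] = []
    head = raw.split("\n\n", 1)[0]          # headers end at the first blank line
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def received_headers(raw: str) -> List[str]:
    """All Received: headers, in the order they appear (topmost = added by our MTA)."""
    return [h for h in unfold_headers(raw) if h.lower().startswith("received:")]


def bogus_helo(raw: str, domain: str = OUR_DOMAIN, only_first: bool = False) -> List[str]:
    """HELO names in Received headers that claim to be our own domain.

    only_first=True restricts the check to the Received line our own MTA wrote,
    which a remote sender cannot forge; the recipe on the page matches every line.
    """
    hits: List[str] = []
    hdrs = received_headers(raw)
    if only_first:
        hdrs = hdrs[:1]
    for hdr in hdrs:
        for name in HELO_RE.findall(hdr):
            if name.lower() == domain.lower():
                hits.append(name)
    return hits


def tag_message(raw: str, host: str = "mail.example.com") -> str:
    """Append the NOTIFY/QUARANTINE/REPORT headers (like formail -A) when a bogus HELO is found."""
    hits = bogus_helo(raw)
    if not hits:
        return raw
    head, sep, body = raw.partition("\n\n")
    extra = [
        f"X-Content-Security: [{host}] NOTIFY",
        f"X-Content-Security: [{host}] QUARANTINE",
        f"X-Content-Security: [{host}] REPORT: Bogus HELO from {hits[0]}",
    ]
    return head + "\n" + "\n".join(extra) + sep + body


# Constructed sample messages (not real traffic). The first greets our MTA with
# our own domain name; the second is an ordinary delivery from a partner host.
BOGUS = (
    "Received: from unknown (HELO example.com) (192.0.2.10)\n"
    "  by mail.example.com with SMTP; 15 Jun 2004 09:41:29 -0000\n"
    "From: someone@elsewhere.invalid\n"
    "Subject: hi\n"
    "\n"
    "body\n"
)
LEGIT = (
    "Received: from smtp.partner.invalid (HELO smtp.partner.invalid) (198.51.100.7)\n"
    "  by mail.example.com with SMTP; 15 Jun 2004 09:45:02 -0000\n"
    "From: colleague@partner.invalid\n"
    "Subject: report\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(tag_message(BOGUS))
    print(tag_message(LEGIT))
```

The comparison is exact, so a HELO of `host1.example.com` from an internal relay is not caught; only a greeting that names the bare domain is. Passing `only_first=True` is the conservative choice, since lower Received lines arrive inside the message and can say anything the sender wants.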
