(I was going to point you to the MailArchive website rather than re-post, but I couldn't find my own message there.)
You're probably getting 4 kinds of nuisance messages:

1) The SoBig.F virus messages
2) Broken versions of the message with all the text but no virus
3) Bounce notifications (undeliverables) from other mailservers
4) Virus notifications from other mailservers

Don't drop notices to Postmaster unless you really really have to, and then only do it temporarily.

If you have Declude JunkMail, your best option is to gather up all the bad messages you can find, or troll your declude logs, find the IP addresses of the stations that are sending the messages and then use your favourite technique to blacklist the IP (firewall, Imail kill list, your own declude ipfile). This is safe because the virus uses its own SMTP engine, so you will only be blocking infected workstations, not valid mailservers.

If you have Declude JunkMail *Pro* you can do text filtering. Here's a sample config and text file you could use and tune to your liking that is eating most of the 4 kinds of messages I'm getting. List members here who have adopted this technique won't even get *this* message if they've adopted it.

My global.cfg has:

BADNOTIFY filter D:\IMail\Declude\BadNotify.txt x 0 0

and

BADNOTIFY HOLD

If you want BADNOTIFY to show up in your "Total weight =" lines in your decMMDD.log file, don't make the triggered weight equal zero.

Andrew 8)

-----Original Message-----
From: junk mail [mailto:[EMAIL PROTECTED]
Sent: Friday, August 22, 2003 9:48 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] OT: Declude notification and SoBig assault.

We are only running Declude JunkMail. Is anyone setting up any rules to filter out the SoBig virus other than using Declude virus software?

Thanks,
Dom

#Use this file to hold any messages that contain VIRAL text you know you want to
#filter on regardless of the other tests or weights. The weight is 0
#because our action is going to be HOLD, not WARN.
#
#Each line begins with a comment like this or is in the format:
#
#location weight filtertype filtertext
#
#location can be: BODY HEADERS HELO MAILFROM REMOTEIP REVDNS or SUBJECT
#
#weight can be a positive or negative number to add to the total weight
#
#filtertype can be: CONTAINS STARTSWITH ENDSWITH or IS
#
#filtertext is the case insensitive text you want to match
#
#e.g.
#
#HELO 8 CONTAINS $domain
#SUBJECT 3 CONTAINS enlarge
#MAILFROM 3 STARTSWITH $success$@

#Aug-20-2003 AC Dumb ass Internet virus scanners that believe the spoofed sender
# in viral e-mails. We don't need their bogus warnings.
SUBJECT 0 STARTSWITH Antigen found VIRUS=
SUBJECT 0 STARTSWITH ScanMail Message: To
SUBJECT 0 STARTSWITH Disallowed attachment type found in sent message
SUBJECT 0 IS Mail status report
BODY 0 CONTAINS destination server said: Message rejected due to possible virus
BODY 0 CONTAINS Our virus detector has just been triggered by a message you sent:
BODY 0 CONTAINS The virus detector said this about the message:
BODY 0 CONTAINS Antigen for Exchange removed
BODY 0 CONTAINS was found to match the FILE FILTER= *.pif file filter
BODY 0 CONTAINS was found to match the FILE FILTER= *.exe file filter
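
For tuning a filter file like the one above before putting it into production, here is an added example (not part of the original post and not Declude's own code) that parses the "location weight filtertype filtertext" format as the file's comments describe it and reports which lines a message would trigger. The function names, the dict-based message shape and the sample messages are assumptions made for illustration, and $variable substitution (as in the $domain example) is not handled.

```python
# Added example: offline checker for Declude-style filter lines (not Declude's code).
from typing import NamedTuple

LOCATIONS = {"BODY", "HEADERS", "HELO", "MAILFROM", "REMOTEIP", "REVDNS", "SUBJECT"}
MATCHERS = {
    "CONTAINS": lambda field, text: text in field,
    "STARTSWITH": lambda field, text: field.startswith(text),
    "ENDSWITH": lambda field, text: field.endswith(text),
    "IS": lambda field, text: field == text,
}

class Rule(NamedTuple):
    location: str
    weight: int
    filtertype: str
    text: str

def parse_rules(filter_text):
    """Parse 'location weight filtertype filtertext' lines; skip comments and blanks."""
    rules = []
    for lineno, raw in enumerate(filter_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)  # filtertext may itself contain spaces
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields: {raw!r}")
        location, weight, filtertype, text = parts
        if location.upper() not in LOCATIONS or filtertype.upper() not in MATCHERS:
            raise ValueError(f"line {lineno}: unknown location or filtertype: {raw!r}")
        rules.append(Rule(location.upper(), int(weight), filtertype.upper(), text.lower()))
    return rules

def evaluate(rules, message):
    """Return (matched_rules, total_weight); matching is case insensitive."""
    hits = [r for r in rules
            if MATCHERS[r.filtertype](message.get(r.location, "").lower(), r.text)]
    return hits, sum(r.weight for r in hits)

# Constructed sample: two lines from the file above plus one of its commented examples.
SAMPLE_FILTER = """\
#comment lines are ignored
SUBJECT 0 STARTSWITH Antigen found VIRUS=
BODY 0 CONTAINS The virus detector said this about the message:
SUBJECT 3 CONTAINS enlarge
"""
# Constructed messages (not real traffic), keyed by location name.
NOTIFY = {"SUBJECT": "Antigen found VIRUS= W32/Example (constructed)", "BODY": "..."}
CLEAN = {"SUBJECT": "Re: Antigen found VIRUS= on our server?", "BODY": "Any ideas?"}
```

Running evaluate(parse_rules(SAMPLE_FILTER), NOTIFY) returns one matched rule with a total weight of 0, while CLEAN matches nothing because STARTSWITH does not fire on a reply whose subject merely quotes the notification text.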
