On 2004-06-11 19:08:09 +0200, Hanno Hecker wrote:
> this little plugin filters the mails generated by the Sober.G worm. The main reason
> why it works (worksforme[tm] ;->) is the fsck'd up Message-ID header: qmail's
> Message-IDs always match
> /^<[EMAIL PROTECTED]>$/
> See qmail-1.03/newfield.c, line 26 ff.
> Maybe some other (spam) mails will be denied too, but none with a
> regular qmail Message-ID.

Strangely enough, shortly after activating the plugin I got this log
entry:
2004-06-11T20:38:22 7597 sober_filter plugin: sober_filter:
Denied I-Worm.Sober.* mail with Subject:
'Zustellung wegen Virus verweigert. Ihr Betreff:Dein Zeug's!
It looks like a bounce message for a Sober.G. I'm quite happy with the
effect, but I'm wondering why the filter would catch it. Maybe there are
some virus checkers which reuse the message-id of the viral message for
the bounce?
hp
--
_ | Peter J. Holzer | I think we need two definitions:
|_|_) | Sysadmin WSR | 1) The problem the *users* want us to solve
| | | [EMAIL PROTECTED] | 2) The problem our solution addresses.
__/ | http://www.hjp.at/ | -- Phillip Hallam-Baker on spam
