Hi Dan,
Here is what I whipped up this morning
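# From: claims an administrative mailbox at one of our own domains
# (yourdomain1..3 are placeholders; the pattern must stay on one line)
header __YM_HF_BEAGLE_K From =~ /(?:management|administration|staff|noreply|support)\@(?:yourdomain1|yourdomain2|yourdomain3)/i
# Body text begins with the generic greeting
body __YM_B_BEAGLE_K /^(?:dear|hello) user/i
# Score only when both sub-rules hit
meta YM_BEAGLE_K (__YM_HF_BEAGLE_K && __YM_B_BEAGLE_K)
describe YM_BEAGLE_K Message contains the "Bagle.K/Beagle.K" virus
tflags YM_BEAGLE_K learn
score YM_BEAGLE_K 20.0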
I think this should work for .J as well.
NOTE: SA is not a replacement for AV; this rule was written to cut down
on the flood of questions from users as to what these messages meant and
why there was a text file in the email stating that the zip file was
removed.
-matt
________________________________
From: Dan Spray [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 03, 2004 11:22 AM
To: [EMAIL PROTECTED]
Subject: New Beagle.J virus problems
Hello all,
I am sure that some or all of you have seen the effects of the
new Beagle.J virus. My question is, how do I blacklist the from address
when it is my own domain? For example, they show that they are coming
from [EMAIL PROTECTED] This account doesn't even exist. How
do I blacklist messages coming from the account?
Thanks,
Dan
--
Dan Spray, Director of Internet Operations [EMAIL PROTECTED]
Connecting Point Norfolk, NE <http://www.conpoint.com/>
Voice - 402.844.2308 Fax - 402.371.4515
"The porcupine with the sharpest quills gets stuck on a tree
more often."
--
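
Added example (not part of the original messages and not SpamAssassin's own code): a small offline harness that applies the two sub-rule patterns and the meta rule above to constructed sample messages, so you can see which legitimate mail each half would touch on its own. The .example domains and sample texts are constructed, and matching "^" at each line start is an assumed approximation of how SpamAssassin feeds body text to body rules.

```python
import re
from email import message_from_string

# Patterns copied from the rule; yourdomain1..3 are the rule's placeholders.
HEADER_RE = re.compile(
    r"(?:management|administration|staff|noreply|support)"
    r"@(?:yourdomain1|yourdomain2|yourdomain3)", re.I)
# Assumption: "^" is tried at every line start of the plain-text body.
BODY_RE = re.compile(r"^(?:dear|hello) user", re.I | re.M)


def evaluate(raw):
    """Return the two sub-rule hits and the meta result for one raw message."""
    msg = message_from_string(raw)
    header_hit = bool(HEADER_RE.search(msg.get("From", "")))
    # Only text/plain parts are inspected; attachments are ignored.
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    body_hit = bool(BODY_RE.search(body))
    return {"__YM_HF_BEAGLE_K": header_hit,
            "__YM_B_BEAGLE_K": body_hit,
            "YM_BEAGLE_K": header_hit and body_hit}


# Constructed sample messages (not captured traffic).
SAMPLES = {
    "forged_notice": "From: staff@yourdomain1.example\nSubject: Notice\n\n"
                     "Dear user of yourdomain1.example,\n\nSee the attachment.\n",
    "real_support": "From: support@yourdomain2.example\nSubject: Ticket\n\n"
                    "Hi Dan,\nYour ticket has been closed.\n",
    "outside_greeting": "From: news@other.example\nSubject: Offer\n\n"
                        "Hello user,\nOur spring catalogue is out.\n",
    "greeting_mid_line": "From: noreply@yourdomain3.example\nSubject: Portal\n\n"
                         "Reminder for every dear user of the portal.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        hits = evaluate(raw)
        print(f"{name:18} header={hits['__YM_HF_BEAGLE_K']!s:5} "
              f"body={hits['__YM_B_BEAGLE_K']!s:5} meta={hits['YM_BEAGLE_K']}")
```

Only the first sample satisfies both halves; genuine mail from your own support address hits the header sub-rule alone, which is why the score hangs on the meta rule and not on either sub-rule.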