>-----Original Message-----
>From: Richard Humphrey [mailto:[EMAIL PROTECTED]
>Sent: Thursday, May 20, 2004 9:16 AM
>To: [EMAIL PROTECTED]
>Subject: Getting hammered by these emails
>
>
>I have been getting hammered with emails like this for weeks now and I
>hadn't really done anything about it because I was hoping they would
>subside soon, but they keep coming. I am not sure if this is spam, or
>the end result of virii bouncing around everywhere. Anyone else getting
>these and found a way to stop them? Unfortunately I have to monitor a
>catchall box to catch mail from users no longer here, so we are getting
>a lot of these for people that used to work here, still work here, and
>users who have never worked here. All of these emails contain
>attachments (virii or trojans) but fortunately our firewall strips the
>attachment and lets the mail come through.
>
>
>Header
>
>Return-Path: <[EMAIL PROTECTED]>
>Received: from multicam.com (adsl-64-173-247-195.dsl.lsan03.pacbell.net
>[64.173.247.195])
>     by mail.multicam.com (8.12.8/8.12.8) with ESMTP id i4K4AZPX023899
>     for <[EMAIL PROTECTED]>; Wed, 19 May 2004 23:10:36 -0500
>Message-Id: <[EMAIL PROTECTED]>
>From: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Subject: Mail Delivery (failure [EMAIL PROTECTED])
>Date: Wed, 19 May 2004 21:04:22 -0700
>MIME-Version: 1.0
>Content-Type: multipart/related;
>     type="multipart/alternative";
>     boundary="----=_NextPart_000_001B_01C0CA80.6B015D10"
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Virus-Scanned: clamd / ClamAV version 0.70, clamav-milter version 0.70j
>X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on mail.multicam.com
>X-Spam-Level: ***
>X-Spam-Status: No, hits=3.3 required=6.0 tests=BAYES_00,FCS_URI_NODOTS,
>     HTML_MESSAGE,HTML_RELAYING_FRAME,MISSING_MIMEOLE,MSGID_FROM_MTA_SHORT,
>     NO_REAL_NAME,PRIORITY_NO_NAME autolearn=no version=2.63
>
>
>
>
>Body of message
>
>
>
>If the message will not displayed automatically,
>follow the link to read the delivered message.
>
>Received message is available at:
>www.multicam.com/inbox/judy/read.php?sessionid-18629
>
>
>

The key to this virus is this line:
Received: from multicam.com (adsl-64-173-247-195.dsl.lsan03.pacbell.net
[64.173.247.195])

it is your domain, but NOT your IP. What you need to do is write a rule for
that. 

Something like: (mind the line wrap!)

# Hit when the relay says it is multicam.com but the bracketed IP is not 4.22.143.67
header NOT_ME Received =~ /^from multicam\.com\s+\(\S+\s+\[(?!4\.22\.143\.67\])[\d.]+\]\)/i

WHEW! That was off the top of my head, so it may need some work ;)

Chris Santerre 
System Admin and SARE Ninja
http://www.rulesemporium.com
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 
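
The check described in the reply above, written out as an added example (not part of the original thread and not SpamAssassin code): it parses a Received header and flags a relay whose HELO name is the local domain while the connecting IP lies outside the local networks. It generalizes the single-IP rule to a list of networks; the 4.22.143.67 address is taken from the octets in the rule above as an assumption, and the function names and the two comparison headers are constructed for illustration.

```python
import ipaddress
import re

# Assumptions: domain from the quoted header, legitimate address from the rule above.
OUR_DOMAIN = "multicam.com"
OUR_NETWORKS = [ipaddress.ip_network("4.22.143.67/32")]

# "from <HELO name> (<reverse DNS> [<connecting IP>])" as sendmail writes it.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)",
    re.IGNORECASE,
)

def parse_received(value):
    """Return (helo, ip) from one Received header value, or None if it does not parse."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value.strip())  # undo header folding
    m = RECEIVED_RE.match(unfolded)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    return m.group("helo").lower().rstrip("."), ip

def forged_helo(value):
    """True when the relay claims to be our domain but connects from a foreign IP."""
    parsed = parse_received(value)
    if parsed is None:
        return False  # unparseable: leave the decision to other rules
    helo, ip = parsed
    claims_us = helo == OUR_DOMAIN or helo.endswith("." + OUR_DOMAIN)
    return claims_us and not any(ip in net for net in OUR_NETWORKS)

# Header from the quoted message, plus two constructed ones for comparison.
SAMPLE_FORGED = (
    "from multicam.com (adsl-64-173-247-195.dsl.lsan03.pacbell.net\n"
    " [64.173.247.195])\n"
    "     by mail.multicam.com (8.12.8/8.12.8) with ESMTP id i4K4AZPX023899"
)
SAMPLE_OWN = "from multicam.com (mail.multicam.com [4.22.143.67]) by mail.multicam.com"
SAMPLE_OTHER = "from example.org (mx.example.org [192.0.2.10]) by mail.multicam.com"

if __name__ == "__main__":
    for name, hdr in [("forged", SAMPLE_FORGED), ("own", SAMPLE_OWN), ("other", SAMPLE_OTHER)]:
        print(name, forged_helo(hdr))
```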
