RE: SoBIG

  • From: "Bob Jiantonio" <bobj@xxxxxxxxxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Thu, 4 Sep 2003 12:39:48 -0400

In iHateSpam Server Edition we did this as a custom rule to delete them at
SMTP:
It's a virus, and when stripped of its infected file it appears to be
spam, or might as well be.  What you do is what we have done here.  We
set up custom filtering rules based off of the subject line of each of
the different messages.  You can see the subjects at the following
Symantec article:
http://www.symantec.com/avcenter/venc/data/w32.sobig.f@xxxxxxx

What we did was use the body for a property, like as an operator, each
of the subjects (omitting the Re:) and gave it a weight equal to our
delete threshold (or a little higher).

Use "like" and not "=" as the operator, give it 6500 points as added
weight. Since default delete threshold is 6000, this will ensure they
are deleted at the server, not even get to your users.

Eval copy here:
http://www.sunbelt-software.com/product.cfm?id=931

If you do download and want me to support you as a techie, I will
support you, and answer any questions so add BOBJ EMAILED ME to the
Download form in notes / comments.

Bob 
Sunbelt Software
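
Added example, not part of the original post and not iHateSpam's own rule engine: a minimal weighted-rule scorer showing why the post insists on "like" over "=" once the "Re:" is omitted, and what the substring match costs. The Rule class, the "subject" property name, the at-or-above threshold comparison, and all subjects are assumptions constructed for illustration.

```python
from dataclasses import dataclass

DELETE_THRESHOLD = 6000  # default delete threshold quoted in the post
RULE_WEIGHT = 6500       # weight the post gives each subject rule

@dataclass(frozen=True)
class Rule:
    prop: str       # message property inspected (assumed name: "subject")
    operator: str   # "like" = substring match, "=" = exact match
    value: str
    weight: int = RULE_WEIGHT

def rule_matches(rule, message):
    field = message.get(rule.prop, "").strip().lower()
    needle = rule.value.strip().lower()
    if rule.operator == "like":
        return needle in field
    if rule.operator == "=":
        return field == needle
    raise ValueError(f"unknown operator: {rule.operator!r}")

def score(rules, message):
    # Sum the weights of every rule that fires on this message.
    return sum(r.weight for r in rules if rule_matches(r, message))

def verdict(rules, message, threshold=DELETE_THRESHOLD):
    # Assumption: a score at or above the threshold means delete.
    return "delete" if score(rules, message) >= threshold else "deliver"

def audit(rules, messages):
    """Dry run: map each subject to (score, verdict) without deleting anything."""
    return {m["subject"]: (score(rules, m), verdict(rules, m)) for m in messages}

# Constructed pattern; the real subjects come from the vendor write-up.
PATTERN = "example worm subject"
LIKE_RULES = [Rule("subject", "like", PATTERN)]
EXACT_RULES = [Rule("subject", "=", PATTERN)]

# Constructed sample messages.
REPLY_FORM = {"subject": "Re: Example worm subject"}
BARE_FORM = {"subject": "Example worm subject"}
LEGIT_OVERLAP = {"subject": "Notes on the example worm subject line filter"}
UNRELATED = {"subject": "Lunch on Friday?"}

if __name__ == "__main__":
    samples = [REPLY_FORM, BARE_FORM, LEGIT_OVERLAP, UNRELATED]
    for name, rules in (("like", LIKE_RULES), ("=", EXACT_RULES)):
        for subject, result in audit(rules, samples).items():
            print(f"{name:4} {subject!r}: {result}")
```

The "=" rule misses the "Re:" form entirely, while the "like" rule also deletes the legitimate message that merely contains the phrase, so a dry run over a sample of normal mail is worth doing before a delete-weight rule goes live.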


-----Original Message-----
From: Frederic Giroux [mailto:fgiroux@xxxxxxxxxxxxxx] 
Sent: Thursday, September 04, 2003 12:26 PM
To: [ExchangeList]
Subject: [exchangelist] RE: SoBIG


http://www.MSExchange.org/

Craig Weil said...


______________________________________________________________________
I run an Exchange 2000 server using Panda Antivirus and have applied all
of the latest patches to the machine.  All of my network machines also
have Panda and the latest virus definitions and Windows patches.  My
server catches SoBig on a regular basis (last count over 2800
incidences).  Lately I've been receiving automated notifications from
other organizations that my mail is undeliverable due to the SoBig
virus.  These are emails that I'm not even sending, and I understand
that this is the way SoBig operates, however I'm not sure how I could be
sending these emails given the scenario I first described (updates and
antivirus on all machines).  I've even tried running a SoBig.F removal
tool and have found nothing on any of my machines.  Anyone have some
advice?  
______________________________________________________________________



        SoBig spoofs email addresses.  So, the emails people are
receiving seem to come from your system but they don't.  Don't worry
about it since there is absolutely nothing you can do regarding this
spoofing matter.

        Fred

______________________________ 
Frederic Giroux
LAN Administrator
CyberCap
 
fgiroux@xxxxxxxxxxxxxx 
http://www.cybercap.qc.ca 
 
33 Prince St.
Suite 301
Montreal, Qc
H3C 2M7
 
(514) 861-7700 ext. 303
Fax : (514) 861-7700



 
