In iHateSpam Server Edition we did this as a custom rule to delete them at SMTP:

It's a virus, and when stripped of its infected file it appears to be spam, or might as well be. What you do is what we have done here. We set up custom filtering rules based off of the subject line of each of the different messages. You can see the subjects at the following Symantec article:

http://www.symantec.com/avcenter/venc/data/w32.sobig.f@xxxxxxx

What we did was use the body for a property, "like" as an operator, each of the subjects (omitting the Re:) and gave it a weight equal to our delete threshold (or a little higher).

Use "like" and not "=" as the operator, give it 6500 points as added weight. Since default delete threshold is 6000, this will ensure they are deleted at the server, not even get to your users.

Eval copy here: http://www.sunbelt-software.com/product.cfm?id=931

If you do download and want me to support you as a techie, I will support you, and answer any questions so add BOBJ EMAILED ME to the Download form in notes / comments.

Bob
Sunbelt Software

-----Original Message-----
From: Frederic Giroux [mailto:fgiroux@xxxxxxxxxxxxxx]
Sent: Thursday, September 04, 2003 12:26 PM
To: [ExchangeList]
Subject: [exchangelist] RE: SoBIG

http://www.MSExchange.org/

Craig Weil said...
______________________________________________________________________
I run an Exchange 2000 server using Panda Antivirus and have applied all of the latest patches to the machine. All of my network machines also have Panda and the latest virus definitions and Windows patches. My server catches SoBig on a regular basis (last count over 2800 incidences). Lately I've been receiving automated notifications from other organizations that my mail is undeliverable due to the SoBig virus.
These are emails that I'm not even sending, and I understand that this is the way SoBig operates, however I'm not sure how I could be sending these emails given the scenario I first described (updates and antivirus on all machines). I've even tried running a SoBig.F removal tool and have found nothing on any of my machines. Anyone have some advice?
______________________________________________________________________

SoBig spoofs email addresses. So, the emails people are receiving seem to come from your system but they don't. Don't worry about it since there is absolutely nothing you can do regarding this spoofing matter.

Fred

______________________________
Frederic Giroux
LAN Administrator
CyberCap
fgiroux@xxxxxxxxxxxxxx
http://www.cybercap.qc.ca
33 Prince St. Suite 301
Montreal, Qc H3C 2M7
(514) 861-7700 ext. 303
Fax : (514) 861-7700
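
The weighted subject rule described in the reply at the top of this thread, as an added example that is not part of the original messages and is not iHateSpam's own code. It assumes "like" means a case-insensitive substring match, "=" means an exact match, and a message is deleted once its score reaches the threshold; the subject patterns and function names are constructed for illustration.

```python
DELETE_THRESHOLD = 6000  # default delete threshold quoted in the thread
RULE_WEIGHT = 6500       # weight the thread assigns to each subject rule

# Constructed sample patterns (assumption). Take the real subject list,
# with the "Re:" omitted, from the Symantec article linked in the thread.
SUBJECT_PATTERNS = ["Thank you!", "Your details", "Wicked screensaver"]


def rule_matches(subject, pattern, operator):
    """Hypothetical operators: '=' is exact, 'like' is substring (assumed)."""
    s, p = subject.strip().lower(), pattern.lower()
    if operator == "=":
        return s == p
    if operator == "like":
        return p in s
    raise ValueError("unknown operator: %r" % operator)


def score(subject, operator, base_score=0):
    """Add RULE_WEIGHT for every subject rule that matches the message."""
    hits = sum(rule_matches(subject, p, operator) for p in SUBJECT_PATTERNS)
    return base_score + hits * RULE_WEIGHT


def verdict(subject, operator, base_score=0):
    """Delete at SMTP once the score reaches the delete threshold."""
    total = score(subject, operator, base_score)
    return "delete" if total >= DELETE_THRESHOLD else "deliver"


if __name__ == "__main__":
    # Constructed sample subjects, not taken from real mail.
    samples = [
        "Thank you!",
        "Re: Thank you!",
        "RE: Your details",
        "Re: Re: Wicked screensaver",
        "Quarterly report",
        "Thank you! Invoice attached",  # legitimate-looking, still matches
    ]
    for subject in samples:
        print("%-30s  '=': %-8s 'like': %s"
              % (subject, verdict(subject, "="), verdict(subject, "like")))
```

With "=" the "Re:"-prefixed variants fall below the threshold and are delivered, which is why the rule uses "like"; the last sample shows the cost, since any mail whose subject merely contains a pattern is also deleted at the server.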