Filtering W32.Sobig.F
We are receiving a lot of junk mail on our server, sent by people infected with the W32.Sobig.F worm/trojan. We are rejecting messages based on headers. Here's the list of subject headers that I have seen used so far:
    Re: Thank you!
    Thank you!
    Re: Details
    Your details
    Re: Re: My details
    Re: Approved
    Re: Re: Approved
    Re: Your application
    Re: Wicked screensaver
    Re: That movie
The virus also seems to always set the following headers:
    X-MailScanner: Found to be clean
    Importance: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MSMail-Priority: Normal
    X-Priority: 3 (Normal)
    MIME-Version: 1.0
Filtering based on Subject, X-MailScanner and X-Mailer seems pretty effective. Right now our server is rejecting a few of these messages a minute. Now, if only people would stop using broken virus scanners that send out useless messages like the following:
    Subject: Virus Alert

    The mail attachment file email-body was blocked, according to InterScan VirusWall's configuration. The action blocked was taken.
So many monkeys out there.
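
As an added example (not code from the original post), the check below combines the Subject list with the fixed X-MailScanner and X-Mailer values given above. The policy of rejecting only when all three match, the function name `sobig_f_match`, and the sample messages are assumptions made for illustration.

```python
from email import message_from_string
from email.policy import default

# Subjects and fixed header values exactly as listed in this post.
SOBIG_SUBJECTS = {
    "re: thank you!", "thank you!", "re: details", "your details",
    "re: re: my details", "re: approved", "re: re: approved",
    "re: your application", "re: wicked screensaver", "re: that movie",
}
SOBIG_HEADERS = {
    "X-MailScanner": "Found to be clean",
    "X-Mailer": "Microsoft Outlook Express 6.00.2600.0000",
}

def _norm(value):
    """Collapse whitespace (covers folded headers) and lowercase."""
    return " ".join(str(value or "").split()).lower()

def sobig_f_match(raw_message):
    """Return (reject, matched_traits). Assumed policy: reject only when the
    Subject and both fixed headers match, because each trait on its own
    also occurs in legitimate mail (e.g. a real Outlook Express user)."""
    msg = message_from_string(raw_message, policy=default)
    matched = []
    if _norm(msg["Subject"]) in SOBIG_SUBJECTS:
        matched.append("Subject")
    for name, expected in SOBIG_HEADERS.items():
        values = msg.get_all(name) or []  # a header may appear more than once
        if any(_norm(v) == expected.lower() for v in values):
            matched.append(name)
    return len(matched) == 3, matched

# Constructed sample messages (not captured traffic).
SAMPLE_WORM = """\
From: someone@example.com
Subject: Re: Wicked
 screensaver
X-MailScanner: Found to be clean
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

See the attached file for details
"""
SAMPLE_LEGIT = """\
From: friend@example.com
Subject: Thank you!
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

Thanks for lunch.
"""
```

The second sample shares a subject and mailer with the worm but lacks the forged X-MailScanner header, so it is not rejected; the returned trait list can be logged to see which single-trait matches a looser rule would have caught.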