Filter SoBig worm at server

**pwrhouse** · 08-20-2003, 09:16 PM

I am running Sendmail as my mail server and I was wondering if anybody knows a way to block the SoBig worm at the server so users don't have to download all of the messages and then delete them.

Thanks for any help.

**boblucci** · 08-21-2003, 12:22 PM

could you block mail by the subject in send mail? i dont know i'm not familiar with it.

The first thing i would block is the file extensions .pif and .scr

**pwrhouse** · 08-21-2003, 01:06 PM

I am not sure if you can block by by subject or body from Sendmail.
Any chance you know of a good tutorial for block certain file extensions? I have been looking but I haven' really found anything that suits my purposes.

Thanks.

**pwrhouse** · 08-21-2003, 02:36 PM

One more thing. I am not worried about users running the attachment, my concern is the volume of mail coming in. I would rather just completely dump all the worm emails emails.

Maybe drop all emails with "See the attached file for details" in the body.

**demian** · 08-21-2003, 02:55 PM

There's no one phrase in the subject or body of the SoBig mails that could unambiguously identify it as unwanted mail. Filtering for "See the attached file for details" could very well generate false positives as could filtering for the subject line this worm uses.

Your best bet is to run spamassassin. This is a very powerful spam filter that - provided you spend some time creating your set of rules - filters out most of your spam and viruses without generating false positives.

I do realize that this probably doesn't help you right away with the flood of SoBig mails you're getting at the moment but I really don't see any ad hoc method that would work reliably.