Defeating SoBig.F

I was struggling to keep up with the flood of SoBig.F emails hitting my inbox, and getting quite concerned for my chances of any mobile computing. Downloading an inbox with several hundred 100k attachments via your mobile phone is not an enticing proposition – especially when you pay per kilobyte used.

The mailserver I run is exim 3.*, so I spent some time trawling the exim mailing list archives and filter documentation, to see if I could block them before I had to download them. It is possible, and actually pretty straightforward – all you need is a .forward file in your home directory on the server that looks like this:

# Exim filter

# Deliver bounce messages normally rather than filing them with the quarantined mail
if error_message then finish endif

# Subject lines SoBig.F uses; each "is" test compares the whole Subject header with one string
if $header_subject: is "Re: Your Application"
        or $header_subject: is "Re: My Details"
        or $header_subject: is "Re: Details"
        or $header_subject: is "Your Details"
        or $header_subject: is "Re: That movie"
        or $header_subject: is "Re: Wicked screensaver"
        or $header_subject: is "Re: Thank you!"
        or $header_subject: is "Thank you!"
        or $header_subject: is "Re: Approved"
        or $header_subject: is "Re: Re: My details"
then
        # Append the message to this file (mbox format) instead of delivering it to the inbox
        save /home/savs/sobig
endif

It seems to be doing the trick – it’s been running for about 20 minutes and has so far zapped 18 virus emails. The downside is this still won’t help reduce the server’s incoming traffic, but we still have a fair way to go before we hit the 40GB allowance limit.

(There are more sophisticated methods for exim 4 users, but as I’m running the stable distribution of Debian, this isn’t an option for me.)

Update: You can now monitor the battle almost live.
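As an added example (not from the original post), here is a small Python script that reads the file the filter's `save` command writes, assumed to be in mbox format, and tallies the quarantined messages by Subject and by hour, which is the sort of count behind the "monitor the battle" update. The sample mbox it reads is constructed for the example.

```python
import mailbox
import os
import tempfile
from collections import Counter
from email.utils import parsedate_to_datetime

# Constructed sample of the filter's save file (mbox format); not a real capture.
SAMPLE_MBOX = """From MAILER-DAEMON Tue Aug 19 10:01:00 2003
Subject: Re: Details
Date: Tue, 19 Aug 2003 10:01:00 +0000

See the attached file for details.

From MAILER-DAEMON Tue Aug 19 10:05:00 2003
Subject: Thank you!
Date: Tue, 19 Aug 2003 10:05:00 +0000

Please see the attached file for details.

From MAILER-DAEMON Tue Aug 19 11:30:00 2003
Subject: Re: Details
Date: Tue, 19 Aug 2003 11:30:00 +0000

Your document is attached.
"""


def tally_quarantine(path):
    """Count messages in the save file by Subject and by 'YYYY-MM-DD HH' bucket."""
    by_subject, by_hour = Counter(), Counter()
    for msg in mailbox.mbox(path):
        by_subject[msg.get("Subject", "(no subject)")] += 1
        try:
            by_hour[parsedate_to_datetime(msg["Date"]).strftime("%Y-%m-%d %H")] += 1
        except (TypeError, ValueError):
            by_hour["(unknown)"] += 1  # missing or malformed Date header
    return sum(by_subject.values()), by_subject, by_hour


def write_sample(text=SAMPLE_MBOX):
    """Write the constructed sample to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return path


if __name__ == "__main__":
    total, subjects, hours = tally_quarantine(write_sample())
    print(f"{total} quarantined:", subjects.most_common(), sorted(hours.items()))
```

Point it at the real save file (here /home/savs/sobig) instead of the sample to get a live count; only headers are read, so attachments are never opened.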

This entry was posted in Computing.