[svlug] How to get exim to reject klez?

Joe McCabe jmccabe at netscape.com
Wed Jun 12 09:59:38 PDT 2002


Mark Symonds wrote:
> Done a bit of googling but without much result (yet), 
> so thought I would ask here if anyone knows of a recipe
> for the exim.conf that would kill it at the MTA.

I'm not using exim, but I have got a filter for my MUA that kills 90% of 
the Klez that show up. Pseudo-code of the filter is:

1) Check for attachment type of "multipart/alternative"
2) Check the subject for:

"^Hi$"
"How are you\"?$"
"Congratulations\"?$"
"Let.s be friends\"?$"
"Darling\"?$"
"Your password\"?$"
"Some questions\"?$"
"Please try again\"?"
"Welcome to my hometown\"?$"
"The garden of eden\"?$"
"Introduction on ADSL\"?$"
"Meeting notice\"?$"
"Questionnaire\"?$"
"SOS!\"?$"
"Japanese girl vs playboy\"?$"
"Look,my beautiful girl friend\"?$"
"Eager to see you\"?$"
"Spice girls. vocal concert\"?$"
"japanese lass' sexy pictures\"?$"
"your home page\"?$"
"Worm Klez\.E immunity\"?$"
"Internet security update\"?$"
"A +(WinXP|IE 6\.0) +patch\"?"
"A( )+(very|special)? ( )?(funny|humour|excite|powful|new)? ( )?(website|game|tool)"
"W32\.(Elkern|Klez|Klez\.E) +removal +tools\"?$"
"Happy (Epiphany|Christmas)\"?$"
"^(Returned|Undeliverable) mail--\"[a-zA-Z]+\"$"
"Of service*\"?"
"So cool a flash,enjoy it\"?$"
"^$"

There are many more "stock" subjects that Klez uses, and Klez can 
construct Subjects based upon pages in the user's browser cache, so you 
can't catch everything.

Good luck.

--
Joe McCabe   Any clod can have the facts, but having
AOZilla?     opinions is an art.  -- Charles McCabe
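The two-step check Joe describes, as an added example in Python (this is not his MUA filter and not an exim recipe): a message is flagged only when its top-level Content-Type is multipart/alternative and its Subject matches one of the stock Klez subjects. The pattern list is transcribed from the post into Python regex syntax; the sample messages, the helper names (`looks_like_klez`, `subject_matches`, `_sample`, `classify`) and the sender/recipient addresses are constructed for this example.

```python
"""Heuristic Klez check: multipart/alternative container + stock Subject."""
import email
import re

# Stock subjects from the post, transcribed to Python regex syntax. The
# original filter wrote a trailing \"? for an optional closing quote; that
# is kept as written. Klez also builds subjects from the browser cache, so
# no fixed list is complete.
KLEZ_SUBJECT_PATTERNS = [
    r"^Hi$",
    r"How are you\"?$",
    r"Congratulations\"?$",
    r"Let.s be friends\"?$",
    r"Darling\"?$",
    r"Your password\"?$",
    r"Some questions\"?$",
    r"Please try again\"?",
    r"Welcome to my hometown\"?$",
    r"The garden of eden\"?$",
    r"Introduction on ADSL\"?$",
    r"Meeting notice\"?$",
    r"Questionnaire\"?$",
    r"SOS!\"?$",
    r"Japanese girl vs playboy\"?$",
    r"Look,my beautiful girl friend\"?$",
    r"Eager to see you\"?$",
    r"Spice girls. vocal concert\"?$",
    r"japanese lass' sexy pictures\"?$",
    r"your home page\"?$",
    r"Worm Klez\.E immunity\"?$",
    r"Internet security update\"?$",
    r"A +(WinXP|IE 6\.0) +patch\"?",
    r"A( )+(very|special)? ( )?(funny|humour|excite|powful|new)? ( )?(website|game|tool)",
    r"W32\.(Elkern|Klez|Klez\.E) +removal +tools\"?$",
    r"Happy (Epiphany|Christmas)\"?$",
    r"^(Returned|Undeliverable) mail--\"[a-zA-Z]+\"$",
    r"Of service*\"?",
    r"So cool a flash,enjoy it\"?$",
    r"^$",
]
_COMPILED = [re.compile(p) for p in KLEZ_SUBJECT_PATTERNS]


def subject_matches(subject: str) -> bool:
    """Step 2 of the filter: does the Subject hit any stock Klez subject?"""
    return any(p.search(subject) for p in _COMPILED)


def looks_like_klez(raw_message: str) -> bool:
    """Both checks from the post must hold for one RFC 822 message."""
    msg = email.message_from_string(raw_message)
    # Step 1: the whole message is a multipart/alternative container.
    if msg.get_content_type() != "multipart/alternative":
        return False
    # Step 2: stock-subject list. A missing Subject counts as empty, which the
    # post's final pattern ("^$") also flags.
    return subject_matches((msg.get("Subject") or "").strip())


def _sample(subject, content_type: str) -> str:
    """Constructed test message (not a real Klez capture); subject=None omits the header."""
    headers = ["From: sender@example.org", "To: victim@example.org"]
    if subject is not None:
        headers.append(f"Subject: {subject}")
    headers += ["MIME-Version: 1.0", f'Content-Type: {content_type}; boundary="b1"']
    body = ["--b1", "Content-Type: text/plain", "", "placeholder body", "--b1--"]
    return "\n".join(headers + [""] + body) + "\n"


# Constructed inputs: two Klez-shaped messages, one stock subject with the
# wrong MIME type, and one legitimate multipart/alternative message.
SAMPLES = {
    "klez_immunity": _sample("Worm Klez.E immunity", "multipart/alternative"),
    "klez_no_subject": _sample(None, "multipart/alternative"),
    "plain_hi": _sample("Hi", "text/plain"),
    "legit_alternative": _sample("Meeting minutes", "multipart/alternative"),
}


def classify(samples: dict) -> dict:
    """Map sample name -> True when the message is flagged."""
    return {name: looks_like_klez(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, flagged in classify(SAMPLES).items():
        print(f"{name:20} {'flagged' if flagged else 'ok'}")
```

Requiring both conditions keeps a legitimate HTML+text mail with an ordinary subject, and a plain-text "Hi", out of the trap; as the post says, the subject list is only ever partial, so this catches the bulk rather than all of it.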