  1. #1
    Member
    Join Date
    Aug 2002
    Posts
    170

    Mail filters not working correctly (SoBig Virus bounces)

    I set up a filter on my email account to block any messages in which the message body contained the word "octet-stream" (without the quotes) but it DOES NOT WORK!!!
    The mail is still getting to me, why isn't the filter working?

    I'm trying to block these:


    Hi. This is the qmail-send program at krusty.metrocomia.dk.
    I'm afraid I wasn't able to deliver your message to the following addresses.
    This is a permanent error; I've given up. Sorry it didn't work out.

    <egw@netguide.dk>:
    Sorry, no mailbox here by that name. vpopmail (#5.1.1)

    --- Below this line is a copy of the message.

    Return-Path: <admin@*******.com>
    Received: (qmail 6954 invoked from network); 3 Sep 2003 17:39:04 -0000
    Received: from unknown (HELO GEORGE) (217.42.112.1)
    by 213.173.246.98 with SMTP; 3 Sep 2003 17:39:04 -0000
    From: <admin@********com>
    To: <egw@netguide.dk>
    Subject: Re: Details
    Date: Wed, 3 Sep 2003 18:54:25 +0100
    X-MailScanner: Found to be clean
    Importance: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MSMail-Priority: Normal
    X-Priority: 3 (Normal)
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="_NextPart_000_01DF2665"

    This is a multipart message in MIME format

    --_NextPart_000_01DF2665
    Content-Type: text/plain;
    charset="iso-8859-1"
    Content-Transfer-Encoding: 7bit

    Please see the attached file for details.
    --_NextPart_000_01DF2665
    Content-Type: application/octet-stream;
    name="wicked_scr.scr"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
    filename="wicked_scr.scr"

    TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
    ......
    Host Ultra
    Quality Affordable Web Hosting

  2. #2
    Member
    Join Date
    Aug 2002
    Posts
    1,052


    You can easily do this with a correctly set up email filter in exim. Simply edit your filter file /etc/vfilters/your-domain.com and insert the following rules:
    Code:
    # Exim filter
    
    if error_message then finish endif
    
    if $header_subject: contains "Re: Your Application"
        or $header_subject: contains "Re: My Details"
        or $header_subject: contains "Re: Details"
        or $header_subject: contains "Your Details"
        or $header_subject: contains "Re: That movie"
        or $header_subject: contains "Re: Wicked screensaver"
        or $header_subject: contains "Re: Details"
        or $header_subject: contains "Re: Thank you!"
        or $header_subject: contains "Thank you!"
        or $header_subject: contains "Re: Approved"
        then
            save /dev/null
    endif
    Some people who are more anal retentive will s/contains/is .
    Last edited by ciphervendor; 09-03-2003 at 02:34 PM.

    The rest of those who have gone before us cannot steady the unrest of those to follow.

  3. #3
    Member
    Join Date
    Aug 2002
    Posts
    170


    Originally posted by ciphervendor
    Looks like you're trying to block sobig.f. You can easily do this with a correctly set up email filter in exim. Simply edit your filter file /etc/vfilters/your-domain.com and insert the following rules:
    Code:
    # Exim filter
    
    if error_message then finish endif
    
    if $header_subject: contains "Re: Your Application"
        or $header_subject: contains "Re: My Details"
        or $header_subject: contains "Re: Details"
        or $header_subject: contains "Your Details"
        or $header_subject: contains "Re: That movie"
        or $header_subject: contains "Re: Wicked screensaver"
        or $header_subject: contains "Re: Details"
        or $header_subject: contains "Re: Thank you!"
        or $header_subject: contains "Thank you!"
        or $header_subject: contains "Re: Approved"
        then
            save /dev/null
    endif
    Some people who are more anal retentive will s/contains/is .

    Actually I'm not trying to block the virus itself.
    I'm trying to block the returned (bounced) viruses.

    The sobig virus fakes the sender email address so I am getting bounces for an email that I never sent.

    The bounce message does not contain the virus so it's not blocked by virus filters but still fills up my inbox with loads of 100KB bounced messages.

    This is like what happens when a spammer uses your email address as the reply address for his spams.

    EDIT:
    After looking at /etc/vfilters/domain.com I see the problem:

    if error_message then finish endif

    I commented out that line so it should work now.
    Last edited by hostultra; 09-03-2003 at 02:38 PM.
    Host Ultra
    Quality Affordable Web Hosting
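
Added example, not part of the thread and not cPanel or Exim code: a Python check for the case described in posts #1 and #3, a bounce (null envelope sender) whose returned copy carries an executable-looking attachment. The sample bounce is constructed from the one quoted in post #1 with example.* addresses; the function names and the extension list are assumptions.

```python
import email
from email import policy
# qmail-send puts the returned copy of the message after this separator line
QMAIL_MARKER = "--- Below this line is a copy of the message."
RISKY_EXT = (".scr", ".pif", ".exe", ".com", ".bat")  # assumed list, extend as needed

# Constructed sample modelled on the bounce in post #1 (addresses are placeholders)
SAMPLE_BOUNCE = """\
Hi. This is the qmail-send program at mx.example.net.
<nobody@example.org>:

--- Below this line is a copy of the message.

Return-Path: <admin@example.com>
Subject: Re: Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000_01DF2665"

--_NextPart_000_01DF2665
Content-Type: text/plain; charset="iso-8859-1"

Please see the attached file for details.
--_NextPart_000_01DF2665
Content-Type: application/octet-stream; name="wicked_scr.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="wicked_scr.scr"

AAAA
--_NextPart_000_01DF2665--
"""

def returned_copy(bounce_body):
    """Parse the original message embedded in a qmail bounce; None if absent."""
    _, sep, rest = bounce_body.partition(QMAIL_MARKER)
    text = rest.lstrip("\r\n")
    return email.message_from_string(text, policy=policy.default) if sep else None

def risky_attachments(msg):
    """Return lower-cased filenames of executable-looking parts in a message."""
    names = [(part.get_filename() or "").lower() for part in msg.walk()]
    return [n for n in names if n.endswith(RISKY_EXT)]

def is_worm_backscatter(envelope_sender, bounce_body):
    """True only for a bounce (null sender) that returns a risky attachment."""
    if envelope_sender not in ("", "<>"):
        return False  # not a delivery-status message, leave it to normal filters
    original = returned_copy(bounce_body)
    return original is not None and bool(risky_attachments(original))
```

Keying on the returned attachment rather than on the sender or subject leaves ordinary bounces for mail the user really sent untouched.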

  4. #4
    Member
    Join Date
    Aug 2002
    Posts
    1,052


    Why don't you just then filter for senders and send all messages from admin@, mailer-daemon@, postmaster@, etc. to the bit bucket (/dev/null)?


    The rest of those who have gone before us cannot steady the unrest of those to follow.
