From owner-freebsd-isp@FreeBSD.ORG  Fri Aug 22 06:42:50 2003
Return-Path: <owner-freebsd-isp@FreeBSD.ORG>
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id EAF2F16A4BF
	for <freebsd-isp@freebsd.org>; Fri, 22 Aug 2003 06:42:50 -0700 (PDT)
Received: from satin.sensation.net.au
	(c210-49-158-113.brodm1.vic.optusnet.com.au [210.49.158.113])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1B3F743FEA
	for <freebsd-isp@freebsd.org>; Fri, 22 Aug 2003 06:42:49 -0700 (PDT)
	(envelope-from rowan@sensation.net.au)
Received: from satin.sensation.net.au (localhost [127.0.0.1])
	by satin.sensation.net.au (8.12.8/8.12.6) with ESMTP id h7MDgkoq027292
	for <freebsd-isp@freebsd.org>; Fri, 22 Aug 2003 23:42:46 +1000 (EST)
	(envelope-from rowan@sensation.net.au)
Received: from localhost (rowan@localhost)h7MDgkg8027289
	for <freebsd-isp@freebsd.org>; Fri, 22 Aug 2003 23:42:46 +1000 (EST)
X-Authentication-Warning: satin.sensation.net.au: rowan owned process doing
	-bs
Date: Fri, 22 Aug 2003 23:42:45 +1000 (EST)
From: Rowan Crowe <rowan@sensation.net.au>
To: freebsd-isp@freebsd.org
In-Reply-To: <200308221336.h7MDatYu059699@energistic.com>
Message-ID: <Pine.BSF.4.21.0308222339290.27198-100000@satin.sensation.net.au>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: Re: Sendmail and GoBig
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Internet Services Providers <freebsd-isp.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-isp>,
	<mailto:freebsd-isp-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-isp>
List-Post: <mailto:freebsd-isp@freebsd.org>
List-Help: <mailto:freebsd-isp-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-isp>,
	<mailto:freebsd-isp-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Aug 2003 13:42:51 -0000

On Fri, 22 Aug 2003, Steve Ames wrote:

> 
> Anyone got a quick sendmail ruleset to block the GoBig worm? A couple
> of machines I help admin got beat pretty hard yesterday...

Steve,

You're in luck. I was just testing this literally 2 minutes ago. Try this:


##
## Common Virus Subjects
##
HSubject:                               $>Check_Subject
D{VMsg}"Message blocked due to subject line - if this was sent by a human\, please change the subject and resend."

SCheck_Subject
RRe : Approved                          $#error $: 550 5.7.0 ${VMsg}
RRe : Details                           $#error $: 550 5.7.0 ${VMsg}
RRe : Re : My details                   $#error $: 550 5.7.0 ${VMsg}
RRe : Thank you !                       $#error $: 550 5.7.0 ${VMsg}
RRe : That movie                        $#error $: 550 5.7.0 ${VMsg}
RRe : Wicked screensaver                $#error $: 550 5.7.0 ${VMsg}
RRe : Your application                  $#error $: 550 5.7.0 ${VMsg}
RThank you !                            $#error $: 550 5.7.0 ${VMsg}
RYour details                           $#error $: 550 5.7.0 ${VMsg}

Note that you will need to convert the large areas of space to tabs for
sendmail to recognise it.

Disclaimer - not 100% tested yet, but so far it's correctly accepted and
rejected the subject lines I've thrown at it, and it's already eaten up a
couple of real world sobig emails.

Cheers.


--
Rowan Crowe - Melbourne, Australia