Sobig.F Filter for Exim

Necessary conditions for a message to carry the Sobig.F email virus are:

Furthermore, the SMTP implementation of Sobig.F appears to use the WINS name of the host as the argument of the HELO/EHLO command. A WINS name does not contain a period ("."), so Sobig.F violates the SMTP protocol specification. However, if a mail relay sits between the Sobig.F host and the recipient, the recipient only sees the HELO argument sent by the mail relay, so filters based only on HELO arguments are not completely effective, but they reduce the traffic caused by the virus significantly. Be sure, though, to accept mail with syntactically invalid HELO arguments from your own Windows machines.

Therefore the following Exim ACLs are proposed to filter Sobig.F mail traffic:

check_helo:
  # Accept locally generated mail.
  accept hosts = :
  # Accept mail from our own constituency (change this!).
  accept hosts = 192.0.2.0/24

  # Accept only arguments containing a ".".
  accept condition = ${if match{$sender_helo_name}{\\.}{yes}{no}}
  drop   message = syntactically invalid argument

check_data:
   # Deny only if all three conditions hold: the Sobig.F body text,
   # a message size typical of the attachment, and a MailScanner
   # header claiming the message is clean.
   deny condition = \
          ${if match{$message_body} \
             {(Please s|S)ee the attached file for details} \
             {yes}{no}}
        condition = ${if >{$message_size}{98000}{yes}{no}}
        condition = \
          ${if eq{$header_X-MailScanner:}{Found to be clean} \
             {yes}{no}}
        message = "Sobig virus detected"

   accept

These ACLs can be activated in the main section of the Exim configuration file using:

acl_smtp_data = check_data
acl_smtp_helo = check_helo

Note that bounces triggered by the Sobig.F virus will still pass these filters. They might include a full and operational copy of the virus.
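To check the filter logic without a running Exim, the following added example (not part of the original page) re-implements the two ACLs in Python and runs them over a constructed message. It assumes the 192.0.2.0/24 constituency from the ACL above and Exim's default message_body_visible of 500 bytes; the sample message is constructed, not a real virus sample.

```python
import email
import ipaddress
import re
from email import policy
from typing import Optional

# Assumed "constituency" network, mirroring the ACL's 192.0.2.0/24 placeholder.
CONSTITUENCY = ipaddress.ip_network("192.0.2.0/24")
BODY_PATTERN = re.compile(r"(Please s|S)ee the attached file for details")
SIZE_THRESHOLD = 98000   # bytes, as in the check_data ACL
BODY_VISIBLE = 500       # Exim's message_body_visible default


def check_helo(helo_name: str, sender_ip: Optional[str]) -> str:
    """Mirror check_helo: local (None) and constituency hosts are accepted,
    all other hosts must send a HELO argument containing a '.'."""
    if sender_ip is None or ipaddress.ip_address(sender_ip) in CONSTITUENCY:
        return "accept"
    return "accept" if "." in helo_name else "drop"


def check_data(raw: bytes) -> str:
    """Mirror check_data: deny only when all three conditions hold."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # $message_body: first BODY_VISIBLE bytes of the body, newlines as spaces.
    sep = re.search(rb"\r?\n\r?\n", raw)
    body = raw[sep.end():] if sep else b""
    visible = body[:BODY_VISIBLE].replace(b"\r\n", b" ").replace(b"\n", b" ")
    body_hit = BODY_PATTERN.search(visible.decode("latin-1")) is not None
    big = len(raw) > SIZE_THRESHOLD
    scanned_clean = str(msg.get("X-MailScanner", "")).strip() == "Found to be clean"
    return "deny" if (body_hit and big and scanned_clean) else "accept"


def constructed_sample() -> bytes:
    """Constructed message with the traits the ACL keys on (not a real sample)."""
    filler = "A" * 100000  # stands in for the ~100 KB attachment
    return (
        "From: sender@example.com\n"
        "To: recipient@example.net\n"
        "Subject: Re: Details\n"
        "X-MailScanner: Found to be clean\n"
        "\n"
        "Please see the attached file for details\n"
        "\n" + filler + "\n"
    ).encode("ascii")
```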

Florian Weimer