Here are the two different rules that I've used (with
acknowledgements to Marius Gaudin):
1. To simply DELETE any message with a .vbs attachment, this is
the rule that I used (until Sunday afternoon):
B~filename=".*\.vbs":NUL
2. But then I got curious about how many .vbs files I was catching,
so I switched to this procedure: to FORWARD any message with a
.vbs attachment to a mailbox named VIRUS in an email account named
TRAPPED, this is the rule that I'm using (since Sunday afternoon):
B~filename=".*\.vbs":virus
Before creating the rule in #2, I created a text file (in \IMail)
with ONLY this line (cr/lf at end):
[EMAIL PROTECTED]
(substituting YOUR domain name, of course). I saved the file as
VIRUS.FWD, and copied it to the "root" of every user's directory
EXCEPT for the TRAPPED directory (acknowledgements to Kirk
Mitchell).
To see what I've "caught" in the TRAPPED account, I log in as
TRAPPED and check the VIRUS folder. Voila! The live I-LOVE-YOU
.vbs virus that I sent (from one of my non-IMail mail servers) to
three different users' accounts are all safely tucked away in the
VIRUS mailbox of the TRAPPED account... and a check of the three
users' accounts shows that NOTHING went to their accounts. The
other .vbs traffic is also safely nestled in TRAPPED's VIRUS
mailbox.
Both #1 and #2 work like a charm on my system... and are catching
virus laden messages as we "speak" (though I'm only using #2 at this
point). I've deleted all other rules related to text content in the
I-LOVE-YOU strain (hyphens intentionally inserted).
My rules.ima file is in \IMail
Gordon
-----
Dan Spangenberg wrote:
>
> Here is the rule I am using:
>
> B~filename=".*\.vbs:virusbox
>
> I am not using virtuals domains either, and this rule only works for me from
> within my domain. Anything sent from outside with a *.vbs file gets through
> without being caught.
>
> I am fairly new to rules, so I wonder if I have it right?
>
> Other entries in the same rules.ima are working fine, so I know I have it in
> the right place etc.
>
> Thanks
> Dan
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Gordon Williams
> Sent: Monday, May 08, 2000 11:31 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [IMail Forum] filtering for .vbs attachments
>
> The rule works for me, but I'm not using virtual domains. Any
> message with .vbs attachment sent from an outside domain is properly
> deleted or forwarded to a VIRUS mailbox, depending on how I write
> the rule.
>
> Gordon
>
> -----
> "Gaudin Marius (Softec)" wrote:
> >
> > Mark,
> >
> > When I tried this, it worked on local deliveries only. The remotely
> > delivered mails (e.g. to aliases which point to addresses on a different
> > server) were not discarded.
> >
> > >From your mail, I can't see if the rule was running on the same server as
> > the mailbox of [EMAIL PROTECTED] was located.
> >
> > I wonder if anybody else has made experiences (good or bad) with this kind
> > of filter?
> >
> > Marius
> > -----Urspr�ngliche Nachricht-----
> > Von: Mark [mailto:[EMAIL PROTECTED]]
> > Gesendet: Montag, 8. Mai 2000 18:02
> > An: [EMAIL PROTECTED]
> > Betreff: RE: [IMail Forum] filtering for .vbs attachments
> >
> > At 03:29 PM 5/5/2000 +0200, you wrote:
> > >As variants of other .vbs viruses are turning up, I use a filter like
> > >
> > >B~filename=".*\.vbs":NUL
> > >
> > >to remove all messages containing attachments with any filename ending
> > >in .vbs.
> >
> > I tested this and it didn't work. My rules.ima file had this exact
> > line. I sent a test copy of a vbs and it went into the main.mbx just as a
> > regular email would. Any ideas?
> >
> > I sent the test email locally. [EMAIL PROTECTED] to
> > [EMAIL PROTECTED] Both domains are hosted by IMail.
> >
> > Cheers
> > mark
> > Please visit http://www.ipswitch.com/support/mailing-lists.html
> > to be removed from this list.
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
>
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
