Here's a plugin to kill sobig:
sub register {
my ($self, $qp) = @_;
$self->register_hook("data_post", "check_sobig");
}
# Sobig always has the same MIME boundary:
# Content-Type: multipart/mixed;
# boundary="CSmtpMsgPart123X456_000_0062CA95"
sub check_sobig {
my ($self, $transaction) = @_;
return (DENY, "Sobig Virus Detected")
if $transaction->header->get('Content-Type')
=~ /boundary="CSmtpMsgPart123X456/;
return (DECLINED);
}
