Here's a plugin to kill sobig: sub register { my ($self, $qp) = @_; $self->register_hook("data_post", "check_sobig"); }
# Sobig always has the same MIME boundary: # Content-Type: multipart/mixed; # boundary="CSmtpMsgPart123X456_000_0062CA95" sub check_sobig { my ($self, $transaction) = @_; return (DENY, "Sobig Virus Detected") if $transaction->header->get('Content-Type') =~ /boundary="CSmtpMsgPart123X456/; return (DECLINED); }