Need a SpamAssassin rule for sober.p worm

I am running procmail with Spam Assassin 2.63 on a FreeBSD server.  I am new to spam assassin and have some difficulty understanding the syntax.  Does anyone have a rule written to filter out the bombardment of mail with the sober.p virus attached?  
The subject lines include:
Re: mailing error
Re: Registration Confirmation
Re: Your email was blocked
Re: Your Password

I also see that although spam assassin may mark many of these messages as spam, it still lets them through to the user.  Is there a way that they can be bounced or deleted immediately?
Please help, when our mailboxes fill up it shuts down our ecommerce shared webserver at Verio!
Who is Participating?
You'd be better served by installing an Anti-Virus scanner on your system and integrating it into your mail system. I think you can build ClamAV ( on FreeBSD and setting the system up to use MailScanner ( would integrate the A/V and SpamAssassin checks on the mail stream.

FYI: I've seen more subject lines than that...
ClamAV with Mailscanner strips the attachment, but still delivers the message.  To block the message, use the spamassassin rule from

Otherwise, you can make your own rules as described at based on the virus description at

I'm working on rules to block this as well.  Anybody got an SA ruleset specific to Sober that they want to share?
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.