Need a SpamAssassin rule for sober.p worm

I am running procmail with Spam Assassin 2.63 on a FreeBSD server.  I am new to spam assassin and have some difficulty understanding the syntax.  Does anyone have a rule written to filter out the bombardment of mail with the sober.p virus attached?  
The subject lines include:
Re: mailing error
Re: Registration Confirmation
Re: Your email was blocked
Re: Your Password

I also see that although spam assassin may mark many of these messages as spam, it still lets them through to the user.  Is there a way that they can be bounced or deleted immediately?
 
Please help, when our mailboxes fill up it shuts down our ecommerce shared webserver at Verio!
sfghadmin Asked:
 
jlevie Commented:
You'd be better served by installing an Anti-Virus scanner on your system and integrating it into your mail system. I think you can build ClamAV (http://www.clamav.net/) on FreeBSD and setting the system up to use MailScanner (http://www.mailscanner.info) would integrate the A/V and SpamAssassin checks on the mail stream.

FYI: I've seen more subject lines than that...
 
thehermit Commented:
ClamAV with MailScanner strips the attachment, but still delivers the message.  To block the message, use the SpamAssassin rule bogus-virus-warnings.cf from http://www.timj.co.uk/linux/bogus-virus-warnings.cf

Otherwise, you can make your own rules as described at http://mywebpages.comcast.net/mkettler/sa/SA-rules-howto.txt based on the virus description at http://www.sarc.com/avcenter/venc/data/w32.sober.o@mm.html

I'm working on rules to block this as well.  Anybody got an SA ruleset specific to Sober that they want to share?
Question has a verified solution.
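
One way to do what the question asks, as an added example that is not from any participant in this thread or from a published ruleset: a local SpamAssassin header rule for the four subject lines listed in the question, plus a procmail recipe that discards mail SpamAssassin has flagged. The rule name LOCAL_SOBER_SUBJ, the score, and the file locations are assumptions.

```conf
# ---- SpamAssassin side: e.g. ~/.spamassassin/user_prefs or the site local.cf
# (file location is an assumption; rule name LOCAL_SOBER_SUBJ is hypothetical)

# Match only the exact subject lines quoted in the question, anchored at both
# ends so longer legitimate subjects containing these words do not hit.
header   LOCAL_SOBER_SUBJ  Subject =~ /^Re: (?:mailing error|Registration Confirmation|Your email was blocked|Your Password)\s*$/i
describe LOCAL_SOBER_SUBJ  Subject matches a Sober worm subject line
# A subject match alone is weak evidence ("Re: Your Password" can be real
# mail), so the assumed score stays below the default threshold of 5 and
# only tips messages that other tests already find suspicious.
score    LOCAL_SOBER_SUBJ  3.0

# ---- procmail side: ~/.procmailrc

# Pass each message through SpamAssassin so it adds its X-Spam-* headers.
:0fw: spamassassin.lock
* < 256000
| spamassassin

# Discard anything SpamAssassin flagged instead of delivering it.
# Discarding rather than bouncing: the worm forges sender addresses, so a
# bounce would land on an uninvolved third party.
:0
* ^X-Spam-Flag: YES
/dev/null
```

Delivering flagged mail to a separate quarantine mailbox for a few days before switching the last recipe to /dev/null makes it possible to check for false positives first.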
