HOW TO: Dropping mass mailers

shannon.hagan
Level 1

You need to do this in the policy configuration (policyconfig --> Incoming or Outgoing --> filters) or you can do it in the GUI (Mail Policies --> Incoming/Outgoing Content Filters) since the X-IronPort-AV doesn't get added until the virus checker runs. Remember to add the policy for all listeners.

Conditions:
header("X-IronPort-AV") == "(?i)almat|annil|atak|baba|bagle|bagz|bagz|bancban|banker|beaker|bigag|bkfraud|bobax|bofra|bugbear|bugbear|cissi|conycsp|crowt|dalixy|darby|delf|favsin|fightrub|graber|keylog|kipis|ldpinch|lydra|maslan|mimail|mydoom|netsky|pikis|plexeus|proba|prorat|pwslimir|rbot|salga|sharp|sobig|spabot|spyvb|stawin|text|torun|umbriel|vipgsm|wurmark|yaha|yanz|ybad|zafi|zonit|zoomen"

Actions:
drop()

Description:
Drop mass mailers from the system


As new mass mailers get added, you can add to the list.

It would also be nice if mass mailers were auto identified and you could take action on it in the mail policies like you do for repaired, encrypted, unscannable and virus infected messages.

2 Replies

ian_ironport
Level 1

I'm doing the same thing

header("X-IronPort-AV") == "v=\"W32/(Sober|Love?gate|Netsky|Bagle|Bugbear|Mytob|Gibe|MyDoom|Zafi|Bagz|Parite|Mabutu|Kipis|Nyxem|Yaha|Flcss|Sircam|Klez|Chir|Fizzer|Dumaru|Sobig)"

And the end-users love it. But it's a pain to update manually as new viruses hit the network. Anything to automate this would be great.

Jim243_ironport
Level 1

We have 12 IronPorts, so automation would be a wonderful thing.
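
For the manual-update problem raised in this thread, the sketch below regenerates the condition line from a maintained name list and checks it against sample header values before it is pasted onto each appliance. It is an added example, not code from any poster or from IronPort, and it also compares the anchored `v="W32/(...)` form from the second post with an unanchored list. Assumptions: Python's `re` stands in for the appliance's regex engine, `==` is treated as a substring search, and the family list, sample header values and function names are constructed for illustration.

```python
import re

# Constructed subset of the names in the thread; duplicates and mixed case left in on purpose.
FAMILIES = ["netsky", "Bagle", "bagz", "bagz", "mydoom", "bugbear", "bugbear", "sobig", "zafi"]

# Constructed header values -> should the message be dropped?
# Only the v="W32/<name>" fragment comes from the thread; the d= field is made up.
SAMPLES = {
    'v="W32/Netsky-P"; d="zip"': True,
    'v="W32/Bagz-B"; d="exe"': True,
    'v="W32/Parite-A"; d="exe"': False,   # family not in FAMILIES
    'd="text/plain"': False,              # no verdict field at all
}

def normalise(names):
    """Lower-case, de-duplicate and sort so the list diffs cleanly between updates."""
    cleaned = sorted({n.strip().lower() for n in names if n.strip()})
    for name in cleaned:
        # Plain alphanumerics only, so nothing needs regex escaping in the filter.
        if not re.fullmatch(r"[a-z0-9]+", name):
            raise ValueError("not a plain family name: %r" % name)
    return cleaned

def anchored_pattern(names, platform="W32"):
    """Names match only directly after v="<platform>/, as in the second post."""
    return '(?i)v="%s/(%s)' % (platform, "|".join(normalise(names)))

def unanchored_pattern(names):
    """Names match anywhere in the header value, as in the first post."""
    return "(?i)" + "|".join(normalise(names))

def build_condition(names):
    """Condition line in the form used in the thread, inner quotes escaped."""
    return 'header("X-IronPort-AV") == "%s"' % anchored_pattern(names).replace('"', '\\"')

def mismatches(pattern, samples=SAMPLES):
    """Sample header values where the pattern disagrees with the expected verdict."""
    return [h for h, want in samples.items() if bool(re.search(pattern, h)) != want]

if __name__ == "__main__":
    print(build_condition(FAMILIES))
    print("anchored mismatches:", mismatches(anchored_pattern(FAMILIES)))
    print("unanchored + 'text':", mismatches(unanchored_pattern(FAMILIES + ["text"])))
```

With the anchored pattern every sample gets the expected verdict; the unanchored list with a generic token such as `text` also matches the sample that carries no virus verdict, which is the kind of false drop worth testing for before a list is rolled out to several appliances.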