Re: Classifying W32/MyDoom.A

Netfilter is not an application-layer firewall.
Try something like sendmail/MailScanner and pick up ClamAV. I was blocking before I even knew about the virus!
Ray Leach wrote:
> On Thu, 2004-01-29 at 20:06, Eliot, GLI wireless tech support wrote:
> > Has anyone come up with a ruleset for classifying a random TCP or specific SMTP connection as being the W32/MyDoom.A virus?
> > <<snip>>
> > Anyone have any ideas how to do this without too many false positives? (i.e. a document on the web that describes the characteristics of MyDoom.A).
> Since it spreads via SMTP from clients and not servers, why not just block all SMTP traffic outbound to the internet from your client machines, and only allow your mail server to send SMTP mail? Of course you would need a decent anti-virus program on the mail server. The other way you could possibly do this is by using a string match to look inside any SMTP packets for matches of the attachment names(?).
