A handy tip:

Pete Krawczyk <petek at mc.net> has noticed a very interesting property of all mail sent by the SirCam worm:

The SMTP headers of a message usually include a line that begins:


However, SirCam mail has a lower-case "date:" header. One copy I received, for example, says:

date: Tue, 24 Jul 2001 00:40:16 -0400

Krawczyk says that this appears to be unique among SMTP clients.

You can therefore configure your SMTP server to reject all messages with a header line matching /^date:/ and you'll save not only lost files but lots of bandwidth.

God, I love it when a criminal makes a mistake...

SOURCE: the SecurityFocus incidents list