A handy tip:
Pete Krawczyk <petek at mc.net> has noticed a very interesting property of all mail sent by the SirCam worm:
The SMTP headers of a message usually include a line that begins:
However, SirCam mail has a lower-case "date:" header. One copy I received, for example, says:
date: Tue, 24 Jul 2001 00:40:16 -0400
Krawczyk says that this appears to be unique among SMTP clients.
You can therefore configure your SMTP server to reject all messages with a header line matching /^date:/ and you'll save not only lost files but lots of bandwidth.
God, I love it when a criminal makes a mistake...
SOURCE: the SecurityFocus incidents list
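The check described above, as an added example (not code from the original post or the incidents list): it applies /^date:/ case-sensitively and only to the header block, so a normal "Date:" header or a body line that happens to start with "date:" is not rejected. The function names and both sample messages are constructed for illustration.

```python
import re

# Case-sensitive on purpose: a normal "Date:" header must pass.
LOWERCASE_DATE = re.compile(rb"^date:")

def header_lines(raw: bytes):
    """Yield header lines only, stopping at the blank line that starts the body."""
    for line in raw.splitlines():  # handles CRLF and bare LF
        if line == b"":
            return
        yield line

def matching_header(raw: bytes):
    """Return the first header line matching /^date:/, or None."""
    for line in header_lines(raw):
        if LOWERCASE_DATE.match(line):
            return line
    return None

def should_reject(raw: bytes) -> bool:
    return matching_header(raw) is not None

# Constructed sample messages (addresses are placeholders).
SIRCAM_LIKE = (
    b"From: sender@example.com\r\n"
    b"To: rcpt@example.org\r\n"
    b"date: Tue, 24 Jul 2001 00:40:16 -0400\r\n"
    b"Subject: sample\r\n"
    b"\r\n"
    b"body text\r\n"
)
NORMAL = (
    b"From: sender@example.com\r\n"
    b"Date: Tue, 24 Jul 2001 00:40:16 -0400\r\n"
    b"Subject: meeting\r\n"
    b"\r\n"
    b"date: let's pick one next week\r\n"
)

if __name__ == "__main__":
    for name, msg in (("SIRCAM_LIKE", SIRCAM_LIKE), ("NORMAL", NORMAL)):
        print(name, "reject" if should_reject(msg) else "accept")
```

If your mail server's header-filter regexes are case-insensitive by default, switch the rule to case-sensitive matching, or it will reject every message that carries an ordinary "Date:" header.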