Re: [EXIM] A filter for Malissa?

Author: Nigel Metheringham
Date:  
To: Jeffrey Goldberg
CC: exim-users
Subject: Re: [EXIM] A filter for Malissa?

J.Goldberg@??? said:
> Regarding a new Word macro virus W97M.Melissa, which has the effect of
> sending chain mail


[...]

> does anyone have an Exim global filter for this?


It's very easy to do one - something like

    if $h_subject begins "Important Message From "
    then
        fail "Message probably contains Melissa-Macro-Virus - see http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html for details"
    endif


in the system filter file. However this is likely to be subject to
false positives - I am sure a couple of messages I received in the last
year from the less computer literate management (or rather their
secretaries) would have triggered this. If the virus is widespread
then the false positives are worth it, if not then I would be tempted
to maybe add a rule like this to log a comment and see what the
prevelance is - or if you log subject you could quickly grep your logs
to see if it will hit.

Incidentally I did a similar filter for the Happy99.exe worm - same sort
of length and config, but it had the advantage that Happy99 puts a
particular header into a message so detecting it gets rather fewer
false positives. You should be able to work out what's needed from the
anti-virus products' web sites, but if you want me to provide the recipe
then contact me and I'll look it out.

    Nigel.
-- 
[ Nigel Metheringham                  Nigel.Metheringham@??? ]
[ Phone: +44 1423 850000                         Fax +44 1423 858866 ]




--
*** Exim information can be found at http://www.exim.org/ ***
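
Added example, not part of the original message: a dry run of the subject test over the Exim main log, to gauge prevalence and false positives before enabling the fail rule. It assumes subjects are logged as a T="..." field on arrival (<=) lines, as Exim 4 does with log_selector = +subject; the sample log lines and the scan_log/sample_log names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of Exim main-log lines (addresses and ids are made up).
sample_log() {
cat <<'EOF'
1999-03-29 09:14:02 10RabC-0001Xy-00 <= alice@example.com H=mx.example.com [192.0.2.10] P=esmtp S=41233 T="Important Message From Alice Example"
1999-03-29 09:14:03 10RabC-0001Xy-00 => bob@example.org D=localuser T=local_delivery
1999-03-29 09:20:41 10RabD-0001Zz-00 <= carol@example.net H=mx.example.net [192.0.2.20] P=esmtp S=2210 T="Re: [EXIM] filter question"
1999-03-29 09:31:17 10RabE-0002Ab-00 <= pa@example.org H=mx.example.org [192.0.2.30] P=esmtp S=1802 T="IMPORTANT MESSAGE FROM the directors office"
1999-03-29 09:40:05 10RabF-0002Cd-00 <= dave@example.com H=mx.example.com [192.0.2.10] P=esmtp S=3120 T="Fwd: important message from accounts"
EOF
}

# scan_log count : print "<hits> <arrivals>" for the log on stdin
# scan_log list  : print message id, sender and subject of each hit for review
scan_log() {
  awk -v mode="$1" -v prefix='important message from ' '
    $4 == "<=" {                       # arrival lines only, not deliveries
      total++
      i = index($0, " T=\"")           # locate the logged subject field
      if (i == 0) next                 # subject not logged on this line
      subj = substr($0, i + 4)         # text after the opening quote
      # Exim filter string tests such as "begins" ignore case, so the
      # dry run compares in lower case to match what the filter would hit.
      if (index(tolower(subj), prefix) == 1) {
        hits++
        if (mode == "list") print $3, $5, "T=\"" subj
      }
    }
    END { if (mode == "count") printf "%d %d\n", hits, total }
  '
}

# Stand-alone run on the constructed sample.
sample_log | scan_log count
sample_log | scan_log list
```

On a real system, feed the main log to scan_log instead of sample_log and read the listed hits by hand; a line like the fourth sample is the kind of false positive the message warns about.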