Hi all,
F-Secure have a good description:
http://www.fsecure.com/v-descs/love.htm
Here's the one I've dropped in for this incident, and another recent
virus which resulted in 'Check this' e-mails zooming about:

# Exim filter
if $h_subject begins "Check this" and not error_message
then
  fail text "you appear to have a virus on your PC. Check your system."
endif
if $h_subject begins "ILOVEYOU" and not error_message
then
  fail text "you appear to have a virus on your PC (see http://www.fsecure.com/v-descs/love.htm). Check your system, or rephrase the subject"
endif

with, of course, the following configuration entry:

###
# System filter
###
message_filter = /usr/exim/filters/central-filter

Nasty little beast this. Looking at the logs, we've stopped distribution
of this virus by two individuals already...
Well worth doing, as it sounds like this virus is tearing its way
around the internet at the moment.
Regards,
Richard.
On Thu, May 04, 2000 at 01:01:44PM +0100, Jeffrey Goldberg wrote:
> On Thu, 4 May 2000, Georg v. Zezschwitz wrote:
>
> > as I've never worked with Exim Mailfilters so far, has anybody
> > a line of filter code ready to drop the "I LOVE YOU"-virus?
>
> This is my first system filter, and I did have trouble with a more
> complex condition so settled on
>
> ====================================
> # Exim filter
>
> #if ($message_body CONTAINS "LOVE-LETTER-FOR-YOU.TXT.vbs" and
> # $message_body_size is above 5k) then
> # freeze
> #endif
>
> if ($h_subject: IS ILOVEYOU) then
> freeze text "Suspected ILOVEYOU virus"
> endif
> ====================================
>
> But we are a relatively small site so can deal with false positives.
>
> If others produce better filters, please post.
>
> -j
>
> --
> Jeffrey Goldberg +44 (0)1234 750 111 x 2826
> Cranfield Computer Centre FAX 751 814
> J.Goldberg@??? http://WWW.Cranfield.ac.uk/public/cc/cc047/
> Relativism is the triumph of authority over truth, convention over justice.
>
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
--
Richard Leyton | http://www.beenz.com - The web's currency.
mailto:richard@beenz.com | Public (OpenPGP) Key #C603EEB7
Tel: +44 (0)207 886 0732 |
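
An added example, not part of the original posts or of Exim: a Python model of the tests discussed in this thread, run over constructed messages to show where subject matching misses or over-matches. The helper names, the sample messages and the MIME attachment-name check (standing in for the commented-out $message_body test) are assumptions.

```python
from email.message import EmailMessage

WORM_ATTACHMENT = "LOVE-LETTER-FOR-YOU.TXT.vbs"  # file name quoted in the thread

def make(subject, attachment=None):
    """Build a constructed sample message (no real worm content)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("constructed sample body")
    if attachment:
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg

def verdicts(msg, envelope_sender):
    """Return which of the three tests would act on this message."""
    subject = msg["Subject"] or ""
    bounce = envelope_sender == ""  # models Exim's error_message condition
    names = [part.get_filename() or "" for part in msg.walk()]
    return {
        # lower-case 'begins' ignores case; bounces are exempt
        "begins": subject.lower().startswith("iloveyou") and not bounce,
        # upper-case 'IS' is an exact, case-sensitive match
        "is": subject == "ILOVEYOU",
        # assumption: match the MIME attachment name, not $message_body
        "attachment": any(n.lower() == WORM_ATTACHMENT.lower() for n in names),
    }

# Constructed samples: (message, envelope sender)
SAMPLES = {
    "original": (make("ILOVEYOU", WORM_ATTACHMENT), "user@example.com"),
    "forwarded": (make("Fw: ILOVEYOU", WORM_ATTACHMENT), "user@example.com"),
    "benign": (make("Iloveyou too, see you Friday"), "friend@example.org"),
    "bounce": (make("ILOVEYOU"), ""),
}

def run():
    return {name: verdicts(msg, sender)
            for name, (msg, sender) in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in run().items():
        print(f"{name:10} {result}")
```

The forwarded copy slips past both subject tests while the benign message trips the caseless prefix test, which is the false-positive trade-off mentioned in the quoted reply.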