Re: [Exim] I LOVE YOU - Virus-Filter?

Author: Richard Leyton
Date:  
To: Dirk Koopman
CC: Andromeda, Exim
New subjects: [Exim] Filtering
Subject: Re: [Exim] I LOVE YOU - Virus-Filter?
On Thu, May 04, 2000 at 01:24:31PM +0100, Dirk Koopman wrote:
> On 04-May-2000 Andromeda wrote:
> >if ($message_body CONTAINS "LOVE-LETTER-FOR-YOU.TXT.vbs" and
> >    $message_body_size is above 5k) then
> >   freeze
> >endif

>
> if ($message_body CONTAINS ".vbs")
> then
>    freeze
> endif

>
> I would have thought the above was a pretty good standard to have these days.
> Does anyone send uncompressed vbs files about legitimately? What about adding
> other executable suffixes to the list? Any suggestions?


Agreed entirely in principle; however, this e-mail would be rejected with
that filter, which isn't good. So I've just dropped this (modified
version) in:

# The string escapes give the regex  name=".*\.vbs"  (dot escaped so it only
# matches a literal ".vbs"). Long strings are continued with a trailing
# backslash, as in the logwrite line, so the fail text stays one string.
if ($message_body matches "name=\".*\\.vbs\"")
then
        logfile /var/log/exim/exim_filterlog
        logwrite "$tod_log $message_id \
        $sender_address ($sender_host_name[$sender_host_address]) \
        => $recipients (recipients=$recipients_count) \
        subject=$header_subject"

        fail text "your e-mail appears to contain a visual basic script.\
        \nthese are a major source of viruses, and your e-mail has been \
        rejected.\nContact the recipient directly to discuss how to deliver the \
        script if necessary,\nor the beenz postmaster if your mail has been \
        incorrectly rejected (postmaster@???).\n"
endif


The MIME attachments are therefore picked up, where the raw e-mail
looks something like this:

Content-Type: application/x-msexcel;
        name="someickyscript.vbs"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="someickyscript.vbs"


Anybody got any non-MIME attachment suggestions? Does Outlook execute
only .vbs, or other types of attachment as well? We had a brief debate
about .exe files too, but, well, that might be more problematic and troublesome.

We can see no reason to have Visual Basic scripts being
sent around, especially with two major virus epidemics based on
the horrors of micro$oft outlook...

Great to see the Exim list being used to such good effect to tackle this
problem within hours of it becoming a problem. Take a look at this:

http://news.bbc.co.uk/hi/english/uk/newsid_736000/736080.stm

regards,

richard,

--
Richard Leyton           | http://www.beenz.com - The web's currency.
mailto:richard@beenz.com | Public (OpenPGP) Key #C603EEB7 
Tel: +44 (0)207 886 0732 |
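As an added example (not from the post, and not Exim's own code), the Python script below contrasts the filter's approach, a regex run over what Exim exposes in $message_body, with a check that parses the MIME structure and reads every leaf part's name= and filename= parameters. Two caveats a practitioner should know drive the sample messages: Exim's $message_body holds only the first message_body_visible bytes of the body (500 by default), so a long text part in front of the attachment pushes the `name=` header out of the window the regex sees; and an RFC 2231 encoded parameter (`filename*=utf-8''...`) never contains the literal `name="` the regex looks for, although a client decodes it to the same .vbs name. The sample messages are constructed inline, shaped like the raw e-mail quoted above; the suffix list beyond .vbs and .exe, the 500-byte approximation of $message_body and the example.invalid addresses are assumptions.

```python
"""Added example (not from the post): compare the post's body regex with a
MIME-parsing check for script attachments."""
import email
import re
from email.utils import collapse_rfc2231_value

# Extensions that Outlook-era clients hand to the script host or shell.
# Assumed list: the thread only names .vbs and .exe; tune to local policy.
SCRIPT_SUFFIXES = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                   ".exe", ".scr", ".pif", ".bat", ".cmd")

# The post's regex name=".*.vbs", with the dot escaped as it was meant.
NAIVE_PATTERN = re.compile(r'name=".*\.vbs"', re.IGNORECASE | re.DOTALL)


def build_message(text_line, repeat, ctype_param, disp_param):
    """Construct a multipart message shaped like the raw e-mail in the post.
    Sample data only; the attachment payload is an arbitrary base64 string."""
    text = "\n".join([text_line] * repeat)
    return (
        "From: sender@example.invalid\n"
        "To: victim@example.invalid\n"
        "Subject: test\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        f"{text}\n"
        "--b1\n"
        "Content-Type: application/x-msexcel;\n"
        f"        {ctype_param}\n"
        "Content-Transfer-Encoding: base64\n"
        "Content-Disposition: attachment;\n"
        f"        {disp_param}\n"
        "\n"
        "T24gRXJyb3IgUmVzdW1lIE5leHQK\n"
        "--b1--\n"
    ).encode("ascii")


def exim_style_body(raw, visible=500):
    """Approximate Exim's $message_body: the bytes after the header block,
    cut to message_body_visible (default 500), newlines turned into spaces."""
    _, _, body = raw.partition(b"\n\n")
    return body[:visible].replace(b"\n", b" ").decode("ascii", "replace")


def naive_filter_matches(raw, visible=500):
    """What the post's filter condition sees: the regex over $message_body."""
    return NAIVE_PATTERN.search(exim_style_body(raw, visible)) is not None


def attachment_names(raw):
    """Every name= / filename= parameter on every leaf MIME part, with
    RFC 2231 encoded parameters decoded and duplicates removed."""
    msg = email.message_from_bytes(raw)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        found = [part.get_filename()]          # Content-Disposition, then name=
        ctype_name = part.get_param("name")    # Content-Type name= explicitly
        if ctype_name is not None:
            found.append(collapse_rfc2231_value(ctype_name))
        for name in found:
            if name and name not in names:
                names.append(name)
    return names


def script_attachments(raw):
    """Attachment names ending in a script/executable suffix, case-insensitive."""
    return [n for n in attachment_names(raw)
            if n.lower().endswith(SCRIPT_SUFFIXES)]


VBS = "LOVE-LETTER-FOR-YOU.TXT.vbs"
# 1. Short text, then the attachment: both checks fire.
PLAIN = build_message("hello", 1, f'name="{VBS}"', f'filename="{VBS}"')
# 2. About 700 bytes of text first: name= lies outside the 500-byte window.
LONG_PREAMBLE = build_message("x" * 60, 12, f'name="{VBS}"', f'filename="{VBS}"')
# 3. RFC 2231 encoded parameters: no literal name=" anywhere for the regex.
ENCODED = build_message("hello", 1,
                        "name*=utf-8''LOVE-LETTER-FOR-YOU.TXT%2Evbs",
                        "filename*=utf-8''LOVE-LETTER-FOR-YOU.TXT%2Evbs")
# 4. A spreadsheet: neither check should fire.
CLEAN = build_message("hello", 1, 'name="report.xls"', 'filename="report.xls"')

if __name__ == "__main__":
    for label, raw in [("plain", PLAIN), ("long preamble", LONG_PREAMBLE),
                       ("rfc2231", ENCODED), ("clean", CLEAN)]:
        print(f"{label:14} regex={naive_filter_matches(raw)!s:5} "
              f"parsed={script_attachments(raw)}")
```

The regex catches the plain case only; the parsed check flags all three .vbs messages and passes the spreadsheet. On a real gateway the same idea is to run a MIME-aware scanner (or raise message_body_visible enough to cover the attachment headers) rather than trusting a 500-byte window.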