Re: [Exim] I LOVE YOU - Virus-Filter?

Author: Chad Leigh, Pengar Enterprises, Inc. and Shire.Net LLC
Date:  
To: exim-users
Subject: Re: [Exim] I LOVE YOU - Virus-Filter?
Hi

Using exim 2.04 I set up the following. Works well for original messages,
but if I bounce a message (i.e. resend it) it gets through. The SUBJECT
header is still "ILOVEYOU" on a resend/bounce. All the original headers
are there plus some "Resent-*" headers. I went and was reading through
the 2.0 docs and didn't see anything there to catch this?

Thanks
Chad


--On Thursday, May 4, 2000 1:09 PM +0100 Richard Leyton <richard@???>
wrote:

> Hi all,
>
> F-Secure have a good description: http://www.fsecure.com/v-descs/love.htm
>
> Here's the one I've dropped in for this incident, and another recent
> virus which resulted in 'Check this' e-mails zooming about:
>
> # Exim filter
> if $h_subject begins "Check this"  and not error_message
> then
>         fail text "you appear to have a virus on your PC. Check your
> system."
> endif
>
> if $h_subject begins "ILOVEYOU" and not error_message
> then
>         fail text "you appear to have a virus on your PC (see
> http://www.fsecure.com/v-descs/love.htm). Check your system, or rephrase
> the subject"
> endif
>
> with, of course, the following configuration entry:
>
> ###
> # System filter
> ###
> message_filter = /usr/exim/filters/central-filter
>
> Nasty little beast this. Looking at the logs, we've stopped distribution
> of this virus by two individuals already...
>
> Well worth doing, as it sounds like this virus is tearing its way
> around the internet at the moment.
>
> Regards,
>
> Richard.
>
>
>
> On Thu, May 04, 2000 at 01:01:44PM +0100, Jeffrey Goldberg wrote:
>> On Thu, 4 May 2000, Georg v. Zezschwitz wrote:
>>
>> > as I've never worked with Exim Mailfilters so far, has anybody
>> > a line of filter code ready to drop the "I LOVE YOU"-virus?
>>
>> This is my first system filter, and I did have trouble with a more
>> complex condition so settled on
>>
>> ====================================
>> # Exim filter
>>
>> #if ($message_body CONTAINS "LOVE-LETTER-FOR-YOU.TXT.vbs" and
>> #    $message_body_size is above 5k) then
>> #   freeze
>> #endif
>>
>> if ($h_subject: IS ILOVEYOU) then
>>            freeze  text "Suspected ILOVEYOU virus"
>> endif
>> ====================================
>>
>> But we are a relatively small site so can deal with false positives.
>>
>> If others produce better filters, please post.
>>
>> -j
>>
>> --
>> Jeffrey Goldberg                +44 (0)1234 750 111 x 2826
>>  Cranfield Computer Centre      FAX         751 814
>>  J.Goldberg@???
>>  http://WWW.Cranfield.ac.uk/public/cc/cc047/ Relativism is the triumph
>> of authority over truth, convention over justice.
>>
>>
>> --
>> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim
>> details at http://www.exim.org/ ##
>
> --
> Richard Leyton           | http://www.beenz.com - The web's currency.
> mailto:richard@beenz.com | Public (OpenPGP) Key #C603EEB7
> Tel: +44 (0)207 886 0732 |




Pengar Enterprises, Inc. and Shire.Net LLC
Web and Macintosh Consulting -- full service web hosting
Chad Leigh    
chad@???            chad@???
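The three filters quoted in this thread (Richard's `begins` checks on the Subject header with the `error_message` exclusion, Jeffrey's `IS ILOVEYOU` freeze and his commented-out attachment-name check) and Chad's question about resent copies can be exercised outside Exim. The following Python script is an added example, not any poster's filter and not Exim filter syntax: it applies the same subject and attachment indicators to constructed sample messages, including one carrying `Resent-*` headers, a case variant of the subject, a message whose subject was rephrased but which still carries the attachment, and an MTA bounce. The `envelope_sender` parameter is an assumption standing in for Exim's `error_message` condition (a bounce has an empty envelope sender); the addresses use the reserved `example.invalid` domain and the attachment content is a placeholder string.

```python
# Added example: the subject/attachment checks from the quoted Exim system
# filters, reimplemented in Python over constructed sample messages.
from email import message_from_string
from email.message import Message

# Indicators taken from the thread: subject prefixes the posted filters reject,
# and the attachment name Jeffrey's commented-out body check looked for.
SUBJECT_PREFIXES = ("ILOVEYOU", "Check this")
ATTACHMENT_NAMES = ("LOVE-LETTER-FOR-YOU.TXT.vbs",)


def attachment_names(msg: Message):
    """Yield the filename of every part that carries one (multipart-aware)."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name


def classify(raw: str, envelope_sender: str):
    """Return (action, reason) in the spirit of the posted system filters.

    envelope_sender is the SMTP MAIL FROM (assumed input). An empty one marks
    an MTA-generated bounce, which is what Exim's error_message condition
    tests for; the posted filters skip those so a bounce is never bounced.
    """
    msg = message_from_string(raw)
    if envelope_sender == "":
        return ("deliver", "error_message: skipped")
    # Exim's lower-case 'begins' is case-insensitive; Jeffrey's upper-case
    # 'IS' is case-sensitive and would let 'IloveYou' through, so match
    # case-insensitively here.
    subject = (msg.get("Subject") or "").strip().lower()
    for prefix in SUBJECT_PREFIXES:
        if subject.startswith(prefix.lower()):
            return ("fail", f"subject begins {prefix!r}")
    # Second, subject-independent signal: the worm's attachment name. This is
    # what still catches a copy whose subject was rephrased.
    wanted = {n.lower() for n in ATTACHMENT_NAMES}
    for name in attachment_names(msg):
        if name.lower() in wanted:
            return ("freeze", f"attachment {name!r}")
    return ("deliver", "no indicator matched")


def _multipart(extra_headers: str, subject: str, attachment: str) -> str:
    """Build a constructed two-part message: text body plus a named attachment."""
    return (
        f"{extra_headers}"
        "From: alice@example.invalid\r\n"
        "To: bob@example.invalid\r\n"
        f"Subject: {subject}\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n--b1\r\n"
        "Content-Type: text/plain\r\n\r\n"
        "constructed body text\r\n"
        "--b1\r\n"
        "Content-Type: application/octet-stream\r\n"
        f'Content-Disposition: attachment; filename="{attachment}"\r\n\r\n'
        "placeholder bytes, not worm content\r\n"
        "--b1--\r\n"
    )


# Constructed samples: (raw message, envelope sender).
RESENT_HEADERS = (
    "Resent-From: carol@example.invalid\r\n"
    "Resent-To: dave@example.invalid\r\n"
    "Resent-Date: Thu, 4 May 2000 14:00:00 +0100\r\n"
)
SAMPLES = {
    "original": (_multipart("", "ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
                 "alice@example.invalid"),
    # Chad's case: same Subject, plus Resent-* headers from a bounce/resend.
    "resent": (_multipart(RESENT_HEADERS, "ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
               "carol@example.invalid"),
    "case_variant": (_multipart("", "IloveYou", "notes.txt"), "alice@example.invalid"),
    # Subject rephrased as Richard's fail text suggests, attachment kept.
    "rephrased": (_multipart("", "Re: hi", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
                  "alice@example.invalid"),
    # MTA bounce quoting the original: empty envelope sender, so skipped.
    "bounce": (_multipart("", "Mail delivery failed: returning message to sender",
                          "LOVE-LETTER-FOR-YOU.TXT.vbs"), ""),
    "clean": (_multipart("", "Lunch on Friday?", "agenda.txt"), "alice@example.invalid"),
}


def run_all():
    """Classify every sample; returns {name: (action, reason)}."""
    return {name: classify(raw, sender) for name, (raw, sender) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:13s} -> {verdict}")
```

The header check matches the resent copy exactly as it matches the original, since `Resent-*` headers are added alongside the existing `Subject`, not in place of it; the attachment-name check is the one that survives a rephrased subject, and the `error_message` skip is what keeps the filter from rejecting bounces that quote the worm back to the sender.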