Re: [Exim] I LOVE YOU - Virus-Filter?

Author: Nigel Metheringham
Date:  
To: Derrick MacPherson
CC: Exim Users List
Subject: Re: [Exim] I LOVE YOU - Virus-Filter?
derrick@??? said:
> What seems to be the 'final verdict', or best guess to deal with this?


My approach has been to throw in a subject based filter for now.
However I think that within days some script kids will do a warmed over
version with new subjects or more cleverly with changing subjects (ie
just pinch them out of messages in the in/outbox) and we'll have an
even more interesting problem, so as soon as the VBS filter discussion
settles I am going to take that and use it.

Current filter, as stolen from earlier messages is:-
      # exim filter
      # -----------
      # Put this in your system filter - say
      # /etc/exim/system_filter.exim
      #
      if $h_subject begins "ILOVEYOU" and not error_message
      then
          fail text "you appear to have a virus on 
              your PC (see http://www.fsecure.com/v-descs/love.htm).\n
              Check your system, or rephrase the subject"
      endif


You need to call this filter from your config file, so add

      message_filter = /etc/exim/system_filter.exim 


Just to give you a giggle, one site that the exim list delivers to has
been bouncing mail this afternoon:-

    From: postmaster@???
    Subject: Network Associates Webshield -  e-mail Content Alert


    Network Associates WebShield SMTP V4.5 on eximc-3 intercepted a mail
    from <exim-users-admin@???> which caused the Content Filter
    Block ILOVEYOU virus to be triggered.


I think that false positives a little...

    Nigel.
-- 
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham                  Nigel.Metheringham@??? ]
[ Phone: +44 1423 850000                         Fax +44 1423 858866 ]
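
Added example, not part of the original message: a Python sketch that runs three rule styles over constructed sample mail, to show the subject rule missing a re-subjected copy and a body-content rule flagging list discussion, as in the WebShield bounce quoted above. The rule functions, message contents and the attachment name are assumptions made for the illustration; the bounce handling (`not error_message`) of the Exim filter is not modelled.

```python
from email.message import EmailMessage

def subject_rule(msg):
    """Counterpart of the posted filter: Subject begins with ILOVEYOU (case-insensitive here)."""
    return str(msg["Subject"] or "").strip().upper().startswith("ILOVEYOU")

def body_rule(msg):
    """Naive content rule: the string appears anywhere in a text part."""
    return any("ILOVEYOU" in part.get_content().upper()
               for part in msg.walk()
               if part.get_content_maintype() == "text")

def vbs_rule(msg):
    """Attachment rule: any part whose filename ends in .vbs."""
    return any((part.get_filename() or "").lower().endswith(".vbs")
               for part in msg.walk())

def make(subject, body, attachment=None):
    """Build a constructed test message; the attachment bytes are an inert placeholder."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"' constructed placeholder, not a script\n",
                           maintype="application", subtype="octet-stream",
                           filename=attachment)
    return msg

# Constructed samples: the original subject, a re-subjected copy, and list discussion.
SAMPLES = {
    "original": make("ILOVEYOU", "kindly check the attached", "sample.TXT.vbs"),
    "new_subject": make("Meeting notes", "kindly check the attached", "sample.TXT.vbs"),
    "list_mail": make("Re: [Exim] I LOVE YOU - Virus-Filter?",
                      'if $h_subject begins "ILOVEYOU" and not error_message'),
}

def verdicts():
    """Return {sample: (subject_rule, body_rule, vbs_rule)} for every sample."""
    return {name: (subject_rule(m), body_rule(m), vbs_rule(m))
            for name, m in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in verdicts().items():
        print(f"{name:12} subject={result[0]} body={result[1]} vbs={result[2]}")
```
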