Re: [Exim] I LOVE YOU - Virus-Filter?

Author: Carl Horne
Date:  
To: derrick, Nigel.Metheringham
CC: exim-users
Subject: Re: [Exim] I LOVE YOU - Virus-Filter?
I have tried to get this code to work. My problem is I am filling in
for the person that would normally do these things and I do not have the
skill set he has.

I get a message something like "unexpect end of file" when I run the
code outside the config. When I tried putting it in the configure file
I got a message about the "message_filter =
/etc/exim/system_filter.exim" line.

Can someone give more detailed instructions on how to implement this
filter? Where in the configure file should I put the code? Do I just
run an "exim restart" to implement the code?

I realize these are newbie questions and I apologize in advance.

>>> Nigel Metheringham <Nigel.Metheringham@???> 05/04/00 10:38AM >>>

derrick@??? said:
> What seems to be the 'final verdict', or best guess to deal with this?

My approach has been to throw in a subject based filter for now.
However I think that within days some script kids will do a warmed over
version with new subjects or more cleverly with changing subjects (ie
just pinch them out of messages in the in/outbox) and we'll have an
even more interesting problem, so as soon as the VBS filter discussion
settles I am going to take that and use it.

Current filter, as stolen from earlier messages is:-
      # exim filter
      # -----------
      # Put this in your system filter - say
      # /etc/exim/system_filter.exim
      #
      # Reject non-bounce mail whose Subject begins with "ILOVEYOU".
      # The fail text is a single quoted string on one line.
      if $h_subject begins "ILOVEYOU" and not error_message
      then
          fail text "you appear to have a virus on your PC (see http://www.fsecure.com/v-descs/love.htm).\nCheck your system, or rephrase the subject"
      endif


You need to call this filter from your config file, so add

      message_filter = /etc/exim/system_filter.exim 


Just to give you a giggle, one site that the exim list delivers to has
been bouncing mail this afternoon:-

    From: postmaster@??? 
    Subject: Network Associates Webshield -  e-mail Content Alert


    Network Associates WebShield SMTP V4.5 on eximc-3 intercepted a mail
    from <exim-users-admin@???> which caused the Content Filter
    Block ILOVEYOU virus to be triggered.


I think that false positives a little...

    Nigel.
-- 
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham                  Nigel.Metheringham@??? ]
[ Phone: +44 1423 850000                         Fax +44 1423 858866 ]




--
## List details at http://www.exim.org/mailman/listinfo/exim-users Exim
details at http://www.exim.org/ ##
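
Added example, not part of the original messages and not Exim code: a Python model of the trade-off discussed in this thread, comparing the posted subject-prefix rule with a hypothetical attachment-extension rule over constructed messages. The addresses, file names, the `.vbs` extension list and all function names are assumptions made for illustration.

```python
from email import message_from_string
from email.message import EmailMessage

def make(subject, filename=None):
    """Build a constructed sample message, optionally with one attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("constructed body")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()

def subject_rule(raw, envelope_sender):
    """Model of the posted rule: Subject begins "ILOVEYOU" and not error_message.
    Assumptions: a bounce is an empty envelope sender; the compare ignores case."""
    subject = (message_from_string(raw)["Subject"] or "").strip()
    return subject.upper().startswith("ILOVEYOU") and envelope_sender != ""

def attachment_rule(raw, extensions=(".vbs",)):
    """Hypothetical content rule: reject any attachment with a listed extension."""
    names = (p.get_filename() or "" for p in message_from_string(raw).walk())
    return any(n.lower().endswith(extensions) for n in names)

# Constructed samples: name -> (raw message, envelope sender)
SAMPLES = {
    "original": (make("ILOVEYOU", "letter.txt.vbs"), "a@example.com"),
    "new_subject": (make("Meeting notes", "letter.txt.vbs"), "a@example.com"),
    "discussion": (make("ILOVEYOU filter: which rule are you using?"), "a@example.com"),
    "bounce": (make("ILOVEYOU"), ""),
}

def evaluate():
    """Return {sample: (subject_rule_rejects, attachment_rule_rejects)}."""
    return {k: (subject_rule(raw, s), attachment_rule(raw))
            for k, (raw, s) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:12} subject={verdict[0]!s:5} attachment={verdict[1]}")
```

The `new_subject` sample passes the subject rule while still carrying the attachment, and the `discussion` sample is rejected by the subject rule although it carries nothing.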