Re: [Exim] Generic VBS script detection

Top Page

Reply to this message
Author: Alan Thew
To: Jeffrey Goldberg
CC: Nigel Metheringham, Exim
Subject: Re: [Exim] Generic VBS script detection
On Fri, 5 May 2000 13:30 , Jeffrey Goldberg <J.Goldberg@???> said:

>On Fri, 5 May 2000, Nigel Metheringham wrote:
>> Its been suggest to me that we try and restrict this filter to stuff
>> that has a chance of matching...
>>    if $h_content-type: contains multipart/mixed

what about

Content-Type: application/octet-stream; name="LOVE-L~1.VBS"

>You might also wish to check for $message_size. I have assumed that
>anything nasty will take some space.
>Also, I have not been checking uuencode stuff at all, and have been sloppy
>with the RE in that I don't really care if a quoted filename has a
>trailing quote or not, so what I am currently running is
># Exim filter
>logfile /var/spool/exim/log/filter_log
>if (first_delivery and not error_message and $message_size is above 6k)
> if ($h_subject: IS ILOVEYOU) then
>           freeze  text "Suspected ILOVEYOU virus"
> elif
>     $message_body matches
>        "\\\\b(?:file)?name=(\"[^\"]+|\\\\S+)\\\\.txt\\\\.vb[se]\\\\b" then
>           freeze text "May contain surrupticious VBscript attachment"
> elif
>     $message_body matches
>        "\\\\b(?:file)?name=(\"[^\"]+|\S+)\\\\.vb[se]\\\\b" then
>           freeze text "May contain VBScript attachment"
> endif

>The obvious cost of the if ... elif ... elif ... endif stuff in the middle
>that three conditions are checked for every message that is ok but meets
>the outer condition. I don't know the pcre/exim internals to know whether
>the first check causes a "study" of the text.
>I have tried to set this so that the least expensive conditions are done
>first. I will add the header content type condition to the outer
>The problem is that I may wish to freeze on some of these and fail on
>A point should be made about a much earlier query about "best" filter.
>If you are a small site or a site with staff who will deal with frozen
>messages in a reasonable time, then you may wish to freeze messages be
>willing to accept some false positives.
>If you are a large site, you may wish to fail messages, in which case
>false positives are a different concern.
>Finally, your acceptence of false positives and false negatives depends on
>the portion of Outlook and other vulnerable users you have.
>So the question of the "best" filter is highly site dependent.
>Jeffrey Goldberg                +44 (0)1234 750 111 x 2826
> Cranfield Computer Centre      FAX         751 814
> J.Goldberg@???
>Relativism is the triumph of authority over truth, convention over justice.

>## List details at Exim details at ##

Received: from ([]
    by with esmtp (Exim 3.13 #1)
    id 12nk8o-00047G-00
    for exim-users@???; Fri, 05 May 2000 16:35:46 +0100
Received: from ( [])
    by (8.9.3/8.9.3) with SMTP id QAA26756
    for <exim-users@???>; Fri, 5 May 2000 16:34:26 +0100 (BST)
From: sys044@???
Date: Fri, 5 May 2000 16:34:26 +0100
Message-Id: <S200005051534.QAA26790@???>
To: exim-users@???
Subject: [Exim] LMTP
Sender: exim-users-admin@???
Errors-To: exim-users-admin@???
X-BeenThere: exim-users@???
X-Mailman-Version: 2.0beta2
Precedence: bulk
List-Id: A user list for the exim MTA <>

I think I remember some reference to LMTP being available in EXIM for
delivering mail, instead of SMTP, for local mail servers. However on
searching for information I cannot find anything.

Is it supported? How is it used? Which port does it use? Where is the
documentation (page number).

John Linn (j.linn@???)