Re: [Exim] Generic VBS script detection

Top Page

Reply to this message
Author: Alan Thew
Date:  
To: Jeffrey Goldberg
CC: Nigel Metheringham, Exim
Subject: Re: [Exim] Generic VBS script detection
On Fri, 5 May 2000 13:30 , Jeffrey Goldberg <J.Goldberg@???> said:

>On Fri, 5 May 2000, Nigel Metheringham wrote:
>
>> Its been suggest to me that we try and restrict this filter to stuff
>> that has a chance of matching...
>
>>    if $h_content-type: contains multipart/mixed


what about

Content-Type: application/octet-stream; name="LOVE-L~1.VBS"

??
>
>You might also wish to check for $message_size. I have assumed that
>anything nasty will take some space.
>
>Also, I have not been checking uuencode stuff at all, and have been sloppy
>with the RE in that I don't really care if a quoted filename has a
>trailing quote or not, so what I am currently running is
>
>===================================
># Exim filter
>
>logfile /var/spool/exim/log/filter_log
>
>if (first_delivery and not error_message and $message_size is above 6k)
>then
> if ($h_subject: IS ILOVEYOU) then
>           freeze  text "Suspected ILOVEYOU virus"
> elif
>     $message_body matches
>        "\\\\b(?:file)?name=(\"[^\"]+|\\\\S+)\\\\.txt\\\\.vb[se]\\\\b" then
>           freeze text "May contain surrupticious VBscript attachment"
> elif
>     $message_body matches
>        "\\\\b(?:file)?name=(\"[^\"]+|\S+)\\\\.vb[se]\\\\b" then
>           freeze text "May contain VBScript attachment"
> endif
>endif  
>===================================

>
>The obvious cost of the if ... elif ... elif ... endif stuff in the middle
>that three conditions are checked for every message that is ok but meets
>the outer condition. I don't know the pcre/exim internals to know whether
>the first check causes a "study" of the text.
>
>I have tried to set this so that the least expensive conditions are done
>first. I will add the header content type condition to the outer
>condition.
>
>The problem is that I may wish to freeze on some of these and fail on
>others.
>
>A point should be made about a much earlier query about "best" filter.
>
>If you are a small site or a site with staff who will deal with frozen
>messages in a reasonable time, then you may wish to freeze messages be
>willing to accept some false positives.
>
>If you are a large site, you may wish to fail messages, in which case
>false positives are a different concern.
>
>Finally, your acceptence of false positives and false negatives depends on
>the portion of Outlook and other vulnerable users you have.
>
>So the question of the "best" filter is highly site dependent.
>
>-j
>
>-- 
>Jeffrey Goldberg                +44 (0)1234 750 111 x 2826
> Cranfield Computer Centre      FAX         751 814
> J.Goldberg@???     http://WWW.Cranfield.ac.uk/public/cc/cc047/
>Relativism is the triumph of authority over truth, convention over justice.

>
>
>--
>## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
>





Received: from mailhub2.abdn.ac.uk ([139.133.7.24] helo=abdn.ac.uk)
    by exim-colo-01.whoc.theplanet.co.uk with esmtp (Exim 3.13 #1)
    id 12nk8o-00047G-00
    for exim-users@???; Fri, 05 May 2000 16:35:46 +0100
Received: from aucc.cc.abdn.ac.uk (aucc.cc.abdn.ac.uk [139.133.216.221])
    by abdn.ac.uk (8.9.3/8.9.3) with SMTP id QAA26756
    for <exim-users@???>; Fri, 5 May 2000 16:34:26 +0100 (BST)
From: sys044@???
Date: Fri, 5 May 2000 16:34:26 +0100
Message-Id: <S200005051534.QAA26790@???>
To: exim-users@???
Subject: [Exim] LMTP
Sender: exim-users-admin@???
Errors-To: exim-users-admin@???
X-BeenThere: exim-users@???
X-Mailman-Version: 2.0beta2
Precedence: bulk
List-Id: A user list for the exim MTA <exim-users.exim.org>


I think I remember some reference to LMTP being available in EXIM for
delivering mail, instead of SMTP, for local mail servers. However on
searching for information I cannot find anything.

Is it supported? How is it used? Which port does it use? Where is the
documentation (page number).

John Linn (j.linn@???)