Re: [Exim] Generic VBS script detection - filter attached

Top Page
Delete this message
Reply to this message
Author: Nigel Metheringham
Date:  
To: Exim
Old-Topics: Re: [Exim] Generic VBS script detection
Subject: Re: [Exim] Generic VBS script detection - filter attached
I reverted to the original form for various reasons, some of which
probably would not hold up past a rewritten version message_body that
is more efficient :-)

The filter is attached.
Its also at:-
    ftp://ftp.exim.org/pub/filter/system_filter.exim


so you can avoid the mangling that mailers are bound to apply :-)

Seems to work on current tests, no guarantees. It does catch the forms
I saw yesterday.

It did show up some interesting things about exim's parsing - looks
like () have to be within quotes or the parser falls over.

    Nigel.


# Exim filter

#
# Only run any of this stuff on the first pass through the
# filter - this is an optomisation for messages that get
# queued and have serveral delivery attempts
#
# we express this in reverse so we can just bail out
# on inappropriate messages
if error_message or not first_delivery
then
finish
endif


# Attempt to catch embedded VBS attachments
# in emails.   These were used as the basis for 
# the ILOVEYOU virus and its variants
#
if $message_body matches "(?:Content-(?:Type:\\\\s*application/octet-stream|Disposition:\\\\s*attachment);\\\\s*(?:file)?name=|begin\\\\s+[0-7]{3,4}\\\\s+)(\"[^\"]+\\\\.(?:vbs|vbe|wsh|js|jse|exe|com|bat)\"|[\\\\w.-]+\\\\.(?:vbs|vbe|wsh|js|jse|exe|com|bat))[\\\\s;]"
then
  fail text "This message has been rejected because it has\n\
         \tan apparently executable attachment $1\n\
         \tThis form of attachment has been used by\n\
             \trecent viruses such as that described in\n\
         \thttp://www.fsecure.com/v-descs/love.htm\n\
         \tIf you meant to send this file then please\n\
         \tpackage it up as a zip file and resend it."
  seen finish
endif

[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham                  Nigel.Metheringham@??? ]
[ Phone: +44 1423 850000                         Fax +44 1423 858866 ]