Re: [Exim] Generic VBS script detection - filter attached

Author: robert rotman
Date:  
To: Nigel Metheringham
CC: Exim
Subject: Re: [Exim] Generic VBS script detection - filter attached

hi,

why did the ILOVEYOU virus pass through?

i sent a mail with the header:

--985893548-832319850-957462939=:25793
Content-Type: TEXT/PLAIN; charset=US-ASCII;
name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.3.96.1000504195539.25793B@???>
Content-Description:

-> here follows the uuencoded vb-script


why does it not match TEXT/PLAIN?


robert



On Fri, 5 May 2000, Nigel Metheringham wrote:

> I reverted to the original form for various reasons, some of which
> probably would not hold up past a rewritten version message_body that
> is more efficient :-)
>
> The filter is attached.
> It's also at:-
>     ftp://ftp.exim.org/pub/filter/system_filter.exim
>
> so you can avoid the mangling that mailers are bound to apply :-)
>
> Seems to work on current tests, no guarantees. It does catch the forms
> I saw yesterday.
>
> It did show up some interesting things about exim's parsing - looks
> like () have to be within quotes or the parser falls over.
>
>     Nigel.


---
di. robert rotman                                   inode.graz
phone -> ++43-(0)316 813141       ++43-(0)316 818600/15 <- fax
rotman@???                      http://www.graz.inode.at/
--
this letter was written on recycled bytes used by deleted mail.
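
An added example, not part of the original message and not the Exim filter it discusses: a Python check that unfolds a MIME part header like the one quoted above and tests the attachment name instead of trusting the declared Content-Type. The sample header is constructed from the one in the message with the continuation-line whitespace assumed; `inspect_part`, `naive_match`, the single-line pattern and the extension list are hypothetical choices made here.

```python
import re
from email.parser import HeaderParser

# Assumed extension list for this example; the thread itself only covers .vbs.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".wsf")

# Constructed sample: the part header from the message above, with the
# folding whitespace before name= restored (an assumption).
SAMPLE = (
    "Content-Type: TEXT/PLAIN; charset=US-ASCII;\n"
    ' name="LOVE-LETTER-FOR-YOU.TXT.vbs"\n'
    "Content-Transfer-Encoding: BASE64\n"
    "\n"
)

# Hypothetical single-line pattern (not the filter from this thread): it only
# fires when Content-Type and name= share one physical line.
NAIVE = re.compile(r'^Content-Type:.*name="?[^"\n]*\.vbs"?', re.I | re.M)


def naive_match(raw_headers):
    """True if the single-line pattern finds a .vbs name parameter."""
    return NAIVE.search(raw_headers) is not None


def inspect_part(raw_headers):
    """Return (declared_type, filename, is_script) for one MIME part header block.

    The stdlib parser unfolds continuation lines and reads the name from
    Content-Disposition filename= or, failing that, Content-Type name=.
    """
    part = HeaderParser().parsestr(raw_headers)
    declared = part.get_content_type()          # lower-cased, e.g. text/plain
    filename = part.get_filename() or ""
    # Windows drops trailing dots and spaces, so "x.vbs." still runs as .vbs.
    effective = filename.lower().rstrip(". ")
    return declared, filename, effective.endswith(SCRIPT_EXTENSIONS)


if __name__ == "__main__":
    print("single-line pattern:", naive_match(SAMPLE))
    print("unfolded parse:     ", inspect_part(SAMPLE))
```

The declared type is reported but plays no part in the decision, so a part labelled TEXT/PLAIN is still flagged when its name ends in a script extension.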