[Exim] system filter failed to block a virus

Author: Dr. Douglas Gray Stephens
Date:  
To: Exim-users
Subject: [Exim] system filter failed to block a virus
Hi,

Some of my mail comes via a machine running exim 3.13, with the exim
system_filter.exim version 0.09, with the visible message body
increased to 5000 in exim.conf

Today I received the snow white virus, and do not understand why exim
failed to block it.

The message was sent to
postmaster@???
as the exim log shows
68399:2001-02-14 10:04:28 14T4Pq-00071m-00 <= <> H=mail.hypercon.com [198.64.246.144] P=esmtp S=32382
68400:2001-02-14 10:04:28 14T4Pq-00071m-00 => gray@??? <postmaster@???> R=lookuphost T=remote_smtp H=baja-clear.austin.apc.slb.com [163.185.74.6]
68401:2001-02-14 10:04:29 14T4Pq-00071m-00 => osgroup@??? <postmaster@???> R=lookuphost T=remote_smtp H=asgaard.wan.cwomnes.net [192.23.66.14]
68402:2001-02-14 10:04:29 14T4Pq-00071m-00 -> controllers@??? <postmaster@???> R=lookuphost T=remote_smtp H=asgaard.wan.cwomnes.net [192.23.66.14]
68403:2001-02-14 10:04:29 14T4Pq-00071m-00 -> sromero@??? <postmaster@???> R=lookuphost T=remote_smtp H=asgaard.wan.cwomnes.net [192.23.66.14]
68404:2001-02-14 10:04:29 14T4Pq-00071m-00 => grilli@??? <postmaster@???> R=lookuphost T=remote_smtp H=pop.houston.omnes.slb.com [163.185.18.224]
68405:2001-02-14 10:04:29 14T4Pq-00071m-00 -> jennings@??? <postmaster@???> R=lookuphost T=remote_smtp H=pop.houston.omnes.slb.com [163.185.18.224]
68406:2001-02-14 10:04:29 14T4Pq-00071m-00 => fetterley@??? <postmaster@???> R=lookuphost T=remote_smtp H=pop.houston.omnes.slb.com [163.185.18.224]
68407:2001-02-14 10:04:29 14T4Pq-00071m-00 Completed

I have modified the name of the file from
joke.exe
to
j o k e . e x e
to stop this message triggering virus alarms.

The top of the message was
  Received: from baja-clear.austin.apc.slb.com (baja-clear.austin.apc.slb.com [163.185.74.6])
          by platinum1.cambridge.scr.slb.com (8.11.1/8.11.1/NC.V1.5) with ESMTP id f1EG4OU12148
          for <gray@???>; Wed, 14 Feb 2001 16:04:24 GMT
  Received: (from gray@localhost)
          by baja-clear.austin.apc.slb.com (8.9.3/8.9.3) id KAA20353
          for gray@???; Wed, 14 Feb 2001 10:04:28 -0600 (CST)
  Received: from mahler.houston.sinet.slb.com (mahler.houston.sinet.slb.com [163.185.18.230])
          by baja-clear.austin.apc.slb.com (8.9.3/8.9.3) with ESMTP id KAA20344
          for <gray@???>; Wed, 14 Feb 2001 10:04:27 -0600 (CST)
  Received: from mail.hypercon.com ([198.64.246.144])
          by mahler.houston.sinet.slb.com with esmtp (Exim 3.13 #1)
          id 14T4Pq-00071m-00
          for postmaster@???; Wed, 14 Feb 2001 10:04:26 -0600
  Received: from oemcomputer ([198.64.222.225]) by mail.hypercon.com
            (Post.Office MTA v3.1 release PO205e ID# 0-40161U5000L500S0)
            with SMTP id AAA929 for <postmaster@???>;
            Wed, 14 Feb 2001 10:02:53 -0600
  MIME-Version: 1.0
  Content-Type: multipart/mixed; boundary="--VE5UJCTYZOPYFWTMBGLI3O92FW1MB"
  Message-Id: <E14T4Pq-00071m-00@???>
  X-UIDL: c5037fc7758e757ab1eec19a6fa0a4f5
  From: Hahaha <hahaha@???>
  Subject: Snowhite and the Seven Dwarfs - The REAL story!
  Date: Wed, 14 Feb 2001 10:04:26 -0600


----VE5UJCTYZOPYFWTMBGLI3O92FW1MB
Content-Type: text/plain; charset="us-ascii"

Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and
polite with Snowhite. When they go out work at mornign, they promissed a
*huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven
Dwarfs enter...


----VE5UJCTYZOPYFWTMBGLI3O92FW1MB
Content-Type: application/octet-stream; name="j o k e . e x e"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="j o k e . e x e"

and to my mind this should have been matched by the filter
 # Attempt to catch embedded VBS attachments
 # in emails.   These were used as the basis for 
 # the ILOVEYOU virus and its variants
 # [vb_regexp]
 if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif))[\\\\s;]"
 then
   fail text "This message has been rejected because it has\n\
              \ta potentially executable attachment $1\n\
              \tThis form of attachment has been used by\n\
              \trecent viruses such as that described in\n\
              \thttp://www.fsecure.com/v-descs/love.htm\n\
              \tIf you meant to send this file then please\n\
              \tpackage it up as a zip file and resend it."
   seen finish
 endif



Do postmaster messages avoid the system filter or can someone explain
why this virus escaped the filter, or what I can do to debug the
issue?

Thanks in advance,

Douglas.

--

================================
Dr. Douglas GRAY STEPHENS        
SL-IT Security (Directories)
Schlumberger Cambridge Research
High Cross,
Madingley Road,
Cambridge.
CB3 0EL
ENGLAND


Phone +44 1223 325295
Fax +44 1223 311830
Email DGrayStephens@???
================================
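One way to debug a case like this offline, as an added example that is not part of the original post or of system_filter.exim: render the filter's [vb_regexp] test in Python, feed it only what the filter would actually see, and check whether the attachment header even falls inside the visible part of the body. It assumes (as a documented but here unverified emulation) that Exim exposes only the first message_body_visible bytes of the body in $message_body with newlines converted to spaces, and that the doubled backslashes in the quoted filter are Exim string escaping for a single backslash. The MIME body, the placeholder base64 payload and the text-part lengths are constructed for the demonstration.

```python
import re

# Python rendering of the [vb_regexp] test from system_filter.exim 0.09 as
# quoted above. Exim's escaped "\\s" is written as a single "\s" here, and the
# atomic groups "(?>\s*)" are written as plain "\s*", which match the same
# strings without requiring a Python version that supports atomic groups.
EXT = r"(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif)"
VB_REGEXP = re.compile(
    r"(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);"
    r"\s*(?:file)?name=|begin\s+[0-7]{3,4}\s+)"
    r'("[^"]+\.' + EXT + r'"|[\w.-]+\.' + EXT + r")[\s;]"
)

# Boundary string taken from the quoted message headers.
BOUNDARY = "--VE5UJCTYZOPYFWTMBGLI3O92FW1MB"


def build_body(filename: str, story: str) -> str:
    """Construct a multipart/mixed body shaped like the quoted message:
    one text part followed by one base64 attachment. The base64 payload is a
    constructed placeholder (it decodes to "ABCDEFGH"), not the real file."""
    return (
        f"--{BOUNDARY}\n"
        'Content-Type: text/plain; charset="us-ascii"\n\n'
        f"{story}\n\n"
        f"--{BOUNDARY}\n"
        f'Content-Type: application/octet-stream; name="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: attachment; filename="{filename}"\n\n'
        "QUJDREVGR0g=\n"
        f"--{BOUNDARY}--\n"
    )


def visible_body(body: str, limit: int = 5000) -> str:
    """Assumed emulation of Exim's $message_body: the filter sees only the
    first message_body_visible bytes of the body, with newlines turned into
    spaces. The bodies built here are pure ASCII, so bytes == characters."""
    return body[:limit].replace("\n", " ")


def filter_match(body: str, limit: int = 5000):
    """Return the $1 the filter's fail text would report, or None when the
    'if $message_body matches' test would not fire for this body."""
    m = VB_REGEXP.search(visible_body(body, limit))
    return m.group(1) if m else None


def attachment_offset(body: str) -> int:
    """Byte offset of the first attachment part header (-1 if absent).
    Compare it with message_body_visible when a message slips through."""
    return body.find("Content-Disposition: attachment")


# Constructed test bodies: the shape of the quoted message, the same message
# with the name spaced out as in the post, and one whose text part alone is
# longer than the 5000-byte visible window.
SHORT = build_body("joke.exe", "Today, Snowhite was turning 18.")
SPACED = build_body("j o k e . e x e", "Today, Snowhite was turning 18.")
LONG = build_body("joke.exe", "x" * 6000)

if __name__ == "__main__":
    for label, body in (("short body", SHORT),
                        ("spaced-out name", SPACED),
                        ("6000-byte text part", LONG)):
        print(f"{label:20s} attachment at byte {attachment_offset(body):5d}"
              f" -> filter $1: {filter_match(body)}")
```

Running it shows the regex does fire on a body shaped like the quoted one when the name is "joke.exe", does not fire on the spaced-out name used in the post (that edit is only cosmetic and is not what the filter saw), and does not fire when the attachment header starts past the visible window. If a real message slips through, feeding its actual body to `filter_match` and `attachment_offset` separates "the pattern does not match this text" from "the filter never saw this text".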