Hi,
Some of my mail comes via a machine running exim 3.13, with the exim
system_filter.exim version 0.09, with the visible message body
increased to 5000 in exim.conf.
Today I received the snow white virus, and do not understand why exim
failed to block it.
The message was sent to
postmaster@???
as the exim log shows:
68399:2001-02-14 10:04:28 14T4Pq-00071m-00 <= <> H=mail.hypercon.com [198.64.246.144] P=esmtp S=32382
68400:2001-02-14 10:04:28 14T4Pq-00071m-00 => gray@??? <postmaster@???> R=lookuphost T=remote_smtp H=baja-clear.austin.apc.slb.com [163.185.74.6]
68401:2001-02-14 10:04:29 14T4Pq-00071m-00 => osgroup@??? <postmaster@???> R=lookuphost T=remote_smtp H=asgaard.wan.cwomnes.net [192.23.66.14]
68402:2001-02-14 10:04:29 14T4Pq-00071m-00 -> controllers@??? <postmaster@???> R=lookuphost T=remote_smtp H=asgaard.wan.cwomnes.net [192.23.66.14]
68403:2001-02-14 10:04:29 14T4Pq-00071m-00 -> sromero@??? <postmaster@???> R=lookuphost T=remote_smtp H=asgaard.wan.cwomnes.net [192.23.66.14]
68404:2001-02-14 10:04:29 14T4Pq-00071m-00 => grilli@??? <postmaster@???> R=lookuphost T=remote_smtp H=pop.houston.omnes.slb.com [163.185.18.224]
68405:2001-02-14 10:04:29 14T4Pq-00071m-00 -> jennings@??? <postmaster@???> R=lookuphost T=remote_smtp H=pop.houston.omnes.slb.com [163.185.18.224]
68406:2001-02-14 10:04:29 14T4Pq-00071m-00 => fetterley@??? <postmaster@???> R=lookuphost T=remote_smtp H=pop.houston.omnes.slb.com [163.185.18.224]
68407:2001-02-14 10:04:29 14T4Pq-00071m-00 Completed
I have modified the name of the file from
joke.exe
to
j o k e . e x e
to stop this message triggering virus alarms.
The top of the message was:
Received: from baja-clear.austin.apc.slb.com (baja-clear.austin.apc.slb.com [163.185.74.6])
by platinum1.cambridge.scr.slb.com (8.11.1/8.11.1/NC.V1.5) with ESMTP id f1EG4OU12148
for <gray@???>; Wed, 14 Feb 2001 16:04:24 GMT
Received: (from gray@localhost)
by baja-clear.austin.apc.slb.com (8.9.3/8.9.3) id KAA20353
for gray@???; Wed, 14 Feb 2001 10:04:28 -0600 (CST)
Received: from mahler.houston.sinet.slb.com (mahler.houston.sinet.slb.com [163.185.18.230])
by baja-clear.austin.apc.slb.com (8.9.3/8.9.3) with ESMTP id KAA20344
for <gray@???>; Wed, 14 Feb 2001 10:04:27 -0600 (CST)
Received: from mail.hypercon.com ([198.64.246.144])
by mahler.houston.sinet.slb.com with esmtp (Exim 3.13 #1)
id 14T4Pq-00071m-00
for postmaster@???; Wed, 14 Feb 2001 10:04:26 -0600
Received: from oemcomputer ([198.64.222.225]) by mail.hypercon.com
(Post.Office MTA v3.1 release PO205e ID# 0-40161U5000L500S0)
with SMTP id AAA929 for <postmaster@???>;
Wed, 14 Feb 2001 10:02:53 -0600
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VE5UJCTYZOPYFWTMBGLI3O92FW1MB"
Message-Id: <E14T4Pq-00071m-00@???>
X-UIDL: c5037fc7758e757ab1eec19a6fa0a4f5
From: Hahaha <hahaha@???>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Date: Wed, 14 Feb 2001 10:04:26 -0600
----VE5UJCTYZOPYFWTMBGLI3O92FW1MB
Content-Type: text/plain; charset="us-ascii"
Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and
polite with Snowhite. When they go out work at mornign, they promissed a
*huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven
Dwarfs enter...
----VE5UJCTYZOPYFWTMBGLI3O92FW1MB
Content-Type: application/octet-stream; name="j o k e . e x e"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="j o k e . e x e"
and to my mind this should have been matched by the filter:
# Attempt to catch embedded VBS attachments
# in emails. These were used as the basis for
# the ILOVEYOU virus and its variants
# [vb_regexp]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif))[\\\\s;]"
then
  fail text "This message has been rejected because it has\n\
  \ta potentially executable attachment $1\n\
  \tThis form of attachment has been used by\n\
  \trecent viruses such as that described in\n\
  \thttp://www.fsecure.com/v-descs/love.htm\n\
  \tIf you meant to send this file then please\n\
  \tpackage it up as a zip file and resend it."
  seen finish
endif
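As an added illustration (not part of Douglas's post or of the Exim distribution), the following Python re-implements the vb_regexp check so it can be run against a constructed body modelled on the MIME part quoted above. It assumes that Exim's $message_body holds only the first message_body_visible bytes of the body with newlines turned into spaces, writes the filter's doubled backslashes as single ones (which is what Exim's quoted-string processing hands to the regex engine), and drops PCRE's atomic groups (?>...) because Python's re module lacks them (the plain groups match the same header strings here). The sample body, the lure placeholder and the helper names are constructed for this example.

```python
import re

# The vb_regexp condition from the sample system filter, as the regex engine
# sees it: \s, \w and \. with single backslashes. Exim's (?>\s*) atomic
# groups are written as plain \s* (assumption: equivalent for these inputs).
EXEC_EXT = r"(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif)"
ATTACHMENT_RE = re.compile(
    r"(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);\s*(?:file)?name="
    r"|begin\s+[0-7]{3,4}\s+)"
    r'("[^"]+\.%s"|[\w.-]+\.%s)[\s;]' % (EXEC_EXT, EXEC_EXT)
)


def exim_message_body(raw_body: str, message_body_visible: int = 5000) -> str:
    """Approximate Exim's $message_body (assumption: the first
    message_body_visible bytes of the body, with newlines turned into spaces).
    The post raised message_body_visible to 5000, so that is the default."""
    return raw_body[:message_body_visible].replace("\n", " ")


def executable_attachment(raw_body: str, message_body_visible: int = 5000):
    """Return what the filter would capture as $1, or None if the
    condition would not fire on this body."""
    m = ATTACHMENT_RE.search(exim_message_body(raw_body, message_body_visible))
    return m.group(1) if m else None


# Constructed sample body, modelled on the MIME structure quoted in the post
# with the attachment name restored to joke.exe and the lure text and
# base64 payload replaced by placeholders.
BOUNDARY = "--VE5UJCTYZOPYFWTMBGLI3O92FW1MB"
SAMPLE_BODY = (
    f"--{BOUNDARY}\n"
    'Content-Type: text/plain; charset="us-ascii"\n'
    "\n"
    "(lure text of the message goes here)\n"
    "\n"
    f"--{BOUNDARY}\n"
    'Content-Type: application/octet-stream; name="joke.exe"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="joke.exe"\n'
    "\n"
    "(base64 payload omitted)\n"
    f"--{BOUNDARY}--\n"
)

if __name__ == "__main__":
    print("as received:       ", executable_attachment(SAMPLE_BODY))
    print("name spaced out:   ", executable_attachment(
        SAMPLE_BODY.replace("joke.exe", "j o k e . e x e")))
    print("zip instead of exe:", executable_attachment(
        SAMPLE_BODY.replace("joke.exe", "joke.zip")))
    print("visible 100 bytes: ", executable_attachment(SAMPLE_BODY, 100))
    print("uuencoded form:    ", executable_attachment("begin 644 joke.exe\nM...\n"))
```

Run stand-alone it reports the quoted filename the filter would put into $1 for the attachment as originally named, no match once the name is spaced out as in the post, no match for a .zip, and no match when the visible-body limit is too small to reach the attachment headers, which is the first thing worth checking whenever a $message_body filter fails to fire on a message that looks as though it should match.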
Do postmaster messages avoid the system filter, or can someone explain
why this virus escaped the filter, or what I can do to debug the
issue?
Thanks in advance,
Douglas.
--
================================
Dr. Douglas GRAY STEPHENS
SL-IT Security (Directories)
Schlumberger Cambridge Research
High Cross,
Madingley Road,
Cambridge.
CB3 0EL
ENGLAND
Phone +44 1223 325295
Fax +44 1223 311830
Email DGrayStephens@???
================================