Re: [Exim] EXE attachment not caught by system filter

Pàgina inicial
Delete this message
Reply to this message
Autor: Marc MERLIN
Data:  
A: Phillips, Alan
CC: 'exim-users@exim.org', Patterson, Norman
Assumpte: Re: [Exim] EXE attachment not caught by system filter
On Mon, Apr 30, 2001 at 04:49:22PM +0100, Phillips, Alan wrote:
> Anyone got any idea why an EXE attachment that came in a message with these
> headers got through the current release of the system filter? It's catching
> vast amounts of other stuff but missed this one....


Yep:

>     From: MAILER-DAEMON@???


It's masqueraded as a bounce message, and your filter probably allows
bounces right through (otherwise you'd bounce your own bounces on virus
messages)

The main problem is that if you bounce the message, the bounce should not
contain the virus signature, otherwise you have to put a special case to
handle messages with a virus signature that look like bounces from your
site.
If you looked at the portion of the filter I pasted below, I actually check
'if error_message and $header_from: contains "Mailer-Daemon@???"',
but quite frankly it's not that much more secure: someone can feed messages
to me and pretend to be Mailer-Daemon@???
The other thing I do is that once I'm ready to fail a message, I first check
for "if not error_message" so that those bounces do not go back to me due to
delivery problems.

All that said, the real fix is not to use fail, but to use a mail command
that spaws formail and sed, and modifies the message so that bounced errors
do not contain the virus signature.
That way, you can get rid of the
----------------------------------------------------------------------------
if error_message and $header_from: contains "Mailer-Daemon@???"
then
finish
endif
----------------------------------------------------------------------------
section entirely.



BTW, I upped the subject size to 160, as it was bouncing a few misconfigured
mailers. I hope it's still small enough no to trigger buffer overflows.
----------------------------------------------------------------------------
# Check for MS buffer overruns as per latest BUGTRAQ.
# http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61
# This could happen in error messages, hence its placing
# here...
# We substract the first n characters of the date header
# and test if its the same as the date header... which
# is a lousy way of checking if the date is longer than
# n chars long
if ${length_160:$header_date:} is not $header_date:
then
  save /var/spool/exim/rejects/datefield 0644
  if not error_message
  then
    fail text "This message has been rejected because it has\n\
             \tan overlength date field which can be used\n\
             \tto subvert Microsoft mail programs\n\
               \tThe following URL has further information\n\
             \thttp://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61"
  endif
  seen finish
endif



# looks like a real error message - just ignore it (if header_from isn't
# mailer-daemon, we bounce the message if it's determined as a virus further
# down).
# Basically you can't just bounce back an error message otherwise it can create
# a loop
if error_message and $header_from: contains "Mailer-Daemon@???"
then
finish
endif

# Look for single part MIME messages with suspicious name extensions
# Check Content-Type header [vb2_regexp]
if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif))"
then
  save /var/spool/exim/rejects/mimeattachement 0644
  logfile /var/log/exim/rejectedmimeattachement.log 0644
  logwrite "$tod_log $message_id envelope: $sender_address, From: $h_from ($sender_host_name[$sender_host_address]) => $recipients (recipients=$recipients_count)  subject=$header_subject\n$message_headers"
  if not error_message
  then
    fail text "This message has been rejected because it has\n\
             \ta potentially executable attachment $1\n\
             \tThis form of attachment has been used by\n\
               \trecent viruses such as that described in\n\
             \thttp://www.fsecure.com/v-descs/love.htm\n\
             \tIf you meant to send this file then please\n\
             \tpackage it up as a zip file and resend it."
  endif
  seen finish
endif


# Attempt to catch embedded VBS attachments
# in emails.   These were used as the basis for 
# the ILOVEYOU virus and its variants
# [vb_regexp]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif))[\\\\s;]"
then
  save /var/spool/exim/rejects/embeddedmimeattachement 0644
  logfile /var/log/exim/rejectedembeddedmimeattachement.log 0644
  logwrite "$tod_log $message_id envelope: $sender_address, From: $h_from ($sender_host_name[$sender_host_address]) => $recipients (recipients=$recipients_count)  subject=$header_subject\n$message_headers"
  if not error_message
  then
    fail text "This message has been rejected because it has\n\
             \ta potentially executable attachment $1\n\
             \tThis form of attachment has been used by\n\
               \trecent viruses such as that described in\n\
             \thttp://www.fsecure.com/v-descs/love.htm\n\
             \tIf you meant to send this file then please\n\
             \tpackage it up as a zip file and resend it."
    seen finish
  endif
endif
----------------------------------------------------------------------------
-- 
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking


Home page: http://marc.merlins.org/ | Finger marc_f@??? for PGP key