On Mon, Apr 30, 2001 at 04:49:22PM +0100, Phillips, Alan wrote:
> Anyone got any idea why an EXE attachment that came in a message with these
> headers got through the current release of the system filter? It's catching
> vast amounts of other stuff but missed this one....
Yep:
> From: MAILER-DAEMON@???
It's masqueraded as a bounce message, and your filter probably allows
bounces right through (otherwise you'd bounce your own bounces on virus
messages).
The main problem is that if you bounce the message, the bounce should not
contain the virus signature, otherwise you have to put a special case to
handle messages with a virus signature that look like bounces from your
site.
If you look at the portion of the filter I pasted below, I actually check
'if error_message and $header_from: contains "Mailer-Daemon@???"',
but quite frankly it's not that much more secure: someone can feed messages
to me and pretend to be Mailer-Daemon@???
The other thing I do is that once I'm ready to fail a message, I first check
for "if not error_message" so that those bounces do not go back to me due to
delivery problems.
All that said, the real fix is not to use fail, but to use a mail command
that spawns formail and sed, and modifies the message so that bounced errors
do not contain the virus signature.
That way, you can get rid of the
----------------------------------------------------------------------------
if error_message and $header_from: contains "Mailer-Daemon@???"
then
finish
endif
----------------------------------------------------------------------------
section entirely.
BTW, I upped the subject size to 160, as it was bouncing a few misconfigured
mailers. I hope it's still small enough not to trigger buffer overflows.
----------------------------------------------------------------------------
# Check for MS buffer overruns as per latest BUGTRAQ.
# http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61
# This could happen in error messages, hence its placing
# here...
# We subtract the first n characters of the date header
# and test if it's the same as the date header... which
# is a lousy way of checking if the date is longer than
# n chars long
if ${length_160:$header_date:} is not $header_date:
then
save /var/spool/exim/rejects/datefield 0644
if not error_message
then
fail text "This message has been rejected because it has\n\
\tan overlength date field which can be used\n\
\tto subvert Microsoft mail programs\n\
\tThe following URL has further information\n\
\thttp://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61"
endif
seen finish
endif
# looks like a real error message - just ignore it (if header_from isn't
# mailer-daemon, we bounce the message if it's determined as a virus further
# down).
# Basically you can't just bounce back an error message otherwise it can create
# a loop
if error_message and $header_from: contains "Mailer-Daemon@???"
then
finish
endif
# Look for single part MIME messages with suspicious name extensions
# Check Content-Type header [vb2_regexp]
if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif))"
then
save /var/spool/exim/rejects/mimeattachement 0644
logfile /var/log/exim/rejectedmimeattachement.log 0644
logwrite "$tod_log $message_id envelope: $sender_address, From: $h_from ($sender_host_name[$sender_host_address]) => $recipients (recipients=$recipients_count) subject=$header_subject\n$message_headers"
if not error_message
then
fail text "This message has been rejected because it has\n\
\ta potentially executable attachment $1\n\
\tThis form of attachment has been used by\n\
\trecent viruses such as that described in\n\
\thttp://www.fsecure.com/v-descs/love.htm\n\
\tIf you meant to send this file then please\n\
\tpackage it up as a zip file and resend it."
endif
seen finish
endif
# Attempt to catch embedded VBS attachments
# in emails. These were used as the basis for
# the ILOVEYOU virus and its variants
# [vb_regexp]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif))[\\\\s;]"
then
save /var/spool/exim/rejects/embeddedmimeattachement 0644
logfile /var/log/exim/rejectedembeddedmimeattachement.log 0644
logwrite "$tod_log $message_id envelope: $sender_address, From: $h_from ($sender_host_name[$sender_host_address]) => $recipients (recipients=$recipients_count) subject=$header_subject\n$message_headers"
if not error_message
then
fail text "This message has been rejected because it has\n\
\ta potentially executable attachment $1\n\
\tThis form of attachment has been used by\n\
\trecent viruses such as that described in\n\
\thttp://www.fsecure.com/v-descs/love.htm\n\
\tIf you meant to send this file then please\n\
\tpackage it up as a zip file and resend it."
endif
# seen finish belongs outside the error_message test, as in the two
# rules above: a bounce carrying an embedded VBS is saved and logged
# but must not fall through to normal delivery.
seen finish
endif
----------------------------------------------------------------------------
--
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page:
http://marc.merlins.org/ | Finger marc_f@??? for PGP key
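The decision logic of the posted filter, as an added Python example (not code from the thread or from Exim): the overlength Date check, the bounce guard that the forged From: MAILER-DAEMON message slipped through, the two attachment regexes, and the "if not error_message" distinction between bouncing and silently discarding. LOCAL_DOMAIN, the action names and the sample messages are assumptions; the regexes are transcribed from the filter with Exim's (?>...) atomic groups written as plain \s*.

```python
import re
from email import message_from_string

# Extension list, header rule and body rule transcribed from the Exim filter
# above; Exim's (?>...) atomic groups are written as plain \s* here.
EXT = r"(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif)"
NAME = r'("[^"]+\.' + EXT + r'"|[\w.-]+\.' + EXT + r")"
ATTACH_RE = re.compile(r"(?:file)?name=" + NAME, re.I)  # [vb2_regexp]
BODY_RE = re.compile(  # [vb_regexp]
    r"(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);\s*"
    r"(?:file)?name=|begin\s+[0-7]{3,4}\s+)" + NAME + r"[\s;]", re.I)
MAX_DATE = 160  # the length_160 check
LOCAL_DOMAIN = "example.org"  # assumed placeholder for the site's own domain

def filter_message(raw, envelope_sender):
    """Return (action, reason): 'bounce' (fail), 'discard' (saved to the
    rejects spool and 'seen finish' without a bounce) or 'deliver'."""
    msg = message_from_string(raw)
    error_message = envelope_sender == ""  # Exim: empty envelope sender <>
    def reject(reason):  # save ...; if not error_message then fail; seen finish
        return ("discard" if error_message else "bounce", reason)

    if len(msg.get("Date", "")) > MAX_DATE:
        return reject("overlength Date header")
    # The loop guard from the thread: an empty envelope sender plus a forged
    # From: is all it takes to 'finish' and have the message delivered.
    if error_message and f"mailer-daemon@{LOCAL_DOMAIN}" in msg.get("From", "").lower():
        return ("deliver", "treated as our own bounce")
    if m := ATTACH_RE.search(msg.get("Content-Type", "")):
        return reject("executable attachment " + m.group(1))
    # $message_body: Exim hands the filter the body with newlines as spaces.
    if m := BODY_RE.search(raw.partition("\n\n")[2].replace("\n", " ")):
        return reject("embedded executable attachment " + m.group(1))
    return ("deliver", None)

# Constructed sample messages, not taken from the thread.
FORGED_BOUNCE = ("From: MAILER-DAEMON@example.org\nDate: Mon, 30 Apr 2001 16:49:22 +0100\n"
                 'Content-Type: application/octet-stream; name="report.exe"\n\nTVqQAAMAAAAEAAAA\n')
LONG_DATE = ("From: someone@example.net\nDate: Mon, 30 Apr 2001 16:49:22 +0100"
             + "A" * 200 + "\n\nhello\n")
ILOVEYOU = ("From: friend@example.net\nDate: Thu, 4 May 2000 10:00:00 +0800\n"
            'Content-Type: multipart/mixed; boundary="b1"\n\n--b1\n'
            'Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"\n\n'
            "On Error Resume Next\n--b1--\n")

if __name__ == "__main__":
    for raw, sender in [(FORGED_BOUNCE, ""), (FORGED_BOUNCE, "x@example.net"),
                        (LONG_DATE, ""), (LONG_DATE, "x@example.net"), (ILOVEYOU, "x@example.net")]:
        print(filter_message(raw, sender))
```

The first sample reproduces the case in the thread: with an empty envelope sender and a forged From: the .exe is delivered, while the same message with a real sender is bounced.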