Re: [Exim] W32/Sircam worm

Etusivu
Poista viesti
Vastaa
Lähettäjä: Dr. Douglas Gray Stephens
Päiväys:  
Vastaanottaja: Phil Pennock
Kopio: exim-users
Aihe: Re: [Exim] W32/Sircam worm
Phil,

At 21:18 on 24-July-2001, Phil Pennock wrote:
> On 2001-07-24 at 14:08 -0500, Justyn's Lists wrote:
> > I just got around to actually testing (from netscape mail) the addition
> > of the lnk file extension I placed in the system filter and it isn't
> > rejecting... I thought all I needed to do was to add it to the list of
> > extensions like below?
> >
> > (?:vb[se]|ws[fh]|jse?|exe|com|cmd|shs|hta|bat|scr|lnk....
> >
> > It is rejecting the other extensions in my testing... what am I
> > missing? does it work for anyone else?
>
> You've noticed that this list appears four times in the filter?
>
> Nigel, you maintain the filter, don't you? Interested in my M4'ised
> version, which means that the extensions and text only need to be
> updated once each, then you run m4 to get the real system filter?


I actually started a discussion about blocking this beast yesterday,
as there is an earler issue about file extenstions -- see
http://www.guninski.com/clsidext.html
and I posted a modified system filter to the list in June.

I am not happy with blocking all links, they can be used for good
reason, so would suggest that we need to be more selective, e.g.
 if $header_content-type: contains ".lnk" and
     ( $message_body: contains "Hi! How are you" or
       $message_body: contains "Hola como estas "
     )
  then
    if $return_path is ""
    then
      seen finish
    endif
    fail text "This message has been rejected because it a LNK file\n\
               \tthat could be a known virus\n\
               \thttp://vil.nai.com/vil/virusSummary.asp?virus_k=99141 \n\
               \tIf you meant to send this file then please\n\
               \tpackage it up as a zip file and resend it."
    seen finish
  endif



Douglas.

--

================================
Douglas GRAY STEPHENS        
Global Infrastructure (Directories)
Schlumberger Cambridge Research
High Cross,
Madingley Road,
Cambridge.
CB3 0EL
ENGLAND


Phone  +44 1223 325295
Mobile +44 773 0051628
Fax    +44 1223 311830
Email DGrayStephens@???
================================