Re: [Exim] Nimda++...Except???

Pàgina inicial
Delete this message
Reply to this message
Autor: lsu
Data:  
A: Margrit.Lottmann
CC: exim-users
Assumpte: Re: [Exim] Nimda++...Except???
Try attachment, based on "no-exe" exim filter.


On 2001-09-21/09:37 from Margrit.Lottmann@??? to...:

>From: Margrit.Lottmann@???
>Subject: [Exim] Nimda++...Except???
>To: exim-users@???
>Date: Fri, 21 Sep 2001 09:37:28 +0200 (DFT)
>
>Which ideas I had seen in this list to find Nimda Virus in
>this list:
>
>1. search for ...=readme.exe ... in the bodies...
>2. search for "exe"'s
>3. search for audio/wav-headers
>4. using a email virus checker like exiscan in condition with
> sophos(sweep)
>
>
>We are using "1." , but I think I cannot receive now messages
>from (for example) our security organisations or other warnings,
>which describe this virus with a text, that contains the
>given filter condition.
>
>Is it possible to except addresses from filter checking in exim ???
>
>
>
>MfG Margrit Lottmann
>
>
 >  +-----------------------------------------------------------------------+
 >  |                                             phone : +49 391 67  18572 |
 >  |                            +49 391 67  12819 |
 >  |              Margrit Lottmann                 fax : +49 391 67  11134 |
 >  |                                                                       |
 >  | Otto-von-Guericke-Universitaet Magdeburg                              |
 >  | Universitaetsrechenzentrum, URZ-N                                     |
 >  | Universitaetsplatz 2                                                  |
 >  | D-39106 Magdeburg,  Germany                                           |
 >  |                                                                       |
 >  |              Margrit.Lottmann@???                       |
 >  +-----------------------------------------------------------------------+

>
>
>--
>## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
>

# Virus section

# Headers
if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|pif|lnk)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|pif|lnk))"
then

# nimda
if $header_x-unsent is "1" then
    logwrite "$tod_log: nimda [$1] from $sender_address $sender_rcvhost"
    if $header_from contain "mailer-daemon" then
        seen finish
    else
        fail text "nimda virus in attachment '$1'"
        seen finish
    endif
endif
if $message_body contain  "audio/x-wav" and $1 is "readme.exe" then
    logwrite "$tod_log: nimda [$1] from $sender_address $sender_rcvhost"
    if $header_from contain "mailer-daemon" then
        seen finish
    else
        fail text "nimda virus in attachment '$1'"
        seen finish
    endif
endif
# sircam
if ($message_body contains
        "I send you this file in order to have your" or
   $message_body contains
        "I hope you can help me with this file that I send" or
   $message_body contains
        "I hope you like the file that I send you" or
   $message_body contains
        "Hola como estas" or
   $message_body contains
        "This is the file with the information that you ask" )
   then
    if $header_from contain "mailer-daemon" or
       $header_to contain "postmaster@" then
        logwrite "$tod_log: sircam [$1] from $sender_address $sender_rcvhost"
        seen finish
    else 
        logwrite "$tod_log: sircam [$1] from $sender_address $sender_rcvhost"
        fail text "sircam in attachment '$1'"
    endif
   finish
endif
endif

# Repeat over body
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|pif|lnk)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|pif|lnk))[\\\\s;]"
then
# nimda
if $header_x-unsent is "1" then
    logwrite "$tod_log: nimda [$1] from $sender_address $sender_rcvhost"
    if $header_from contain "mailer-daemon" then
        seen finish
    else
        fail text "nimda virus in attachment '$1'"
        seen finish
    endif
endif
if $message_body contain  "audio/x-wav" and $1 is "readme.exe" then
    logwrite "$tod_log: nimda [$1] from $sender_address $sender_rcvhost"
    if $header_from contain "mailer-daemon" then
        seen finish
    else
        fail text "nimda virus in attachment '$1'"
        seen finish
    endif
endif
# sircam
if ($message_body contains
        "I send you this file in order to have your" or
   $message_body contains
        "I hope you can help me with this file that I send" or
   $message_body contains
        "I hope you like the file that I send you" or
   $message_body contains
        "Hola como estas" or
   $message_body contains
        "This is the file with the information that you ask" )
   then
    if $header_from contain "mailer-daemon" or
       $header_to contain "postmaster@" then
        logwrite "$tod_log: sircam [$1] from $sender_address $sender_rcvhost"
        seen finish
    else 
        logwrite "$tod_log: sircam [$1] from $sender_address $sender_rcvhost"
        fail text "sircam in attachment '$1'"
    endif
   finish
endif
endif