Re: [Exim] badtrans virus

Startseite
Nachricht löschen
Nachricht beantworten
Autor: John W Baxter
Datum:  
To: exim-users
Neue Treads: [Exim] badtrans virus (helo)
Betreff: Re: [Exim] badtrans virus
At 9:45 +1100 12/3/2001, Todd Lattimer wrote:
>Just wondering is anyone has written a successful filter to block the
>badtrans virus.
>I've written a VERY crude one (shown below) which has very limited and
>marginal success.


I'm having reasonable luck with looking for a From: header where the local
part starts with _ in a message where the envelope sender local part does
not start with _ (and another criterion or two). This is rather tender; a
slight variation in the worm will break it (but that's true of looking for
signature byte strings in the viral code, as well).

if $header_from: contains <_ and $sender_helo_name is aol.com then
    logfile /logs/exim/exim_newvirus
    logwrite "$tod_log $header_from: sent the new virus to $header_to:"
    if $sender_address_local_part begins _ then
        freeze
    else
        # actions here for the worm
    endif
endif


I'm freezing the leading underscore/leading underscore case so I can
examine some...so far there haven't been any, but someone somewhere must
have such a local part.

AOL is innocent, but the worm uses aol.com for the helo data.

--john (anxious to get our Sophos-based scanner going)

-- 
John Baxter   jwblist@???      Port Ludlow, WA, USA