[Exim] badtrans virus (helo)

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Oliver Egginger
Date:  
À: John W Baxter
CC: exim-users
Anciens-sujets: Re: [Exim] badtrans virus
Sujet: [Exim] badtrans virus (helo)
In the beginning I was doing something similar.
(I only caused a virus alert for a "aol.com" message if the envelope sender was a local one.)
But then I realized that the bt virus didn't have always the "aol.com" in the "helo".
You don't catch them all this way.

regards
Oliver


> At 9:45 +1100 12/3/2001, Todd Lattimer wrote:
> >Just wondering is anyone has written a successful filter to block the
> >badtrans virus.
> >I've written a VERY crude one (shown below) which has very limited and
> >marginal success.
>
> I'm having reasonable luck with looking for a From: header where the local
> part starts with _ in a message where the envelope sender local part does
> not start with _ (and another criterion or two). This is rather tender; a
> slight variation in the worm will break it (but that's true of looking for
> signature byte strings in the viral code, as well).
>
> if $header_from: contains <_ and $sender_helo_name is aol.com then
>     logfile /logs/exim/exim_newvirus
>     logwrite "$tod_log $header_from: sent the new virus to $header_to:"
>     if $sender_address_local_part begins _ then
>         freeze
>     else
>         # actions here for the worm
>     endif
> endif

>
> I'm freezing the leading underscore/leading underscore case so I can
> examine some...so far there haven't been any, but someone somewhere must
> have such a local part.
>
> AOL is innocent, but the worm uses aol.com for the helo data.
>
> --john (anxious to get our Sophos-based scanner going)