[Exim] W32/Magistr slipping through system_filter.

Author: Jeff Sloan
Date:  
To: exim-users
Subject: [Exim] W32/Magistr slipping through system_filter.
--
The Virus W32/Magistr.a@MM slipped through the filter yesterday.

I did receive the postmaster warning, but the user also received the message.

Does this have to do with the virus modifying the return address, making it
fail in the director or transport so that the whole thing never got flushed
from the queue?

I notice that the delivery to the user happened on the queue run 5 minutes
after the initial delivery.

Names of innocents below have been changed, guilty names remain the same.

I believe that this virus has been detected before by this filter.

I did notice an e-mail to Nigel about this on 10 July 2001, but no post of
the public resolution.

By the way - Nigel - many thanks for posting the filter, I have modified
and re-modified it many times for specific blocking and SPAM stopping, but
I would have been much further behind without the kick-start from the
initial filter.

Thanks in advance,

Jeff Sloan


Appropriate Filter Section:

<snip>

# Attempt to catch embedded VBS attachments
# in emails.   These were used as the basis for
# the ILOVEYOU virus and its variants.
# Note that $message_body only holds the first message_body_visible
# bytes of the body (default 500), so the attachment headers must
# fall inside that window for this test to fire.
# [vb_regexp]
if $message_body matches
"(?:Content-(?:Type:(?>\\s*)[\\w-]+/[\\w-]+|Disposition:(?>\\s*)attachment);(?>\\s*)(?:file)?name=|begin(?>\\s+)[0-7]{3,4}(?>\\s+))(\"[^\"]+\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif)\"|[\\w.-]+\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif))[\\s;]"
then
   # Keep a copy of the message and record what matched ($1 is the attachment name)
   save /var/spool/exim/rejects/executable_attachments 0644
   logfile /var/log/exim/rejected_executable_attachments.log 0644
   logwrite "$tod_log $message_id envelope: $sender_address,\n\ From: $h_from ($sender_host_name[$sender_host_address]) =>\n\ $recipients (recipients=$recipients_count) \n\
subject=$header_subject\n$message_headers \n\ attachment= $1 \n\
=========================== \n"
   # Tell the postmaster
   mail
          to postmaster
          from mailfilter
          subject "Malware Received - Executable_Attachment: $h_to: "
          text "$recipients has received a message from $h_from that was rejected by the mailfilter \n\
          \t subject was: $h_subject \n\
          \t attachment was $1 \n\
          \t the message was delivered intact to /var/spool/exim/rejects/executable_attachments "
   # Tell the apparent sender.  $h_from is taken from the message itself,
   # so it may be forged or malformed; a reply that cannot be delivered
   # is deferred and keeps the message on the queue.
   mail
        to $h_from
        from mailfilter@???
        subject "Rejected Message: $h_subject:"
        text "\t This message was created automatically by mail delivery software. \n\ \n\
              \t Do Not Reply to this Message \n\ \n\
              \t A message that you sent could not be delivered to one or more of the intended recipients.\n\ \n\
              \t The following Addresses failed: \n\
              \t \t $h_to \n\ \n\
                  \t Other Addressees (possibly in BCC: field) were: \n\
              \t \t $recipients \n\ \n\
              \tYour Message to $recipients has been rejected. \n\ \n\
              \tThis message has been rejected because it has \n\
              \ta potentially executable attachment $1 \n\
              \tThis form of attachment has been used by \n\
              \trecent viruses or other malware.\n\ \n\
              \tIf you meant to send this file then please\n\
              \tpackage it up as a zip file and resend it.\n\ \n\
              \t You can visit http://www.mcafee.com or http://www.symantec.com \n\
              \t for more information."

seen finish
endif


<snip>

Log snip:

<snip>


2002-02-28 21:23:52 16gfWI-0000U5-00 <= ckfleet@??? H=(mail01g.rapidsite.net) [207.158.192.232] P=smtp S=90137
2002-02-28 21:23:52 16gfWI-0000U5-00 original recipients ignored (message_filter)
2002-02-28 21:23:52 16gfWI-0000U5-00 => /var/spool/exim/rejects/executable_attachments <message filter> T=address_file
2002-02-28 21:23:52 SMTP connection from (mail01g.rapidsite.net) [207.158.192.232] closed by QUIT
2002-02-28 21:23:52 16gfWK-0000U9-00 <= <> R=16gfWI-0000U5-00 U=mail P=local S=713
2002-02-28 21:23:52 16gfWI-0000U5-00 => >postmaster <message filter> T=address_reply
2002-02-28 21:23:52 16gfWK-0000UC-00 Error while reading message with no usable sender address (R=16gfWI-0000U5-00): at least one malformed recipient address: Dean DeCesare <cjfleet@???>\n ckfleet@??? - malformed address: ckfleet@??? may not follow Dean DeCesare <cjfleet@???>
2002-02-28 21:23:52 16gfWI-0000U5-00 == >Dean DeCesare <cjfleet@???> ckfleet@??? <message filter> T=address_reply defer (0): Failed to send message from address_reply transport (1)
2002-02-28 21:23:52 16gfWK-0000U9-00 => user1 <postmaster@???> D=localuser T=local_delivery
2002-02-28 21:23:52 16gfWK-0000U9-00 Completed
2002-02-28 21:28:01 Start queue run: pid=1876
2002-02-28 21:28:01 16gfWI-0000U5-00 => user2 <user2@???> D=localuser T=local_delivery
2002-02-28 21:28:01 16gfWI-0000U5-00 Completed

<snip>

Jeff Sloan
Va-Tran Systems, Inc
677 Anita Street Suite A
Chula Vista, CA 91911-4661

619-423-4555 X102
619-423-4604 fax

mailto:jeffsloan@vatran.com

http://www.vatran.com
--
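The filter in the post runs a regexp over $message_body and then auto-replies to whatever is in $h_from; the log shows that second step deferring because the From: header held two addresses rather than one. The Python below is an added example, not part of the original post and not Exim's own code: it ports the filter's regexp (Exim string escaping removed, PCRE atomic groups written as plain groups), runs it over a constructed MIME body, and adds the From: check the filter lacks, returning no reply target unless the header carries exactly one well-formed address. It also goes a step beyond the post by emulating the message_body_visible window that limits what $message_body holds, assumed here to be left at Exim's default of 500 bytes. All sample bodies and headers are constructed, not real traffic.

```python
#!/usr/bin/env python3
"""Added example (not from the original post or from Exim): the filter's
executable-attachment regexp ported to Python, run over constructed bodies,
plus a From: header check before any auto-reply.

Assumptions: message_body_visible is at Exim's default of 500 bytes; the
sample bodies and headers below are constructed."""
import re
from email.utils import getaddresses
from typing import Optional

# Extension alternation copied from the filter.
_EXT = r"(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif)"

# The filter's pattern as it reaches PCRE: Exim's double-quoted-string
# escaping removed (\\s -> \s) and the atomic groups (?>\s*) written as
# plain \s*, which Python's re lacks before 3.11; for this pattern the
# match result is the same.  Exim's lower-case `matches` is
# case-independent, hence re.IGNORECASE.
ATTACH_RE = re.compile(
    r"(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);\s*(?:file)?name="
    r"|begin\s+[0-7]{3,4}\s+)"
    r'("[^"]+\.' + _EXT + r'"|[\w.-]+\.' + _EXT + r")[\s;]",
    re.IGNORECASE,
)

MESSAGE_BODY_VISIBLE = 500  # Exim default (assumption: not raised in this config)


def exim_message_body(raw_body: str, visible: int = MESSAGE_BODY_VISIBLE) -> str:
    """Approximate what $message_body holds in a system filter: only the
    first `visible` bytes of the body, with newlines replaced by spaces."""
    return raw_body[:visible].replace("\n", " ")


def find_executable_attachment(raw_body: str,
                               visible: int = MESSAGE_BODY_VISIBLE) -> Optional[str]:
    """Return what the filter's $1 would be (attachment name, quotes included
    when the header quoted it), or None when nothing matches."""
    m = ATTACH_RE.search(exim_message_body(raw_body, visible))
    return m.group(1) if m else None


def reply_target(from_header: str) -> Optional[str]:
    """Address the filter's `mail to $h_from` would go to, or None when the
    header does not hold exactly one well-formed address.  'Name <a@x> b@x'
    is the shape the posted log shows Exim rejecting as malformed, which
    left that delivery deferred instead of failing outright."""
    addrs = [addr for _, addr in getaddresses([from_header]) if addr]
    if len(addrs) != 1:
        return None
    local, sep, domain = addrs[0].rpartition("@")
    if not (sep and local and domain):
        return None
    return addrs[0]


# Constructed MIME body with an .exe part close to the top of the body.
SAMPLE_BODY = (
    "This is a multi-part message in MIME format.\n"
    "\n"
    "------=_NextPart_000_0007\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Check this out!\n"
    "\n"
    "------=_NextPart_000_0007\n"
    "Content-Type: application/octet-stream; name=\"READ_ME.exe\"\n"
    "Content-Transfer-Encoding: base64\n"
    "Content-Disposition: attachment; filename=\"READ_ME.exe\"\n"
    "\n"
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "------=_NextPart_000_0007--\n"
)

# Same attachment, but a long text part pushes its headers past the
# visible window, so the filter's test never sees them.
PADDED_BODY = SAMPLE_BODY.replace("Check this out!\n", "Check this out! " * 40 + "\n")

if __name__ == "__main__":
    print("attachment in sample body:", find_executable_attachment(SAMPLE_BODY))
    print("same body padded past message_body_visible:",
          find_executable_attachment(PADDED_BODY))
    print("padded body with the whole body visible:",
          find_executable_attachment(PADDED_BODY, visible=len(PADDED_BODY)))
    for hdr in ("Sender Name <sender@example.org>",
                "Dean DeCesare <cjfleet@example.org> ckfleet@example.org"):
        print(f"reply target for {hdr!r}: {reply_target(hdr)}")
```

In the filter itself the equivalent guard is a condition on $h_from before the second mail command. The log above shows why it matters: the reply to the two-address From: was deferred by the address_reply transport, and a deferred delivery is what kept 16gfWI-0000U5-00 on the queue for the 21:28 run. Replying to a From: address at all is backscatter whenever that address is forged, which is the norm for mass mailers, so dropping the sender notification and keeping only the postmaster one is the safer shape.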