[Exim] Filter needed for Klez.E infected attachments...

Author: David Gardner
Date:  
To: exim-users
Subject: [Exim] Filter needed for Klez.E infected attachments...
Greetings all,

I'm running Exim 3.22 (yes, I should upgrade) and am filtering out
messages that have suspicious attachments. The filter is shown below and
was taken from the Exim web site:

{snip}
## -----------------------------------------------------------------------
# Attempt to catch embedded VBS attachments
# in emails. These were used as the basis for
# the ILOVEYOU virus and its variants - many many variants
# Quoted filename - [body_quoted_fn_match]
if $message_body matches
  "(?:Content-(?:Type:(?>\\s*)[\\w-]+/[\\w-]+|Disposition:(?>\\s*)attachment);(?>\\s*)(?:file)?name=|begin(?>\\s+)[0-7]{3,4}(?>\\s+))(\"[^\"]+\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\s;]"
then
  logwrite "Suspicious attachment error in message $message_id"

  fail text "This message has been rejected because it has\n\
             a potentially executable attachment $1\n\
             This form of attachment has been used by\n\
             recent viruses or other malware.\n\
             If you meant to send this file then please\n\
             package it up as a zip file and resend it."
  seen finish
endif


{snip}
as well as the unquoted version.

However, these filters do not seem to catch messages where the filename
is on a separate line (my attempts to send an example are rejected.)
Does anyone have a filter script which will read the headers of the
parts of a multipart message where records span lines?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
David Gardner
Vernier Software & Technology
13979 SW Millikan Way
Beaverton, OR 97005-2886

phone: (503) 277-2299
fax: (503) 277-2440
email: dgardner@???
WWW: http://www.vernier.com/
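A MIME-aware version of the check, added here as an example (it is not part of the original post and is not Exim's or the list's own code): rather than running a regular expression over the raw body, it parses the message with Python's standard email package, so a filename parameter that continues on a folded (indented) line is read as part of the same header, quoted and unquoted names are both handled, and the extension list from the filter above is applied to each part's name. The sample message is constructed. One further caveat on the body-regex approach: Exim's $message_body only exposes the first message_body_visible bytes of the body (500 by default), so attachment headers further into a multipart message are never seen by the filter regardless of line folding.

```python
import email
import re
from email import policy
from typing import List

# Extension list carried over from the Exim filter quoted in the post;
# case-insensitive because attachment names are often upper-cased.
SUSPICIOUS_EXT = re.compile(
    r"\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|"
    r"md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])$",
    re.IGNORECASE,
)


def suspicious_attachments(raw_message: str) -> List[str]:
    """Return the file names of every MIME part whose name ends in a
    suspicious extension.

    The message is parsed with the stdlib email package, so folded
    (multi-line) Content-Type / Content-Disposition headers, quoted and
    unquoted names, and RFC 2231 encoded names are all unfolded and
    decoded before the extension test runs.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # multipart containers carry no attachment of their own
        # get_filename() looks at Content-Disposition filename= first and
        # falls back to the Content-Type name= parameter.
        name = part.get_filename()
        if name and SUSPICIOUS_EXT.search(name):
            found.append(name)
    return found


# Constructed sample message (not from the post). The second and fourth
# parts fold their header parameters onto a continuation line starting
# with a tab or spaces, which is the layout the post says the body regex
# fails to catch.
SAMPLE_MESSAGE = (
    "From: sender@example.invalid\n"
    "To: recipient@example.invalid\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/mixed; boundary=\"boundary42\"\n"
    "\n"
    "--boundary42\n"
    "Content-Type: text/plain\n"
    "\n"
    "See attached.\n"
    "--boundary42\n"
    "Content-Type: application/octet-stream;\n"
    "\tname=\"readme.exe\"\n"
    "Content-Disposition: attachment;\n"
    "\tfilename=\"readme.exe\"\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "TVqQAAMAAAAEAAAA\n"
    "--boundary42\n"
    "Content-Type: text/plain; name=notes.txt\n"
    "Content-Disposition: attachment; filename=notes.txt\n"
    "\n"
    "just notes\n"
    "--boundary42\n"
    "Content-Type: application/octet-stream\n"
    "Content-Disposition: attachment;\n"
    "    filename=setup.pif\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "TVqQAAMAAAAEAAAA\n"
    "--boundary42--\n"
)

if __name__ == "__main__":
    for name in suspicious_attachments(SAMPLE_MESSAGE):
        print("suspicious attachment:", name)
```

Run against the sample, the function reports readme.exe (quoted name on a folded line) and setup.pif (unquoted name on a folded line) and ignores notes.txt. The same routine can sit behind a transport filter or a pipe-based scanner that receives the whole message, which sidesteps the $message_body size limit as well as the folding problem.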