--
On Wed, May 08, 2002 at 12:00:45PM +0200, Tirone Nel wrote:
| It's the default filter I downloaded from the Exim site. But yes, it runs
| along those lines.
|
| This is basically it:
| if $header_content-type: matches
| "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
| then
| fail text "This message has been rejected because it has\n\
| potentially executable content $1\n\
| This form of attachment has been used by\n\
| recent viruses or other malware.\n\
| If you meant to send this file then please\n\
| package it up as a zip file and resend it."
| seen finish
| endif
|
| Looks like it should work, right?
Not for Klez. Note that (as the comments say) the filter only checks
the Content-Type: header. It should work for single-part messages,
but Klez sends itself as a multipart MIME message.
| Has anyone else got it to work with Exim 4? And if so, could I have
| a look at their configuration file?
I use this to block Klez:
if
"$message_body $message_body_end"
matches "Content-.*audio/x-wav.*\.(?:pif|exe)"
or
"$message_body $message_body_end"
matches "Content-.*audio/x-mid.*\.(?:scr|exe)"
or
"$message_body $message_body_end"
matches "<iframe.*</iframe>"
then
fail "<<(sender: $sender_address) (From: $h_From:)>> \
This message has been rejected because the body contains \n\
text that appears to be MIME Content-Type: headers used by KLEZ.\n\
If you intended to send the file then please gzip it and resend it."
seen finish
endif
-D
--
Q: What is the difference between open-source and commercial software?
A: If you have a problem with commercial software you can call a phone
number and they will tell you it might be solved in a future version.
For open-source software there isn't a phone number to call, but you
get the solution within a day.
GnuPG key :
http://dman.ddts.net/~dman/public_key.gpg
--
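The gap described in the reply, as an added example that is not part of the original thread: a Python comparison (standard library only) of a test on the top-level Content-Type header against a walk over every MIME part. The function names and both sample messages are constructed for illustration; the extension list is the one from the quoted filter.

```python
import re
from email import message_from_string

# Extension list copied from the quoted default filter.
EXT = (r"\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|"
       r"lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])")
HEADER_RE = re.compile(r'(?:file)?name=("[^"]+' + EXT + r'")', re.I)
NAME_RE = re.compile(EXT + r"$", re.I)

# Constructed sample messages with inert placeholder bodies.
SINGLE = """\
From: a@example.com
Content-Type: application/octet-stream; name="setup.exe"

AAAA
"""
MULTI = """\
From: a@example.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="BOUND"

--BOUND
Content-Type: text/html

<html><body>hello</body></html>
--BOUND
Content-Type: audio/x-wav; name="demo.exe"

AAAA
--BOUND--
"""

def header_only_check(raw):
    """Like the quoted filter: test only the top-level Content-Type header."""
    msg = message_from_string(raw)
    return bool(HEADER_RE.search(msg.get("Content-Type", "")))

def blocked_parts(raw):
    """Walk every MIME part; return (content type, name) for blocked names."""
    hits = []
    for part in message_from_string(raw).walk():
        names = {part.get_filename(), part.get_param("name")}
        for name in sorted(n for n in names if isinstance(n, str)):
            if NAME_RE.search(name.strip()):
                hits.append((part.get_content_type(), name))
    return hits

if __name__ == "__main__":
    for label, raw in (("single-part", SINGLE), ("multipart", MULTI)):
        print(label, header_only_check(raw), blocked_parts(raw))
```

The header-only test fires on the single-part message and stays silent on the multipart one, while the per-part walk reports the blocked name in both.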