RE: [Exim] the Klez virus

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Nigel Metheringham
Datum:  
To: exim-users
Betreff: RE: [Exim] the Klez virus
On Fri, 2002-05-10 at 11:11, Sedat Yilmazer wrote:
>
> System_filter.exim has a bug. It only looks for file names WITHOUT a
> spave in it. If you send an "some virus file .exe" then ıt passes
> through. I have changed the "......\\\\S+.... in the file name cheching
> with .....[^\n\r]+ and it seems to be working fine now...


You will get false positives and you have a pretty much unterminated
regular expression which will chew cpu time under some circumstances.
Thats why that approach was dropped from the filter after a trial
implementation.

The body text presented to the filter has \r & \n flattened to spaces so
your expression is useless.

Due to the way stuff is presented to the filter it is impossible to make
it decently comprehensive. It was started as a quick hack to catch
Melissa and I'm rather worried to see the level of dependence. I do
not use the filter myself any more (although it is running on exim.org
mainly due to me not having changed anything there for a long time.

MIME parsing with a regular expression is not possible - you can make a
half-assed attempt, but its not a parser, just a rough guess.

    Nigel.
--
[ Nigel Metheringham           Nigel.Metheringham@??? ]
[ - Comments in this message are my own and not ITO opinion/policy - ]