Re: [Exim] the Klez virus

Author: Neil Long
Date:  
To: John W Baxter
CC: exim-users
Subject: Re: [Exim] the Klez virus
On May 10, 8:27am, John W Baxter wrote:
> Subject: Re: [Exim] the Klez virus
> At 12:20 +0100 5/10/2002, Neil Long wrote:
> >A simple
> >
> >if $message_body contains "AAAAAAAA    2AAAAA4fug4AtAnNIbgBTM0hVGhpc" then
> >freeze text "Klez"
> >endif

> >
> >will give you something to refine - better to also filter on body
> >length, etc as the above would trap this email (of course).
>
> I dropped a run of spaces into the test's target (it has none).
>
> How far down the KLEZ messages does this data appear (how much do we have
> to lengthen message_body_visible to reach it)? Rhetorical question, as I
> have plenty of sample KLEZ available to look at. The default 500 bytes
> pretty clearly isn't enough.
>
> --John


It is the second line of the base-64 section - just a couple of lines
down from the section headers.

I wouldn't have thought much more than 500 bytes in - I use
message_body_visible = 5000
on my own machines but it catches them all on at least one host
where this is not defined and the default is taken.

I am surprised your samples of virus laden mail aren't triggering.

It seems to work for -E and -G (aka -H) variants

regards
Neil

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Dr Neil J Long, Computing Services, University of Oxford
 13 Banbury Road, Oxford, OX2 6NN, UK Tel:+44 1865 273232 Fax:+44 1865 273275
 EMail:       Neil.Long@???
 PGP:    ID 0xE88EF71F    OxCERT: oxcert@??? PGP: ID 0x9FF898D5
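To make the thread's point concrete (where in the body the signature sits, and how large message_body_visible has to be for the rule to see it), here is an added Python example; it is not code from the original message, from John, or from Exim itself. It builds a constructed MIME message with a base64 attachment, approximates what Exim exposes as $message_body (the first message_body_visible bytes of the body after the headers, with newlines turned into spaces) and emulates the filter's `contains` test. The signature constant is the tail of the string quoted in the thread; that tail is the base64 encoding of the standard MS-DOS stub ("This program cannot be run in DOS mode") at file offset 64 of an ordinary Win32 executable, so the example generates it from a constructed MZ/PE-style blob rather than from a real sample. The message layout, boundary string, addresses and filenames are made up.

```python
import base64

# Tail of the signature quoted in the thread. It is the base64 of the standard
# MS-DOS stub that starts at offset 64 of a Win32 executable; the "AAAA..."
# groups that precede it encode e_lfanew and vary between executables.
KLEZ_SIGNATURE = "4fug4AtAnNIbgBTM0hVGhpc"

# Constructed stand-in for an infected attachment: a 64-byte DOS header with
# e_lfanew = 0x80, the classic DOS stub, then a minimal "PE\0\0" and filler.
DOS_HEADER = b"MZ\x90\x00" + b"\x00" * 56 + (0x80).to_bytes(4, "little")
DOS_STUB = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\r\n$")
FAKE_EXE = DOS_HEADER + DOS_STUB
FAKE_EXE += b"\x00" * (0x80 - len(FAKE_EXE)) + b"PE\x00\x00" + b"\x00" * 200

BOUNDARY = "----=_sample_boundary"  # constructed MIME boundary
DEFAULT_TEXT = "Hi, here is the file you asked for."  # constructed body text


def encoded_attachment(attachment=FAKE_EXE):
    """Base64 text of the attachment, wrapped at 76 columns as RFC 2045 requires."""
    return base64.encodebytes(attachment).decode("ascii")


def build_sample_message(body_text=DEFAULT_TEXT, attachment=FAKE_EXE):
    """Constructed multipart message in the style of a mass mailer: a short
    text part followed by a base64-encoded executable attachment."""
    return (
        "From: sender@example.invalid\n"
        "To: victim@example.invalid\n"
        "Subject: sample\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"\n'
        "\n"
        "This is a multi-part message in MIME format.\n"
        "\n"
        f"--{BOUNDARY}\n"
        'Content-Type: text/plain; charset="iso-8859-1"\n'
        "Content-Transfer-Encoding: 7bit\n"
        "\n"
        f"{body_text}\n"
        "\n"
        f"--{BOUNDARY}\n"
        'Content-Type: application/octet-stream; name="setup.exe"\n'
        "Content-Transfer-Encoding: base64\n"
        'Content-Disposition: attachment; filename="setup.exe"\n'
        "\n"
        f"{encoded_attachment(attachment)}"
        f"--{BOUNDARY}--\n"
    )


def exim_message_body(message, message_body_visible=500):
    """Approximation of Exim's $message_body: the first message_body_visible
    bytes after the header block, with newlines converted to spaces (Exim does
    this so phrases can be searched across line breaks)."""
    _, _, body = message.partition("\n\n")
    return body[:message_body_visible].replace("\n", " ")


def filter_condition(message, signature=KLEZ_SIGNATURE,
                     message_body_visible=500, case_sensitive=True):
    """Emulates the filter test on $message_body. Exim's lower-case `contains`
    is case-independent; the upper-case `CONTAINS` is case-dependent, which is
    the right choice for a base64 signature, so that is the default here."""
    body = exim_message_body(message, message_body_visible)
    if case_sensitive:
        return signature in body
    return signature.lower() in body.lower()


def bytes_needed(message, signature=KLEZ_SIGNATURE):
    """Smallest message_body_visible that lets the rule fire (-1 if absent)."""
    _, _, body = message.partition("\n\n")
    pos = body.find(signature)
    return -1 if pos < 0 else pos + len(signature)


def base64_line_of_signature(message, signature=KLEZ_SIGNATURE):
    """1-based line number within the base64 section that carries the
    signature, or 0 if it is not on a single line of that section."""
    start = message.find("Content-Transfer-Encoding: base64\n")
    if start < 0:
        return 0
    start = message.find("\n\n", start) + 2
    for number, line in enumerate(message[start:].split("\n"), start=1):
        if line.startswith("--"):
            break
        if signature in line:
            return number
    return 0


if __name__ == "__main__":
    for text in (DEFAULT_TEXT, "x" * 600):
        msg = build_sample_message(body_text=text)
        print(f"text part {len(text):4d} bytes: signature on base64 line "
              f"{base64_line_of_signature(msg)}, needs message_body_visible >= "
              f"{bytes_needed(msg)}, caught with default 500: "
              f"{filter_condition(msg, message_body_visible=500)}")
```

Running it shows the signature on the second base64 line in both cases, exactly as the message above describes; whether the default 500 bytes reaches it depends only on how much text precedes the attachment, which is why one host with the default catches everything while another with chattier samples does not. The case-sensitivity switch is there because base64 text is case-sensitive and the lower-case `contains` operator is not.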