On Fri, May 31, 2002 at 05:41:56PM -0400, Greg Ward wrote:
| Forged envelope senders from viruses are bad enough, but now I'm seeing
| mail (apparently) from "friendly" virus detectors with forged senders
| (and "From" headers too).
Friendly ...
| Eg. it appears that at 30 May 2002 22:47 +0200, software on
| webmail.fmcf.fr detected a virus that it thought had something to do
| with either or both of python-dev@??? and postmaster@???.
| So, naturally, it sent a "friendly notification" to those two addresses,
| with forged envelope sender and "From" header of postmaster@???:
The only identifying feature of this mail is the (rather worthless)
body:
| *** A virus was detected by the security administrator; this message was
| discarded ***
Was this really split on 2 lines in the original? If so, that makes it
a bit more complicated ... hmm, not much, since exim compresses
newlines into whitespace; a regex could easily handle that (but it
would get ugly fast if you allow for variations in the line breaks).
| So now I'm thinking there has to be a way to disallow this with Exim 4
| ACLs.
Right on.
In the "data" ACL:

  # Exim's ${if ...} has no "contains" condition; "match" takes a regex.
  # \N...\N keeps the regex out of string expansion, and the asterisks
  # have to be escaped because "*" is a regex metacharacter.
  deny message   = "I hate stupid virus alerts. I don't have a virus, don't alert me!"
       condition = ${if match {$message_body}{\N\*\*\* A virus was detected by the security administrator; this message was discarded \*\*\*\N}{1}{0}}
| Two questions for the crowd:
|
| * can anyone think of any reason why this might be a bad idea?
Mismatches (in my test, not yours).
-D
--
There are six things the Lord hates,
seven that are detestable to him:
haughty eyes,
a lying tongue,
hands that shed innocent blood,
a heart that devises wicked schemes,
feet that are quick to rush into evil,
a false witness who pours out lies
and a man who stirs up dissension among brothers.
Proverbs 6:16-19
GnuPG key:
http://dman.ddts.net/~dman/public_key.gpg
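The data-ACL check discussed in the message above, worked through offline as an added example (this is not code from the thread or from Exim). It imitates the two properties of Exim's $message_body that matter here: only the first message_body_visible bytes of the body are inspected (500 by default, Exim's documented value) and newlines are turned into spaces. The regex is built from the quoted notice by joining its words with \s+, so the two-line split Greg saw and any other folding still match, and the same pattern is emitted in the \N...\N form the "match" condition wants. The constant, function and sample names are my own, and the sample bodies are constructed.

```python
import re

# Exim inspects only the first message_body_visible bytes of the body
# (500 by default) when it builds $message_body.  Name is an assumption.
MESSAGE_BODY_VISIBLE = 500

# The notice text quoted in the thread.  Joining its words with \s+ means
# any run of spaces, tabs or folded newlines between words still matches.
NOTICE = ("*** A virus was detected by the security administrator; "
          "this message was discarded ***")
NOTICE_RE = re.compile(r"\s+".join(re.escape(word) for word in NOTICE.split()))


def exim_message_body(raw_body: str, visible: int = MESSAGE_BODY_VISIBLE) -> str:
    """Approximate $message_body: truncate, then turn newlines into spaces."""
    return raw_body[:visible].replace("\n", " ")


def is_bogus_virus_notice(raw_body: str) -> bool:
    """True if the body, as Exim would see it, carries the notice."""
    return NOTICE_RE.search(exim_message_body(raw_body)) is not None


def exim_acl_condition() -> str:
    """The same regex as an Exim ACL 'condition' line.

    \\N...\\N makes Exim take the regex literally during string expansion.
    Leave the setting value unquoted in the configuration file, otherwise
    the config reader processes the backslashes before expansion does.
    """
    return ("condition = ${if match {$message_body}{\\N"
            + NOTICE_RE.pattern + "\\N}{yes}{no}}")


# Constructed sample bodies, not real mail.
SAMPLES = {
    "one_line": NOTICE + "\n",
    # The split Greg quoted: the notice folded over two lines.
    "folded": ("*** A virus was detected by the security administrator; "
               "this message was\ndiscarded ***\n"),
    "legit": "Hi Greg,\n\nthe patch for the ACL is attached.\n",
    # The notice sits past message_body_visible, so Exim never sees it
    # and the ACL cannot deny this one: the check is only as good as the
    # window $message_body covers.
    "buried": "x" * 600 + "\n" + NOTICE + "\n",
}


def classify_samples() -> dict:
    """Map each sample name to whether the ACL would deny it."""
    return {name: is_bogus_virus_notice(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    print(exim_acl_condition())
    for name, hit in classify_samples().items():
        print(f"{name:9s} -> {'deny' if hit else 'accept'}")
```

The "buried" sample is the caveat worth remembering: a notice that appears after a long preamble is outside the window $message_body covers, so raising message_body_visible in the main configuration is the only way to make such a check see it.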