RE: [Exim] Yet Another Filter to block SoBig.F

Author: Kevin Reed
Date:  
To: 'Randy Bush', exim-users
Subject: RE: [Exim] Yet Another Filter to block SoBig.F
Randy Bush
>
> >> if $header_X-MailScanner matches "Found to be clean"
> >> then
> >>     if $header_Content-type matches "(multipart/mixed)" and
> >>        $header_X-Mailer matches "Microsoft Outlook Express 6.00.2600.0000" and
> >>        $message_body matches "name(:|=)\"(your_document.pif|document_all.pif|thank_you.pif|your_details.pif|details.pif|document_9446.pif|application.pif|wicked_scr.scr|movie0045.pif)\""
> >>     then
> >>         seen finish
> >>     endif
> >> endif

> >
> > Wouldn't it just be easier to do...
> >
> >   discard log_message = "DISCARD: Message contained ($found_extension)."
> >           demime = scr:pif

>
> no. mail relays receive legitimate scr and pif attachments.
> you need to filter for the specific ones avleen mentioned.


The problem with the script is that when the virus changes the filenames, or
the next virus comes along that uses those types of attachments with
different headers etc., you have to rework it; in the meantime you have
let in what most consider invalid attachments to your users until you catch
the fact that you are not blocking them.

We have been blocking pif and scr as invalid for mail delivery for a long,
long time, in which case the Sobig virus was never let in, along with a number
of other viruses... That being the case... If your destination host does
not allow them as attachments, then why would the relay accept them? Just
denying those two attachments via email will save you from a lot of grief.

The only change we have made to this policy recently is to now silently drop
them without generating a bounce. This stops the chain reaction that Sobig
has been propagating.

BTW... it's amazing to me how many Randy Bushes I've run into over the past 20
years... Must be a popular name.
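The policy described above (refuse .pif and .scr attachments at the relay, and drop the message silently rather than bouncing it) written as an Exim ACL. This is an added example, not code from the thread or from the Exim project; it matches on the MIME part's own filename instead of the X-Mailer and body strings in the quoted filter, and it replaces the `demime` condition from the quoted reply, which current Exim releases no longer ship. The ACL names `acl_check_mime` and `acl_check_data` and the variable `acl_m_blocked_attachment` are assumptions chosen for this example.

```exim
# Main section (assumed names for this example):
#   acl_smtp_mime = acl_check_mime
#   acl_smtp_data = acl_check_data

begin acl

acl_check_mime:
  # Runs once per MIME part. $mime_filename is taken from the part's
  # Content-Disposition / Content-Type name parameter, so a renamed virus
  # or a new mailer string does not matter: only the extension is checked.
  warn
    condition = ${if match{$mime_filename}{\N(?i)\.(pif|scr)$\N}}
    set acl_m_blocked_attachment = $mime_filename
  accept

acl_check_data:
  # Runs after the whole message is received. "discard" accepts the
  # message at SMTP level and then throws it away: the sender sees a
  # normal 250, so neither this host nor the sending MTA generates a
  # bounce, which is what breaks the bounce storm. A log line is still
  # written so the operator can see what was dropped.
  discard
    condition   = ${if def:acl_m_blocked_attachment}
    log_message = DISCARD: blocked attachment "$acl_m_blocked_attachment"
  accept
```

Using `deny` in place of `discard` would reject the message at SMTP time and leave the sending side to bounce it, which is the reverse of what the policy above wants; `discard` is the right verb when the goal is to stop the mail without telling a (usually forged) sender anything.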