RE: [Exim] Bombarded by pif attachments

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Kevin Reed
Datum:  
To: 'Rossz Vamos-Wentworth', exim-users
Betreff: RE: [Exim] Bombarded by pif attachments
Rossz Vamos-Wentworth
> > I've been doing a double dash TZ zone date check first
> > and discarding there.
>
> I must have missed something along the way. WTF is a "double
> dash TZ zone date check"?


A simple check for the Sobig virus (and others).

        # This checks for defective TZ date header - Common Virus Header
        # Lets log this to the logs
        warn    log_message = DISCARD: MALFORMED DATE HEADER (double Dash on
TZ)
                condition = ${if
match{$header_date:}{\N\s--\d{4}$\N}{yes}{no}}


        # Now discard it so it doesn't bounce back as a virus sent by our
user.
        discard condition = ${if
match{$header_date:}{\N\s--\d{4}$\N}{yes}{no}}


Classic example (This had a application . pif attachment)

> From: <user@???>
> To: <user@???>
> Subject: Re: Your application
> Date: Wed, 3 Sep 2003 21:15:45 --0500
> X-MailScanner: Found to be clean
> Importance: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> X-MSMail-Priority: Normal
> X-Priority: 3 (Normal)
> MIME-Version: 1.0


Three common threads...

1) TZ has double dash in it.
2) X-MailScanner: Found to be clean
3) X-Mailer: Microsoft Outlook Express 6.00.2600.0000

However... The double dash TZ is easy to spot.