Re: [Exim] Blocking sobig.f

Pàgina inicial
Delete this message
Reply to this message
Autor: Exim Users Mailing List
Data:  
A: Jerry Bell
CC: Exim Users Mailing List
Assumpte: Re: [Exim] Blocking sobig.f
[ On Wednesday, September 3, 2003 at 22:56:40 (-0400), Jerry Bell wrote: ]
> Subject: Re: [Exim] Blocking sobig.f
>
> And exim-4.22/exiscan-acl seems to handle the extensions case
> insensitively, which is fantastic. So all you'd need would be
>
>     demime = ade:adp:bas:bat:chm:cmd:com:cpl:crt:exe:hlp:hta:\
>              inf:ins:isp:js:jse:lnk:mdb:mde:msc:msi:msp:mst:pcd:pif:\
>              reg:scr:sct:shs:shb:url:vb:vbe:vbs:wsc:wsf:wsh


That list is rather incomplete according to what I've been told.

First off let me note that I still don't condone content scanning in an
MTA (especially not during the SMTP transaction), and whatever you do
never EVER send a new bounce message in response to anything you don't
like!

Here's an RE I've used rather successfully when searching for such junk
in message content. It's derrived from various posts I've seen over the
past few months to this list and the postfix-users list:

^[     ]*content-(disposition|type).*name[     ]*=[     ]*"?(.*\.(386\
|acm|ade|adp|app|asp|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt\
|csh|dll|dlo|doc|dot|drv|exe|flt|fot|hlp|hta|ini|inf|ins|isp|js|jse|lnk|mdb\
|mde|mod|msc|msi|msp|mst|nws|obj|ocx|olb|osd|ovl|pcd|pdr|pgm|pif|pkg|pot|ppt\
|pps|prg|reg|rpl|rtf|scr|script|sct|sh|sha|shtml|shs|swf|sys|tlb|tsp|ttf|vb\
|vlm|vxd|vxo|wiz|wll|wwk|pdr|url|vb|vbe|vbs|wsc|wsf|wsh|xla|xlb|xlc|xld|xlk\
|xll|xlm|xls|xlt|xlv|xlw|xnk))"?[     ]*$



Apparently though filename extensions are often irrelevant in the
situations where many M$ vulnerabilities lie and any executable content
may be executed if it has an M$-Windows ELF header. An RE that matched
most any BASE64-encoded ELF header was posted to the Postfix-users list
some time back:

    ^TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA


It's matched everything questionable I've bothered to throw at it when I
was testing it, but I can't vouch for it's absolute correctness -- I'm
just passing it on.

I'm not yet sure what triggers execution of M$-VB macros (where the
latest reported vulnerabilities reside) though if I'm not mistaken it
may be a heck of a lot harder to predict what they might look like in a
raw e-mail message since they may be obfuscated by more than just BASE64
encoding -- they apparently trigger any time the file is opened, so even
ZIP'ed files are suspicious. It's obviously much safer and easier to
just stop using all M$ software.

--
                        Greg A. Woods


+1 416 218-0098                  VE3TCP            RoboHack <woods@???>
Planix, Inc. <woods@???>          Secrets of the Weird <woods@???>