Re: [Exim] Blocking sobig.f

Author: Exim Users Mailing List
Date:  
To: Jerry Bell
CC: Exim Users Mailing List
Subject: Re: [Exim] Blocking sobig.f
[ On Wednesday, September 3, 2003 at 22:56:40 (-0400), Jerry Bell wrote: ]
> Subject: Re: [Exim] Blocking sobig.f
>
> And exim-4.22/exiscan-acl seems to handle the extensions case
> insensitively, which is fantastic. So all you'd need would be
>
>     demime = ade:adp:bas:bat:chm:cmd:com:cpl:crt:exe:hlp:hta:\
>              inf:ins:isp:js:jse:lnk:mdb:mde:msc:msi:msp:mst:pcd:pif:\
>              reg:scr:sct:shs:shb:url:vb:vbe:vbs:wsc:wsf:wsh
That list is rather incomplete according to what I've been told.

First off let me note that I still don't condone content scanning in an
MTA (especially not during the SMTP transaction), and whatever you do
never EVER send a new bounce message in response to anything you don't
like!

Here's an RE I've used rather successfully when searching for such junk
in message content. It's derived from various posts I've seen over the
past few months to this list and the postfix-users list:

^[     ]*content-(disposition|type).*name[     ]*=[     ]*"?(.*\.(386\
|acm|ade|adp|app|asp|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt\
|csh|dll|dlo|doc|dot|drv|exe|flt|fot|hlp|hta|ini|inf|ins|isp|js|jse|lnk|mdb\
|mde|mod|msc|msi|msp|mst|nws|obj|ocx|olb|osd|ovl|pcd|pdr|pgm|pif|pkg|pot|ppt\
|pps|prg|reg|rpl|rtf|scr|script|sct|sh|sha|shtml|shs|swf|sys|tlb|tsp|ttf|vb\
|vlm|vxd|vxo|wiz|wll|wwk|pdr|url|vb|vbe|vbs|wsc|wsf|wsh|xla|xlb|xlc|xld|xlk\
|xll|xlm|xls|xlt|xlv|xlw|xnk))"?[     ]*$
Apparently, though, filename extensions are often irrelevant in the
situations where many M$ vulnerabilities lie, and any executable content
may be executed if it has an M$-Windows ELF header. An RE that matched
most any BASE64-encoded ELF header was posted to the Postfix-users list
some time back:

    ^TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA


It's matched everything questionable I've bothered to throw at it when I
was testing it, but I can't vouch for its absolute correctness -- I'm
just passing it on.

I'm not yet sure what triggers execution of M$-VB macros (where the
latest reported vulnerabilities reside) though if I'm not mistaken it
may be a heck of a lot harder to predict what they might look like in a
raw e-mail message since they may be obfuscated by more than just BASE64
encoding -- they apparently trigger any time the file is opened, so even
ZIP'ed files are suspicious. It's obviously much safer and easier to
just stop using all M$ software.

--
                        Greg A. Woods


+1 416 218-0098                  VE3TCP            RoboHack <woods@???>
Planix, Inc. <woods@???>          Secrets of the Weird <woods@???>
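The following is an added example by the editor, not code from the message above or from the Exim or exiscan projects. It applies the two checks the thread discusses, a blocked-extension list matched case-insensitively and a test for the "MZ" header that Windows executables start with, to a constructed sample message built inline. The function names, the sample addresses and the attachment contents are all the editor's assumptions. Rather than matching the base64 text with the `^TV[nopqr]...` RE, it decodes each MIME part and inspects the bytes, which works regardless of how the part was encoded or where the base64 line breaks fall; the RE is kept alongside only to show how often it would fire on the same input.

```python
"""Added example: scan a raw mail message for Windows-executable attachments
using the checks discussed in the Exim list thread (blocked extensions and the
"MZ" executable header). Editor's illustration, not exiscan or Exim code."""
import re
import email
from email import policy
from email.message import EmailMessage

# Extension list as posted for exiscan's demime condition, lowercased.
BLOCKED_EXTENSIONS = frozenset(
    "ade adp bas bat chm cmd com cpl crt exe hlp hta inf ins isp js jse lnk "
    "mdb mde msc msi msp mst pcd pif reg scr sct shs shb url vb vbe vbs wsc "
    "wsf wsh".split()
)

# Same trick as the base64 RE in the message: "MZ" at the start of a base64
# line encodes as "TV", and the next character depends on the third byte.
BASE64_MZ_RE = re.compile(r"^TV[nopqr][A-Z]", re.MULTILINE)


def blocked_extension(filename):
    """Return the blocked extension (lowercased) or None.

    The comparison is case-insensitive, so details.PIF and details.pif are
    treated alike; only the final dot-separated component is considered."""
    if not filename or "." not in filename:
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    return ext if ext in BLOCKED_EXTENSIONS else None


def looks_like_pe(data):
    """True if data starts with the DOS "MZ" stub that Windows executables
    carry. When enough bytes are present, also confirm the "PE\\0\\0"
    signature at the offset stored in e_lfanew (bytes 0x3C..0x3F)."""
    if data[:2] != b"MZ":
        return False
    if len(data) >= 0x40:
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        if e_lfanew + 4 <= len(data):
            return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    return True  # too short to check further; a bare "MZ" is still suspicious


def scan_message(raw):
    """Walk every leaf MIME part and return a list of (filename, reason).

    get_payload(decode=True) undoes base64 or quoted-printable first, so the
    header check does not depend on how the attachment was encoded."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename= or Content-Type name=
        name = part.get_filename() or ""
        ext = blocked_extension(name)
        if ext:
            findings.append((name, "extension:" + ext))
        if looks_like_pe(part.get_payload(decode=True) or b""):
            findings.append((name, "mz-header"))
    return findings


def base64_mz_hits(raw):
    """How many base64 lines in the raw message the TV... RE would flag."""
    return len(BASE64_MZ_RE.findall(raw.decode("ascii", "replace")))


def build_sample():
    """Constructed sample: a minimal PE-shaped stub attached under an
    upper-cased extension, plus a harmless text attachment."""
    stub = bytearray(b"MZ" + b"\0" * 0x3E)            # 64-byte DOS header
    stub[0x3C:0x40] = (0x40).to_bytes(4, "little")    # e_lfanew -> 0x40
    stub += b"PE\0\0" + b"\0" * 16                    # PE signature
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Re: Details"
    msg.set_content("See attached.")
    msg.add_attachment(bytes(stub), maintype="application",
                       subtype="octet-stream", filename="details.PIF")
    msg.add_attachment("Nothing to see here.", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample()
    for name, reason in scan_message(raw):
        print(f"{name}: {reason}")
    print("base64 RE hits:", base64_mz_hits(raw))
```

Run as a script it reports `details.PIF` twice, once for the extension and once for the MZ header, and nothing for `notes.txt`. Like the checks in the thread it does not look inside ZIP or other archives, which is exactly the gap the message above points out.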