RE: [Exim] Bombarded by pif attachments

Author: Segree, Gareth
Date:
To: 'Kevin Reed'
CC: 'exim-users@exim.org'
Subject: RE: [Exim] Bombarded by pif attachments
I have the following in my exim.conf

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
accept hosts = :
Etc...

Do I put it after the accept host = :?



-----Original Message-----
From: Kevin Reed [mailto:krelvinaz@cox.net]
Sent: Wednesday, September 03, 2003 10:58 PM
To: 'Rossz Vamos-Wentworth'; exim-users@???
Subject: RE: [Exim] Bombarded by pif attachments


Rossz Vamos-Wentworth
> > I've been doing a double dash TZ zone date check first
> > and discarding there.
>
> I must have missed something along the way. WTF is a "double dash TZ
> zone date check"?


A simple check for the Sobig virus (and others).

        # This checks for a defective TZ date header - Common Virus Header
        # Let's log this to the logs
        warn    log_message = DISCARD: MALFORMED DATE HEADER (double Dash on TZ)
                condition = ${if match{$header_date:}{\N\s--\d{4}$\N}{yes}{no}}


        # Now discard it so it doesn't bounce back as a virus sent by our user.
        discard condition = ${if match{$header_date:}{\N\s--\d{4}$\N}{yes}{no}}


Classic example (This had an application . pif attachment)

> From: <user@???>
> To: <user@???>
> Subject: Re: Your application
> Date: Wed, 3 Sep 2003 21:15:45 --0500
> X-MailScanner: Found to be clean
> Importance: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> X-MSMail-Priority: Normal
> X-Priority: 3 (Normal)
> MIME-Version: 1.0


Three common threads...

1) TZ has double dash in it.
2) X-MailScanner: Found to be clean
3) X-Mailer: Microsoft Outlook Express 6.00.2600.0000

However... The double dash TZ is easy to spot.



--

## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
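Added example (not posted by either participant in this thread): the double-dash TZ check above, placed where Exim can actually evaluate it. Header variables such as $header_date: expand to an empty string in the RCPT ACL because the message headers have not been received yet, so putting the test after "accept hosts = :" in acl_check_rcpt would never match. The check has to live in a DATA-time ACL; the name acl_check_data below is an assumed name, and the existing acl_check_rcpt contents are left as they were.

```exim
# Added example, not from the thread. acl_check_data is an assumed ACL name;
# acl_check_rcpt is the ACL already referenced in the poster's exim.conf.
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

begin acl

acl_check_rcpt:
  # Local (non-SMTP) submissions have no sending host and are accepted here.
  accept  hosts = :
  # Existing recipient checks stay here unchanged. Note that $header_date:
  # is empty at RCPT time, so a Date header test in this ACL never fires.

acl_check_data:
  # The message body and headers have now been received, so the Date
  # header is available. Log the hit first; warn never changes the verdict.
  warn    condition   = ${if match{$header_date:}{\N\s--\d{4}$\N}{yes}{no}}
          log_message = DISCARD: MALFORMED DATE HEADER (double dash on TZ)

  # Then drop it silently: discard returns 250 to the sender but delivers
  # nothing, so no bounce carries the attachment back to a forged address.
  discard condition   = ${if match{$header_date:}{\N\s--\d{4}$\N}{yes}{no}}

  # Everything else proceeds to delivery.
  accept
```

The regex is the one from the thread: \N...\N stops string expansion from touching the backslashes and the $, and \s--\d{4}$ matches a timezone written as "--0500" at the end of the header. Any ACL that ends without an accept falls through to deny, which is why acl_check_data finishes with a bare accept.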