Re: [Exim] System_filter not working right

Author: Phil Brutsche
Date:  
To: George Szekely
CC: frankd, exim-users
Subject: Re: [Exim] System_filter not working right
George Szekely wrote:

>> Hi.
>>
>> We're using system_filter with Exim 4.2 and for some reason it's
>> not catching all of the goofy support@??? emails and
>> patch.exe attachments coming through.
>>
>> Is there something with this new worm that is confusing the
>> system_filter?
>
>
> Frank:
>
> I have the same problem with my install. I picked up three *.exe files
> (Exim 4.22) and usually all executable files get rejected, these
> were let through. You can see my filter here:
> http://www.captainnet.net/misc/system_filter.txt


Nigel's old system_filter script is no longer supported or updated and
should not be used.

The reason why it should not be used is that it generates a bounce
message to the *forged* *sender* in the infected message and includes
the virus in the bounce. In other words, system_filter is almost as
efficient at spreading the virus as the virus itself. Not to mention the
fact that you're spamming innocent third parties with bounces to
messages they never sent.

As a data point: back when SoBig.F first broke out, Exim+Exiscan did a
WONDERFUL job of stopping the virus itself. But what was a bigger pain
than dealing with the virus was the HUNDREDS of bounces that were
delivered into users' INBOXes, many of them containing a copy of the
virus. The system_filter script was one of the biggest sources of these
bounces.

If you're interested in stopping Windows executables from being
transmitted through your mail servers, I *strongly* recommend that you
patch your Exim installs with Exiscan
(http://duncanthrax.net/exiscan-acl) and use the content filtering
capabilities Exim gains to reject the executables while the sending host
still has the SMTP session open.

--

Phil Brutsche
phil@???
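
The difference between bouncing after acceptance and rejecting while the SMTP session is still open can be modelled in a few lines. This is an added illustration, not part of the original message and not Exim or Exiscan code; the extension list, function names and addresses are assumptions constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklist for illustration; the message does not give one.
BLOCKED_EXT = {"exe", "com", "pif", "scr", "bat", "vbs"}

def blocked_attachment(raw: bytes):
    """Return the first attachment filename with a blocked extension, else None."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        # get_filename() reads Content-Disposition filename= and Content-Type name=
        name = (part.get_filename() or "").strip().rstrip(".")
        if "." not in name:
            continue
        # Only the last extension counts, so "report.pdf.exe" is caught.
        if name.rsplit(".", 1)[1].lower() in BLOCKED_EXT:
            return name
    return None

def data_time_reply(raw: bytes) -> str:
    """SMTP reply to end-of-DATA, sent while the sending host is still connected."""
    name = blocked_attachment(raw)
    return f"550 Executable attachment refused ({name})" if name else "250 OK"

def locally_generated_bounces(raw: bytes, envelope_from: str, reject_in_session: bool):
    """Addresses this server itself would mail a bounce to."""
    if blocked_attachment(raw) is None:
        return []
    # Accept-then-bounce mails the (forged) envelope sender; a 5xx in-session
    # leaves any notification to the connecting host, so nothing is sent from here.
    return [] if reject_in_session else [envelope_from]

def build_sample(filename: str) -> bytes:
    """Constructed sample message with a forged sender and one attachment."""
    m = EmailMessage()
    m["From"] = "support@forged.example"
    m["To"] = "user@example.org"
    m["Subject"] = "constructed sample"
    m.set_content("see attachment")
    m.add_attachment(b"MZ", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    raw = build_sample("patch.exe")
    print(data_time_reply(raw))
    print(locally_generated_bounces(raw, "support@forged.example", False))
```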