Re: [Exim] W32.Swen@MM (fwd)

Author: Alan J. Flavell
Date:  
To: Exim users list
Subject: Re: [Exim] W32.Swen@MM (fwd)
On Tue, 23 Sep 2003, I was asked in personal mail (but the answer may
be of more general interest):

> On Sunday, September 21, 2003, at 07:08 PM, Alan J. Flavell wrote:
>
> >
> > Beautiful! My own filter prevented this from getting to the list;
> > so here goes with minor censorship:
>
> ha ha -- that happened to me w/the sobig virus. couldn't figure out
> for the life of me why my messages w/the text signature were
> disappearing
>
> anyway -- is there any way i could get that pattern from you? i'd love
> to block it as well.


Hi,

I think there might have been a bit of misunderstanding here, sorry.
What got blocked was my illustration of uuencoding, i.e. the word
"begin" at the start of a line, a couple of spaces (the vulnerable
client version(s) don't even look for the customary three octal
digits), and a filename with an extension that is on the hitlist (in
this case it was exe).

I'm sorry to say that this got blocked by an ancient recipe which we
still have lurking in our system_filter from way back, although
nowadays the bulk of such work is done by ACLs and associated add-ons
(spamassassin etc.). I really couldn't advise adding this kind of
recipe to system filters nowadays, indeed I've recently changed the
few remaining "fail" clauses in the system filter to "freeze" in order
to make sure we don't go bouncing copies of mischief mail to innocent
third parties whose names have been counterfeited.

hope that helps.
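
An added example, not part of the original message and not the recipe from the poster's system_filter: a Python sketch of the begin-line match described above, plus a check of the following line against the standard uuencode data-line shape, which goes beyond the message and shows why a bare pattern also catches a plain-text illustration. The extension list (apart from exe), the sample bodies and all function names are assumptions made for the example.

```python
import re
from binascii import b2a_uu

# Assumed hitlist: the message names only "exe"; the others are illustrative.
HITLIST = ("exe", "scr", "pif", "bat", "com")

# "begin" at the start of a line, whitespace, an optional octal mode (the
# message notes that vulnerable clients do not require it), then a filename
# ending in a hitlisted extension.
UU_BEGIN = re.compile(
    r"^begin[ \t]+(?:[0-7]{3,4}[ \t]+)?(\S+\.(?:" + "|".join(HITLIST) + r"))[ \t]*\r?$",
    re.IGNORECASE | re.MULTILINE,
)

def uu_line_ok(line):
    """Strict uuencode data-line check: a length character, then exactly
    4 characters for every 3 encoded bytes, all in the range 0x20..0x60."""
    if not line or not all(0x20 <= ord(c) <= 0x60 for c in line):
        return False
    n = (ord(line[0]) - 32) & 63
    return n > 0 and len(line) - 1 == 4 * ((n + 2) // 3)

def scan(body):
    """Return (filename, has_payload) for every matching begin line.
    has_payload is True only when the next non-blank line is uuencoded data."""
    hits = []
    for m in UU_BEGIN.finditer(body):
        rest = body[m.end():].lstrip("\r\n").splitlines()
        hits.append((m.group(1), bool(rest) and uu_line_ok(rest[0])))
    return hits

# Constructed sample: prose that merely shows a begin line, as in the thread.
ILLUSTRATION = (
    "What got blocked was an example line:\n"
    "begin  sample.exe\n"
    "followed by ordinary prose.\n"
)

# Constructed sample: a begin line followed by real uuencoded (harmless) bytes.
ATTACHMENT = (
    "begin 644 sample.exe\n"
    + b2a_uu(b"constructed sample bytes").decode("ascii")
    + "`\nend\n"
)

if __name__ == "__main__":
    print(scan(ILLUSTRATION))  # begin line matches, no payload follows
    print(scan(ATTACHMENT))    # begin line matches, payload follows
```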