Re: [Exim] Blocking phony MS Security update emails

Author: Richard Welty
To: exim-users
Subject: Re: [Exim] Blocking phony MS Security update emails
On Fri, 9 Jan 2004 06:59:01 -0800 Jeff Lasman <blists@???> wrote:

> We're being hit by MS security update emails. They're not spam, but
> rather more accurately described as virii or worms.

> Does anyone have a good rule that will block these? I know we'll have to
> do it at "data" time, but I guess that's better than not blocking them
> at all.

best done with exiscan. apply the exiscan patch, and use a rule like this:

check_message:
# Unpack MIME containers and reject file extensions
# used by worms. Note that the extension list may be
# incomplete.
  deny    message = $found_extension files are not accepted here
          demime =  ade:adp:bas:bat:chm:cmd:com:cpl:crt:exe:hlp:hta \
                    inf:ins:isp:js:jse:lnk:mdb:mde:msc:msi:msp:mst:pcd:pif \
                    reg:scr:sct:shs:shb:url:vb:vbe:vbs:wsc:wsf:wsh


there are various other things you can do here effectively like call
an AV scanner such as clamav, or run spamassassin. the extension
based rule is nice, though, because it rejects lots of debris you don't
want early with minimal cpu load. clamav (or whatever) is then
mostly catching viruses embedded inside zips (of which there are
a couple) and things like the iframe exploit that don't use an
attachment.

don't forget the need for an explicit accept rule at the end or you'll
reject everything for no obvious reason.

richard
--
Richard Welty                                         rwelty@???
Averill Park Networking                                         518-573-7592
    Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
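For readers who want to see what the exiscan `demime` rule above actually decides, here is an added Python sketch (not Exim or exiscan code, and not from either poster) that walks the MIME parts of a message, takes each attachment's filename, and applies the same extension list. It also mirrors the "explicit accept at the end" point: anything that does not match falls through to accept. The sample messages are constructed inline; the sender and recipient addresses are placeholders.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extension list copied from the exiscan rule in the post above,
# compared case-insensitively (a worm named Q216309.EXE must still match).
BLOCKED_EXTENSIONS = frozenset(
    "ade:adp:bas:bat:chm:cmd:com:cpl:crt:exe:hlp:hta:"
    "inf:ins:isp:js:jse:lnk:mdb:mde:msc:msi:msp:mst:pcd:pif:"
    "reg:scr:sct:shs:shb:url:vb:vbe:vbs:wsc:wsf:wsh".split(":")
)


def attachment_names(raw: bytes):
    """Walk every leaf MIME part (nested multiparts included) and yield
    the declared filename of each attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            yield name


def blocked_extension(filename: str):
    """Return the offending extension (lower-case, without the dot),
    or None when the extension is not on the list."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ext if ext in BLOCKED_EXTENSIONS else None


def check_message(raw: bytes):
    """Mirror the ACL: deny on the first attachment whose extension is
    listed (using the same message text as the rule), otherwise accept.
    The trailing accept is the equivalent of the explicit accept verb
    the post warns you not to forget."""
    for name in attachment_names(raw):
        ext = blocked_extension(name)
        if ext:
            return ("deny", f"{ext} files are not accepted here")
    return ("accept", "")


def build_sample(attachment_name: str, payload: bytes) -> bytes:
    """Construct a test message carrying one attachment (constructed
    sample; addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "security-update@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Latest Microsoft Security Update"
    msg.set_content("Please install the attached patch.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    # A fake patch with an .EXE name is rejected; a .zip passes the
    # extension rule, which is why the post still runs an AV scanner.
    print(check_message(build_sample("Q216309.EXE", b"MZ\x90\x00")))
    print(check_message(build_sample("update.zip", b"PK\x03\x04")))
```

Note what the second call shows: the extension rule says nothing about what is inside a .zip, so exactly as the post says, archives are the part you leave to clamav (or whatever scanner sits behind the cheap extension check).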