On Fri, 9 Jan 2004 06:59:01 -0800 Jeff Lasman <blists@???> wrote:
> We're being hit by MS security update emails. They're not spam, but
> rather more accurately described as virii or worms.
> Does anyone have a good rule that will block these? I know we'll have to
> do it at "data" time, but I guess that's better than not blocking them
> at all.
Best done with exiscan. Apply the exiscan patch, and use a rule like this:

  # Referenced from the main configuration with: acl_smtp_data = check_message
  check_message:
    # Unpack MIME containers and reject file extensions
    # used by worms. Note that the extension list may be
    # incomplete. The list is colon-separated; a trailing
    # backslash continues the line, so each continued line
    # must end with a colon before the backslash.
    deny message = $found_extension files are not accepted here
         demime  = ade:adp:bas:bat:chm:cmd:com:cpl:crt:exe:hlp:hta:\
                   inf:ins:isp:js:jse:lnk:mdb:mde:msc:msi:msp:mst:pcd:pif:\
                   reg:scr:sct:shs:shb:url:vb:vbe:vbs:wsc:wsf:wsh
There are various other things you can do here effectively, like calling
an AV scanner such as clamav, or running spamassassin. The extension-based
rule is nice, though, because it rejects lots of debris you don't want
early with minimal CPU load. clamav (or whatever) is then mostly catching
viruses embedded inside zips (of which there are a couple) and things like
the iframe exploit that don't use an attachment.

Don't forget the need for an explicit accept rule at the end or you'll
reject everything for no obvious reason.
Richard
--
Richard Welty rwelty@???
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
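As an added illustration (not part of the original post, and not exiscan's code), the following Python script re-implements what the demime condition above does: walk every MIME part of a message, pull the attachment file name from Content-Disposition (falling back to the Content-Type name= parameter), and reject the message when the last extension is on the blocklist. It also goes one step beyond the ACL rule to show the gap the post mentions: the plain extension check passes a .zip, so an optional one-level look inside the archive is included. The sample messages and zip archive are constructed inline; the function names are my own.

```python
"""Re-implementation of the exiscan 'demime' extension check in Python.

Unpacks a MIME message, collects attachment file names and reports the
first extension found on the blocklist. Not exiscan's code; the helper
names (found_blocked_extension, extension_of, ...) are this example's own.
"""
import email
import io
import posixpath
import zipfile
from email import policy
from email.message import EmailMessage

# Same list as the demime rule in the post (colon-separated there).
BLOCKED_EXTENSIONS = frozenset(
    "ade adp bas bat chm cmd com cpl crt exe hlp hta inf ins isp js jse "
    "lnk mdb mde msc msi msp mst pcd pif reg scr sct shs shb url vb vbe "
    "vbs wsc wsf wsh".split()
)


def extension_of(filename):
    """Last extension of a file name, lower-cased, ignoring any path prefix.

    Worms commonly use names like 'patch.txt.pif'; only the final
    extension decides what Windows executes, so that is what we compare.
    """
    base = posixpath.basename(filename.replace("\\", "/"))
    base = base.rstrip(". ")  # Windows drops trailing dots and spaces
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def blocked_extension_inside_zip(data):
    """Look one level inside a zip archive for members with blocked names.

    The demime rule does not do this; the post leaves zips to clamav.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                ext = extension_of(info.filename)
                if ext in BLOCKED_EXTENSIONS:
                    return ext
    except zipfile.BadZipFile:
        return None
    return None


def found_blocked_extension(raw_message, look_inside_zips=False):
    """Return the first blocked extension in the message, or None.

    Mirrors $found_extension in the ACL: the value that the deny message
    would report.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename=, then falls
        # back to Content-Type name=, which is where demime looks as well.
        name = part.get_filename()
        if not name:
            continue
        ext = extension_of(name)
        if ext in BLOCKED_EXTENSIONS:
            return ext
        if look_inside_zips and ext == "zip":
            inner = blocked_extension_inside_zip(part.get_payload(decode=True))
            if inner:
                return inner
    return None


def sample_message(filename, payload):
    """Constructed test message in the style of the fake MS update mails."""
    msg = EmailMessage()
    msg["From"] = "update@example.invalid"
    msg["To"] = "someone@example.invalid"
    msg["Subject"] = "Latest Internet Security Update"
    msg.set_content("Install the attached cumulative patch.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def make_zip(members):
    """Constructed in-memory zip archive: {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    print(found_blocked_extension(sample_message("Q216309.EXE", b"MZ\x90\x00")))
    print(found_blocked_extension(sample_message("report.pdf", b"%PDF-1.4")))
    archive = make_zip({"patch.exe": b"MZ\x90\x00"})
    print(found_blocked_extension(sample_message("update.zip", archive)))
    print(found_blocked_extension(sample_message("update.zip", archive),
                                  look_inside_zips=True))
```

The extension test is cheap because it never decodes or scans attachment contents beyond reading the headers, which is the point Richard makes about CPU load; the zip branch is the first place where a real scanner starts doing more work, and it is still only one level deep and does nothing about password-protected or nested archives.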