Re: [Exim] Blocking phony MS Security update emails

Author: Exim User's Mailing List
Date:  
To: Jeff Lasman
CC: Exim User's Mailing List
Subject: Re: [Exim] Blocking phony MS Security update emails
[ On Friday, January 9, 2004 at 06:59:01 (-0800), Jeff Lasman wrote: ]
> Subject: [Exim] Blocking phony MS Security update emails
>
> Does anyone have a good rule that will block these? I know we'll have to
> do it at "data" time, but I guess that's better than not blocking them
> at all.


The following ERE will match the first line of the BASE64 encoded body
of any M$-Windoze executable and in my experience it has matched not
only every single one of the worms you mention, but also any other
unwanted worms, viruses, and junk:

    "^TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA"


Note that matching on the filename extension of a MIME attachment is not
sufficient. It works a lot of the time but (a) these worms don't always
use MIME that way, and (b) more recent versions of M$-Windoze do not use
the filename extension to decide whether or not to execute a program.

Note this is all stuff I've learned from others -- I don't use M$
software and haven't for over a decade now. Unfortunately I still
receive the onslaught of worms and viruses targeted at M$ systems.

--
                        Greg A. Woods


+1 416 218-0098                  VE3TCP            RoboHack <woods@???>
Planix, Inc. <woods@???>          Secrets of the Weird <woods@???>
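As an added example, not part of the original message or of Exim: the Python below shows what the rule above actually keys on. It builds a constructed Win32 executable stub (a typical IMAGE_DOS_HEADER with the customary linker field values, followed by the standard DOS stub; the bytes are an assumption about a "typical" binary, not a real sample), base64-encodes it the way a MIME encoder does (76-character lines), and applies the ERE line by line to a minimal attachment part, exactly as a DATA-time filter would. A PNG and a plain-text note are run through the same check for contrast. The function and constant names (dos_header, find_encoded_exe, mime_part, SAMPLE_EXE and so on) are mine and exist only for this example.

```python
import base64
import re
import struct

# The ERE from the post, verbatim.  Python's re module interprets every
# construct used here ([...], ., *, ^) the same way a POSIX ERE engine does.
EXE_FIRST_LINE = re.compile(r"^TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA")


def dos_header(e_lfanew=0x80):
    """Build a typical 64-byte IMAGE_DOS_HEADER (constructed for this example).

    The field values are the ones the Microsoft linker has emitted for years
    (e_cblp=0x90, e_cp=3, e_cparhdr=4, e_maxalloc=0xFFFF, e_sp=0xB8,
    e_lfarlc=0x40); everything else is zero.  Those zero bytes are what the
    rule keys on: three zero bytes base64-encode to "AAAA".
    """
    return struct.pack(
        "<2s13H4H2H10HI",
        b"MZ",
        0x90, 3, 0, 4, 0, 0xFFFF, 0, 0xB8, 0, 0, 0, 0x40, 0,  # e_cblp .. e_ovno
        0, 0, 0, 0,                                           # e_res
        0, 0,                                                 # e_oemid, e_oeminfo
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0,                         # e_res2
        e_lfanew,                                             # offset of "PE\0\0"
    )


# Standard MS-DOS stub that follows the header in most Win32 binaries.
DOS_STUB = (
    b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    b"This program cannot be run in DOS mode.\r\r\n$"
)

# Constructed sample attachments (not real malware): the start of a Win32
# executable, the start of a PNG image, and a plain-text note.
SAMPLE_EXE = (dos_header() + DOS_STUB).ljust(0x80, b"\x00") + b"PE\x00\x00"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
SAMPLE_TXT = b"This is a plain-text note, not a program.\n"


def first_base64_line(blob):
    """Return the first line a MIME base64 encoder (76-char lines) emits."""
    return base64.encodebytes(blob).decode("ascii").split("\n", 1)[0]


def mz_base64_prefixes():
    """Every 3-character base64 prefix an "MZ" file can have, whatever its
    third byte.  The third base64 character carries the low nibble of 'Z'
    plus the top two bits of byte 3, so only four values are possible."""
    return {base64.b64encode(b"MZ" + bytes([b]))[:3].decode() for b in range(256)}


def mime_part(blob, filename):
    """A minimal base64 attachment part, as it would appear at DATA time."""
    headers = (
        'Content-Type: application/octet-stream; name="%s"\r\n'
        'Content-Transfer-Encoding: base64\r\n'
        'Content-Disposition: attachment; filename="%s"\r\n\r\n' % (filename, filename)
    )
    return headers + base64.encodebytes(blob).decode("ascii").replace("\n", "\r\n")


def find_encoded_exe(message_text):
    """Apply the rule line by line, as a filter would; return the offending
    line or None.  The attachment's filename is never consulted."""
    for line in message_text.splitlines():
        if EXE_FIRST_LINE.match(line):
            return line
    return None


if __name__ == "__main__":
    print(sorted(mz_base64_prefixes()))
    print(first_base64_line(SAMPLE_EXE))
    for blob, name in ((SAMPLE_EXE, "update.txt"),
                       (SAMPLE_PNG, "photo.png"),
                       (SAMPLE_TXT, "note.exe")):
        verdict = "BLOCK" if find_encoded_exe(mime_part(blob, name)) else "pass"
        print(name, "->", verdict)
```

Two things worth noticing when running it. First, the executable is caught even when it is named update.txt, and the text file named note.exe passes, which is the point about filename extensions being the wrong thing to look at. Second, mz_base64_prefixes() shows that "MZ" followed by any byte at all encodes to one of only four three-character prefixes (TVo, TVp, TVq, TVr), because the third base64 character is made of the low four bits of "Z" plus the top two bits of the third byte. The rule only ever sees the first base64 line of the part, so an executable that is uuencoded, quoted-printable encoded, or shipped inside a ZIP is outside what this one expression can match.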