[ On Friday, January 9, 2004 at 06:59:01 (-0800), Jeff Lasman wrote: ]
> Subject: [Exim] Blocking phony MS Security update emails
>
> Does anyone have a good rule that will block these? I know we'll have to
> do it at "data" time, but I guess that's better than not blocking them
> at all.
The following ERE will match the first line of the BASE64 encoded body
of any M$-Windoze executable and in my experience it has matched not
only every single one of the worms you mention, but also any other
unwanted worms, viruses, and junk:
"^TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA"
Note that matching on the filename extension of a MIME attachment is not
sufficient. It works a lot of the time but (a) these worms don't always
use MIME that way, and (b) more recent versions of M$-Windoze do not use
the filename extension to decide whether or not to execute a program.
Note this is all stuff I've learned from others -- I don't use M$
software and haven't for over a decade now. Unfortunately I still
receive the onslaught of worms and viruses targeted at M$ systems.
--
Greg A. Woods
+1 416 218-0098 VE3TCP RoboHack <woods@???>
Planix, Inc. <woods@???> Secrets of the Weird <woods@???>
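To see what the ERE above keys on, here is an added worked example that is not part of the original message or of Exim: it base64-encodes a constructed DOS (MZ) header carrying the field values common Win32 linkers emit, shows that the first 76-character MIME line begins "TVqQ..." and satisfies the pattern, shows that a zip and a text file do not, and then runs the same check over the raw base64 text of each part of a constructed MIME message so the declared filename plays no role. The header bytes, filenames and addresses are all assumptions made for the demonstration.

```python
import base64
import re
from email import message_from_bytes
from email.message import EmailMessage

# The ERE quoted in the post, unchanged; Python's re accepts this syntax
# as-is. It is applied to the first base64 line of a MIME part, never to
# the decoded bytes.
PE_B64_RE = re.compile(r"^TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA")

# Constructed sample: a 64-byte DOS (MZ) header with the field values the
# common Win32 linkers emit (e_cblp=0x90, e_cp=3, e_cparhdr=4,
# e_maxalloc=0xffff, e_sp=0xb8, e_lfarlc=0x40), followed by a few bytes
# standing in for the PE header. It is not a real executable.
DOS_HEADER = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00"
    + b"\x00" * 28          # e_res, e_oemid, e_oeminfo, e_res2
    + b"\x40\x00\x00\x00"   # e_lfanew: PE signature at offset 0x40
)
SAMPLE_EXE = DOS_HEADER + b"PE\x00\x00" + b"\x00" * 60
SAMPLE_ZIP = b"PK\x03\x04" + b"\x00" * 100        # zip local file header magic
SAMPLE_TXT = b"Quarterly numbers are attached.\n" * 4


def first_base64_line(data: bytes) -> str:
    """MIME base64 bodies are wrapped at 76 characters (57 input bytes),
    so the first line is exactly what an MTA sees at DATA time."""
    return base64.encodebytes(data).decode("ascii").split("\n", 1)[0]


def matches_pe_pattern(b64_line: str) -> bool:
    return PE_B64_RE.match(b64_line) is not None


def build_message(filename: str, payload: bytes) -> bytes:
    """Constructed test message: a text body plus one base64 attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "see attachment"
    msg.set_content("Please review the attached file.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def suspicious_parts(raw_message: bytes) -> list:
    """Return the filenames of base64 parts whose first encoded line looks
    like a Windows executable, whatever the declared filename says."""
    flagged = []
    msg = message_from_bytes(raw_message)
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get("Content-Transfer-Encoding", "").lower() != "base64":
            continue
        # get_payload() without decode=True returns the raw base64 text.
        encoded = part.get_payload().lstrip("\r\n")
        first_line = encoded.split("\n", 1)[0].rstrip("\r")
        if matches_pe_pattern(first_line):
            flagged.append(part.get_filename() or "(unnamed)")
    return flagged


if __name__ == "__main__":
    for label, blob in (("exe", SAMPLE_EXE), ("zip", SAMPLE_ZIP), ("txt", SAMPLE_TXT)):
        line = first_base64_line(blob)
        print(f"{label}: {line[:24]}...  match={matches_pe_pattern(line)}")
    # A harmless-looking name does not hide the MZ header from the pattern,
    # and an .exe name on a zip does not trigger it.
    print(suspicious_parts(build_message("readme.txt", SAMPLE_EXE)))
    print(suspicious_parts(build_message("setup.exe", SAMPLE_ZIP)))
```

The runs of "A" in the pattern are the zero-filled DOS header fields, and "TV" plus one of "nopqr" is how "MZ" and the first byte of e_cblp encode, which is why the match is anchored to the start of the base64 line and depends on the attachment beginning a MIME part. Note what it cannot see: an executable packed inside a zip (whose base64 starts "UEsDB") or sent in a uuencoded body never presents an "MZ" header on a base64 line, so a check like this complements a content scanner rather than replacing one.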