RE: [Exim] Blocking phony MS Security update emails

Author: Rick Cooper
Date:  
To: Jeff Green, exim-users
Subject: RE: [Exim] Blocking phony MS Security update emails
> -----Original Message-----
> From: exim-users-admin@???
> [mailto:exim-users-admin@exim.org]On
> Behalf Of Jeff Green
> Sent: Friday, January 23, 2004 11:59 PM
> To: exim-users@???
> Subject: Re: [Exim] Blocking phony MS Security update emails
>
>
> At 08:34 PM 1/23/04, you wrote:
> >My summary to cap this query off...
> >
> >On Friday 09 January 2004 06:59 am, Jeff Lasman wrote:
> >
> > > We're being hit by MS security update emails.
> They're not spam, but
> > > rather more accurately described as virii or worms.
> > >
> > > Does anyone has a good rule that will block these?
> I know we'll have
> > > to do it at "data" time, but I guess that's better
> than not blocking
> > > them at all.
> >
> >We're checking some filtering rules we came up with
> on our own, by using
> >them on my own Kmail mua. So far they look like
> they're picking up all
> >the virii and no false positives. After another week
> or so of testing
> >we'll add them to the server.
> >
> >However, the bad part of all this is we don't have MS
> desktops so we
> >don't know what a "real" MS update looks like for
> whitelisting. Can
> >anyone help me with that?
>
> There are none - MS doesn't announce updates by email.
> Look here:
>


Actually you can sign up to have Update announcements sent to you
via e-mail, but the announcements are VERY specific that MS does
not and will not send the updates to you via any form other than
the windows update site or the autoupdate program (which of
course runs on the local machine). So any time an actual update
arrives via email it's not MS, but announcements (which I do
receive) are perfectly valid. If you look at the information
contained in your link below it states:
    "No. Microsoft NEVER sends emails with security update attachments.
    You can subscribe to mailing lists to receive Microsoft security bulletins..."


I have added the following rule to my spamassassin local rules
that, so far, will catch this type of mail: (watch the wrap)

body RC_B_MSPATCH /\bthis is the latest version of security update, the \".* Cumulative Patch\"/i
describe RC_B_MSPATCH Attempt to masquerade as MS security bulletin
score RC_B_MSPATCH 25

> http://www.microsoft.com/technet/newsgroups/default.asp
> ?url=/technet/newsgroups/nodepages/sectop10.asp
>
>
> Best regards,
>
> Jeffrey B. Green        Personal Computer Consultant -
> Las Vegas, Nevada
> http//jbgreen.com       Networking Las Vegas Since 1986
> (702) 228-1441

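The body rule from the post, run as a standalone check over two constructed messages (a worm-style fake and a plain bulletin announcement). This is an added example, not code from the post or from SpamAssassin; the executable-suffix list, the companion attachment check and its score, and the sample addresses are assumptions made for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# The RC_B_MSPATCH body rule from the post as a Python regex; SpamAssassin's
# /i flag becomes re.IGNORECASE.
RC_B_MSPATCH = re.compile(
    r'\bthis is the latest version of security update, the ".* Cumulative Patch"',
    re.IGNORECASE,
)
RULE_SCORES = {
    "RC_B_MSPATCH": 25,      # score given in the post
    "X_EXE_ATTACHMENT": 5,   # assumed score for a hypothetical companion check (not in the post)
}
EXEC_SUFFIXES = (".exe", ".pif", ".scr", ".com", ".bat")  # constructed list for this example


def score_message(raw: bytes) -> tuple:
    """Return (rule names hit, total score) for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and RC_B_MSPATCH.search(body.get_content()):
        hits.append("RC_B_MSPATCH")
    # Microsoft never ships updates as attachments (quoted in the post), so an
    # executable attachment on an "update" mail is a signal in its own right.
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(EXEC_SUFFIXES):
            hits.append("X_EXE_ATTACHMENT")
            break
    return hits, sum(RULE_SCORES[h] for h in hits)


def build_sample(fake: bool) -> bytes:
    """Constructed test messages: a worm-style fake, or a text-only announcement."""
    m = EmailMessage()
    m["From"] = "updates@example.invalid"  # constructed address
    m["To"] = "user@example.invalid"
    m["Subject"] = "Security update"
    if fake:
        m.set_content('This is the latest version of security update, the "2004 Cumulative Patch"\n'
                      'which eliminates all known vulnerabilities. Run the attached file.\n')
        m.add_attachment(b"MZ\x90\x00constructed-stub", maintype="application",
                         subtype="octet-stream", filename="update.exe")
    else:
        m.set_content("Microsoft NEVER sends emails with security update attachments.\n"
                      "Read the bulletin on the Microsoft web site; nothing is attached.\n")
    return m.as_bytes()


if __name__ == "__main__":
    for label, fake in (("fake", True), ("announcement", False)):
        print(label, score_message(build_sample(fake)))
```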