Re: [Exim] Quick Fix in SpamAssassin for latest ZIP worm

Author: Nigel Metheringham
Date:  
To: J Yunke
CC: exim-users
Subject: Re: [Exim] Quick Fix in SpamAssassin for latest ZIP worm
On Tue, 2004-01-27 at 14:24, J Yunke wrote:
> Thought I'd pass this onto folks who use Exim & SPAM Assassin. I use
> sa-exim with exim4 and for some reason my system filter wasn't working
> properly.


/me references standard rant on MIME parsing within system filters - it
*cannot* be done.

exiscan's standard extension blocking appears to be getting this other
than .zip files which we do not block (the fact that a worm can
successfully propagate through .zip files shows that many Windows users
are even more stupid than I ever suspected).

The mail engine of this worm appears to not put a message ID in the
message headers.  You can therefore block it by rejecting messages
without a message ID:-
  # Reject on no message-id/date from remote hosts
  deny    condition    = ${if !def:h_Message-ID: {1}}
    message        = Message SHOULD have Message-ID: but does not
  deny    condition    = ${if !def:h_Date: {1}}
    message        = Message SHOULD have Date: but does not


NB you may want rules in *prior* to these rules, or additions to these
rules to allow authenticated mail or local SMTP injected mail to bypass
this block. Or not.

These rules are running on exim.org. If you don't generate message-id
headers then you have been warned.

For other non-zip forms of attachment you could also look at last week's
thread on matching MS executables.

    Nigel.


--
[ Nigel Metheringham           Nigel.Metheringham@??? ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
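
Added example, not part of the original message: one way to write the bypass mentioned in the NB above, by attaching negated conditions to the two deny rules so that authenticated senders and local or relay hosts skip the header checks. It assumes the statements sit in the ACL named by `acl_smtp_data` and that a hostlist called `relay_from_hosts` is defined, as in Exim's default configuration.

```conf
# Added example, not from the original message.
# Assumption: these statements are in the ACL named by acl_smtp_data,
# because message headers only exist once the DATA phase has completed.
# Assumption: "relay_from_hosts" is a hostlist defined in the main
# configuration section (the default configuration ships one).

  # Reject on no Message-ID from remote, unauthenticated hosts.
  # Conditions are tested in order; the first one that fails makes
  # the deny statement not apply and control passes to the next one.
  deny    message        = Message SHOULD have Message-ID: but does not
          # skip the check for clients that completed SMTP AUTH
         !authenticated  = *
          # the empty item before the colon matches mail with no remote
          # host (local SMTP injection, e.g. exim -bs); the hostlist
          # covers trusted submission hosts
         !hosts          = : +relay_from_hosts
          condition      = ${if !def:h_Message-ID: {1}}

  # Same exemptions for the missing Date: check.
  deny    message        = Message SHOULD have Date: but does not
         !authenticated  = *
         !hosts          = : +relay_from_hosts
          condition      = ${if !def:h_Date: {1}}
```

Using negated conditions on the deny statements, rather than an earlier `accept`, keeps any later checks in the same ACL (for example content scanning) active for the exempted senders.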