Re: [Exim] Very annoying virus behavior

Author: Wakko Warner
Date:  
To: Walt Reed
CC: Exim-users
Subject: Re: [Exim] Very annoying virus behavior
> One of the things I've noticed about this latest email worm is that it
> seems to be doing a namelist attack. Looking at my logs, I'm getting
> hundreds of hits to nonexistent names. Occasionally it finds a valid
> one, which is rejected by an exiscan rule.
>
> Anyway, rather than waste my mail server's time and bandwidth, I was
> thinking along the lines of processing the logs looking for the pattern
> and adding a firewall rule to drop the host. Has anyone done that already, or
> is working on something like this? Greylisting doesn't seem like it would work, as
> this worm does multiple tries.
>
> Maybe an "infected by worm" DNSBL would work. Of course, due to the
> wonderful security of Windows and typical clueless users, this just may
> end up being half the internet.


Here's what I've done with Swen, which I still get. Drop this in your
ACL somewhere where you can easily detect such an attack. The 2nd condition
line is the trick =)

This specific one looks for key phrases in the From and To headers (obviously in
the DATA ACL):

# Swen-style forged From: display names. The first condition does the
# matching; the second always yields "yes" and exists only for its side
# effect of appending the envelope sender to /etc/exim4/virus_senders
# (the Exim run-time user needs write access to that file).
# Note: $sender_address is interpolated into a shell command line here, so an
# address containing shell metacharacters can alter the command. Prefer
# passing the address as an argument to a small script instead of via sh -c.
deny    condition = ${if match{${lc:$h_from:}}{microsoft|message service|ms technical|security assistance|ms public|ms corporation|network delivery|ms net email|ms network|internet security|network security|technet|ms customer|inet service|security support|public assistance|ms net|program security|security center|ms security|network email|net mail|ms email|inet email|commercial client|public services|security section|technical assistance|customer assistance|" *" *<}{yes}{no}}
        condition = ${run{/bin/sh -c \"/bin/echo $sender_address >> /etc/exim4/virus_senders\"} {yes} {yes}}

# Same idea for the forged To: header; "< *>" catches an empty angle-bracket
# address and "@???" a three-character domain.
deny    condition = ${if match{${lc:$h_to:}}{mail receiver|mail client|ms corporation|internet user|inet user|commercial user|inet client|email user|mail user|inet recipient|client@|net user|network receiver|commercial consumer|internet recipient|@???|net client|network client|network user|internet receiver|< *>|commercial customer|commercial client|ms client}{yes}{no}}
        condition = ${run{/bin/sh -c \"/bin/echo $sender_address >> /etc/exim4/virus_senders\"} {yes} {yes}}

# Everything that survives the two deny statements is accepted.
accept


--
Lab tests show that use of micro$oft causes cancer in lab animals
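Walt's idea of mining the logs for the pattern, written out as an added example (not code from either poster): it scans Exim mainlog lines of the shape shown, counts distinct rejected recipients per connecting IP inside a time window, and returns the hosts that look like they are harvesting names, so that a firewall rule can be generated from the result. The sample log lines, the threshold and the window are constructed assumptions; the exact rejection text in real logs depends on the ACL's message settings.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mainlog lines (not from a real server). One host probes
# five different names in seconds; a partner MX retries one stale address.
SAMPLE_LOG = """\
2003-09-20 10:01:02 H=dialup-1.example.net [192.0.2.10] F=<bogus@example.org> rejected RCPT <aaron@example.com>: Unknown user
2003-09-20 10:01:03 H=dialup-1.example.net [192.0.2.10] F=<bogus@example.org> rejected RCPT <abbey@example.com>: Unknown user
2003-09-20 10:01:05 H=dialup-1.example.net [192.0.2.10] F=<bogus@example.org> rejected RCPT <abel@example.com>: Unknown user
2003-09-20 10:01:07 H=dialup-1.example.net [192.0.2.10] F=<bogus@example.org> rejected RCPT <ada@example.com>: Unknown user
2003-09-20 10:01:09 H=dialup-1.example.net [192.0.2.10] F=<bogus@example.org> rejected RCPT <adam@example.com>: Unknown user
2003-09-20 10:02:00 H=mx.partner.example (mail.partner.example) [198.51.100.7] F=<alice@partner.example> rejected RCPT <bob.old@example.com>: Unknown user
2003-09-20 10:32:00 H=mx.partner.example (mail.partner.example) [198.51.100.7] F=<alice@partner.example> rejected RCPT <bob.old@example.com>: Unknown user
2003-09-20 10:03:00 H=relay.example.org [203.0.113.5] rejected RCPT <carol@example.com>: Unrouteable address
"""

# Timestamp, connecting host (optional HELO in parentheses), IP in brackets,
# optional envelope sender, then the "rejected RCPT <addr>" verdict.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=(?P<host>\S+)(?: \([^)]*\))? \[(?P<ip>[^\]]+)\] "
    r"(?:F=<(?P<sender>[^>]*)> )?rejected RCPT <(?P<rcpt>[^>]+)>"
)

def parse_rejections(lines):
    """Yield (timestamp, ip, recipient) for every rejected-RCPT line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["rcpt"]

def harvesting_hosts(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: max_distinct_rejected_recipients} for hosts that hit at
    least `threshold` *distinct* unknown names inside `window`. Counting
    distinct names separates a dictionary run from a legitimate sender
    retrying one bad address, which a raw rejection count would not."""
    events = defaultdict(list)
    for ts, ip, rcpt in parse_rejections(lines):
        events[ip].append((ts, rcpt))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        best = 0
        for i, (start, _) in enumerate(evs):
            names = {r for t, r in evs[i:] if t - start <= window}
            best = max(best, len(names))
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    for ip, n in harvesting_hosts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} distinct unknown recipients, candidate for a firewall block")
```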