Author: Chris Edwards Date: To: Ron McKeating CC: Exim-Users (E-mail) Subject: Re: [Exim] Encrypted Viruii
On Wed, 3 Mar 2004, Ron McKeating wrote:
| but are we the only site to have one or two very stupid users...?
No ;-))
| As the anti virus software cannot open the zip it cannot find the virus,
| so what is the best approach. I was wondering if there is a solution in
| the new mime acl (acl_smtp_mime) in exiscan. I don't have the expert
| knowledge for this, but would it not be possible to use this to say if
| you cannot open this part of the email then reject it.
Policy decision required. In the past many of us have simply passed
unscanable attachments, on the grounds that they're likely to be OK. Now
this is being actively exploited we may have to block simply on the
grounds we can't scan.
Details depend on your AV setup. Folk using cmdline sophos sweep can
accomplish this with a tweak of the trigger regexp.
I'm looking at modifying sophie to do similar, if things get sufficiently
bad.
However we're having good luck spurning these things with the unqual-ehlo
triggering a delay (Thanks Alan!). As far as we can tell, all the bagles
offered direct from compromised PCs don't bother to wait.
--
Chris Edwards, Glasgow University Computing Service