Re: [Exim] Encrypted Viruii

Top Page
This message is part of the following thread:
M-+-+--\the complete thread tree sorted by date
M.M\M\.MAdrian Phillips at <-
MMMMMMMDennis Davis at ->
Delete this message
Reply to this message
Author: Chris Edwards
Date:  
To: Ron McKeating
CC: Exim-Users (E-mail)
Subject: Re: [Exim] Encrypted Viruii
On Wed, 3 Mar 2004, Ron McKeating wrote:

| but are we the only site to have one or two very stupid users...?

No ;-))


| As the anti virus software cannot open the zip it cannot find the virus,
| so what is the best approach. I was wondering if there is a solution in
| the new mime acl (acl_smtp_mime) in exiscan. I don't have the expert
| knowledge for this, but would it not be possible to use this to say if
| you cannot open this part of the email then reject it.

Policy decision required. In the past many of us have simply passed
unscanable attachments, on the grounds that they're likely to be OK. Now
this is being actively exploited we may have to block simply on the
grounds we can't scan.

Details depend on your AV setup. Folk using cmdline sophos sweep can
accomplish this with a tweak of the trigger regexp.

I'm looking at modifying sophie to do similar, if things get sufficiently
bad.

However we're having good luck spurning these things with the unqual-ehlo
triggering a delay (Thanks Alan!). As far as we can tell, all the bagles
offered direct from compromised PCs don't bother to wait.

--
Chris Edwards, Glasgow University Computing Service


This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [Exim] Encrypted ViruiiRe: [Exim] Encrypted Viruii->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)