Re: [Exim] Encrypted Viruii

Author: Dennis Davis
Date:  
To: R.J.Mckeating
CC: exim-users
Subject: Re: [Exim] Encrypted Viruii
>From: Ron McKeating <R.J.Mckeating@???>
>To: "Exim-Users (E-mail)" <exim-users@???>
>Subject: [Exim] Encrypted Viruii
>Date: Wed, 03 Mar 2004 10:51:46 +0000
>
>We are seeing more of these emails with an encrypted zip file
>containing a virus with the password in the text. You would have to
>be a very stupid user to fall for this, but are we the only site to
>have one or two very stupid users...?


No, you are not alone. Looks like some of our users are of the
quality of yours...:-(

>As the anti virus software cannot open the zip it cannot find the
>virus, so what is the best approach. I was wondering if there is a
>solution in the new mime acl (acl_smtp_mime) in exiscan. I don't
>have the expert knowledge for this, but would it not be possible
>to use this to say if you cannot open this part of the email then
>reject it.


What's wrong with doing things the "old-fashioned" way, i.e. by an
acl of the form:

  # Activate the following to reject email containing attachments
  # with dodgy extensions.  You possibly don't want to run this and
  # the virus checking.  Or at least run this with just the most
  # common dodgy extensions (vbs:com:bat:pif:scr:lnk etc) before the
  # full virus checking.
  deny  message = Found blacklisted file attachment ($found_extension)
        log_message = exiscan-acl: rejected file attachment ($found_extension)
        demime = NASTYGRAMS


Where you'll have to add the zip extension to:

# A list of file extensions that may be harmful to the health &
# welfare of crippleware on Windows machines. This list of dubious
# file extensions was taken from:
#
# http://support.microsoft.com/default.aspx?scid=kb;EN-US;290497
#
NASTIES1 = ade:adp:asx:bas:bat:chm:cmd:com:cpl:crt:exe:hlp
NASTIES2 = hta:inf:ins:isp:js:jse:lnk:mda:mdb:mde:mdt:mdw
NASTIES3 = mdz:msc:msi:msp:mst:ops:pcd:pif:prf:reg:scf:scr
NASTIES4 = sct:shb:shs:url:vb:vbe:vbs:wsc:wsf:wsh
NASTYGRAMS = NASTIES1:NASTIES2:NASTIES3:NASTIES4
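Added example, not code from the original post and not part of Exim or
exiscan: the same extension blacklist check written in plain Python so it
can be run stand-alone over a saved message, plus the check the thread is
really about, namely whether a zip attachment is password-protected and
therefore cannot be looked into by a scanner. The extension list is the
NASTIES1..4 macros above with "zip" added as the post suggests; the
function names, the sample message and the test archives are constructed
for this example. In a real Exim setup you would just add zip to
NASTYGRAMS; this is an illustration of what that condition decides.

```python
# Added example, not code from the original post or from Exim/exiscan.
# It mirrors the "demime = NASTYGRAMS" check in plain Python so the logic
# can be run stand-alone on a saved message, and adds the check the thread
# asks about: is a zip attachment password-protected (i.e. unscannable)?
import io
import zipfile
from email.message import EmailMessage
from typing import List, Optional

# The NASTIES1..4 lists from the post, plus "zip" as the post suggests.
NASTIES = (
    "ade:adp:asx:bas:bat:chm:cmd:com:cpl:crt:exe:hlp:"
    "hta:inf:ins:isp:js:jse:lnk:mda:mdb:mde:mdt:mdw:"
    "mdz:msc:msi:msp:mst:ops:pcd:pif:prf:reg:scf:scr:"
    "sct:shb:shs:url:vb:vbe:vbs:wsc:wsf:wsh:zip"
)
NASTYGRAMS = frozenset(NASTIES.split(":"))


def found_extension(msg: EmailMessage) -> Optional[str]:
    """First attachment extension that is in NASTYGRAMS (the role of
    $found_extension in the ACL), or None if nothing matches."""
    for part in msg.walk():
        name = part.get_filename()
        if not name or "." not in name:
            continue
        ext = name.rsplit(".", 1)[1].lower()   # last extension only
        if ext in NASTYGRAMS:
            return ext
    return None


def zip_is_encrypted(data: bytes) -> bool:
    """True if any member has bit 0 of the general-purpose flag set, i.e.
    the entry is password-protected.  Member names are still readable,
    but the content is not, so a virus scanner cannot inspect it."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x01 for info in zf.infolist())
    except zipfile.BadZipFile:
        return True   # not a readable archive at all: equally unscannable


def encrypted_zip_attachments(msg: EmailMessage) -> List[str]:
    """Filenames of .zip attachments whose contents cannot be scanned."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".zip"):
            if zip_is_encrypted(part.get_payload(decode=True)):
                hits.append(name)
    return hits


def make_zip(content: bytes, encrypted: bool) -> bytes:
    """Constructed test archive.  zipfile cannot write encrypted archives,
    so the encrypted variant is produced by setting flag bit 0 in the local
    header (offset 6) and the central-directory entry (offset 8), which is
    what a scanner sees on a real password-protected entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("payload.txt", content)
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x01
        data[data.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(data)


def build_sample_message(attachments: dict) -> EmailMessage:
    """Constructed sample message (not a real capture) with the given
    {filename: bytes} attachments, mimicking the 'password in the text'
    pattern from the thread."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "your document"
    msg.set_content("The archive password is: constructed-example")
    for name, data in attachments.items():
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    sample = build_sample_message({"doc.zip": make_zip(b"hello", True)})
    print("found_extension:", found_extension(sample))
    print("encrypted zips :", encrypted_zip_attachments(sample))
```

Note that found_extension only looks at the last extension, the same as
the plain demime check; a name like photo.jpg.scr is caught because the
last part is scr. The zip check treats an unreadable archive the same as
an encrypted one, since in both cases the scanner gets nothing to look at.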