>From: Ron McKeating <R.J.Mckeating@???>
>To: "Exim-Users (E-mail)" <exim-users@???>
>Subject: [Exim] Encrypted Viruii
>Date: Wed, 03 Mar 2004 10:51:46 +0000
>
>We are seeing more of these emails with an encrypted zip file
>containing a virus with the password in the text. You would have to
>be a very stupid user to fall for this, but are we the only site to
>have one or two very stupid users...?
No, you are not alone. Looks like some of our users are of the
quality of yours...:-(
>As the anti virus software cannot open the zip it cannot find the
>virus, so what is the best approach. I was wondering if there is a
>solution in the new mime acl (acl_smtp_mime) in exiscan. I don't
>have the expert knowledge for this, but would it not be possible
>to use this to say if you cannot open this part of the email then
>reject it.
What's wrong with doing things the "old-fashioned" way, i.e. by an
acl of the form:
# Activate the following to reject email containing attachments
# with dodgy extensions. You possibly don't want to run this and
# the virus checking. Or at least run this with just the most
# common dodgy extensions (vbs:com:bat:pif:scr:lnk etc) before the
# full virus checking.
deny message = Found blacklisted file attachment ($found_extension)
     log_message = exiscan-acl: rejected file attachment ($found_extension)
     demime = NASTYGRAMS
Where you'll have to add the zip extension to:
# A list of file extensions that may be harmful to the health &
# welfare of crippleware on Windows machines. This list of dubious
# file extensions was taken from:
#
#    http://support.microsoft.com/default.aspx?scid=kb;EN-US;290497
#
NASTIES1 = ade:adp:asx:bas:bat:chm:cmd:com:cpl:crt:exe:hlp
NASTIES2 = hta:inf:ins:isp:js:jse:lnk:mda:mdb:mde:mdt:mdw
NASTIES3 = mdz:msc:msi:msp:mst:ops:pcd:pif:prf:reg:scf:scr
NASTIES4 = sct:shb:shs:url:vb:vbe:vbs:wsc:wsf:wsh
NASTYGRAMS = NASTIES1:NASTIES2:NASTIES3:NASTIES4
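Ron's idea of rejecting a MIME part the scanner cannot look inside can be illustrated outside Exim: the check below, added here and not taken from the thread or from exiscan, walks a message's MIME parts, identifies zip attachments by their magic bytes rather than by extension, and reports any archive that is unreadable or whose entries carry the zip encryption flag (the case where the anti-virus engine cannot see the payload). The sample mail and the "encrypted" archive are constructed inline by flipping the flag bit, since the standard library cannot write password-protected zips.

```python
import io
import struct
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ZIP_FLAG_ENCRYPTED = 0x0001          # PKWARE APPNOTE 4.4.4: bit 0 = entry encrypted
LOCAL_SIG, CENTRAL_SIG = b"PK\x03\x04", b"PK\x01\x02"

def encrypted_entries(data: bytes) -> list[str]:
    """Names of entries whose general-purpose flag marks them as encrypted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zi.filename for zi in zf.infolist()
                if zi.flag_bits & ZIP_FLAG_ENCRYPTED]

def scan_message(raw: bytes) -> list[tuple[str, list[str]]]:
    """Walk MIME parts; report zip attachments an AV engine cannot inspect."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        payload = part.get_payload(decode=True)      # None for multipart containers
        if payload is None or payload[:4] != LOCAL_SIG:   # magic bytes, not extension
            continue
        name = part.get_filename() or "<unnamed>"
        try:
            locked = encrypted_entries(payload)
        except zipfile.BadZipFile:
            locked = ["<archive cannot be opened>"]  # equally opaque to a scanner
        if locked:
            findings.append((name, locked))
    return findings

def sample_message(encrypted: bool) -> bytes:
    """Constructed test mail: a text body plus one zip attachment (hypothetical data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.exe", b"constructed placeholder, not a binary")
    data = bytearray(buf.getvalue())
    if encrypted:
        # set the encryption bit in both the local header (offset 6) and the
        # central directory header (offset 8); infolist() reads the latter
        for sig, off in ((LOCAL_SIG, 6), (CENTRAL_SIG, 8)):
            i = data.find(sig)
            data[i + off:i + off + 2] = struct.pack("<H", ZIP_FLAG_ENCRYPTED)
    msg = EmailMessage()
    msg["Subject"] = "constructed test message"
    msg.set_content("constructed message body")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()
```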