Re: [Exim] Encrypted Viruii

Author: Ron McKeating
Date:  
To: Dennis Davis
CC: Exim-Users (E-mail)
Subject: Re: [Exim] Encrypted Viruii
Several people have suggested as below that we simply reject zip
attachments. But we tell all our users to use zip attachments as we
reject executable stuff with exiscan.

Surely this attachment is MIME encoded and we could detect it with the
mime acl in exiscan?

Ron

On Wed, 2004-03-03 at 11:43, Dennis Davis wrote:
> >From: Ron McKeating <R.J.Mckeating@???>
> >To: "Exim-Users (E-mail)" <exim-users@???>
> >Subject: [Exim] Encrypted Viruii
> >Date: Wed, 03 Mar 2004 10:51:46 +0000
> >
> >We are seeing more of these emails with an encrypted zip file
> >containing a virus with the password in the text. You would have to
> >be a very stupid user to fall for this, but are we the only site to
> >have one or two very stupid users...?
>
> No, you are not alone. Looks like some of our users are of the
> quality of yours...:-(
>
> >As the anti virus software cannot open the zip it cannot find the
> >virus, so what is the best approach. I was wondering if there is a
> >solution in the new mime acl (acl_smtp_mime) in exiscan. I don't
> >have the expert knowledge for this, but would it not be possible
> >to use this to say if you cannot open this part of the email then
> >reject it.
>
> What's wrong with doing things the "old-fashioned" way, i.e. by an
> acl of the form:
>
>   # Activate the following to reject email containing attachments
>   # with dodgy extensions.  You possibly don't want to run this and
>   # the virus checking.  Or at least run this with just the most
>   # common dodgy extensions (vbs:com:bat:pif:scr:lnk etc) before the
>   # full virus checking.
>   deny  message = Found blacklisted file attachment ($found_extension)
>         log_message = exiscan-acl: rejected file attachment ($found_extension)
>         demime = NASTYGRAMS
>
> Where you'll have to add the zip extension to:
>
> # A list of file extensions that may be harmful to the health &
> # welfare of crippleware on Windows machines. This list of dubious
> # file extensions was taken from:
> #
> # http://support.microsoft.com/default.aspx?scid=kb;EN-US;290497
> #
> NASTIES1 = ade:adp:asx:bas:bat:chm:cmd:com:cpl:crt:exe:hlp
> NASTIES2 = hta:inf:ins:isp:js:jse:lnk:mda:mdb:mde:mdt:mdw
> NASTIES3 = mdz:msc:msi:msp:mst:ops:pcd:pif:prf:reg:scf:scr
> NASTIES4 = sct:shb:shs:url:vb:vbe:vbs:wsc:wsf:wsh
> NASTYGRAMS = NASTIES1:NASTIES2:NASTIES3:NASTIES4
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##

--
Ron McKeating
Senior IT Services Specialist
Internet Services and Software Solutions
Loughborough University
01509 222329