Re: [Exim] Regex for catching RAR flavour of Bagle/beagle

Author: Bruce Richardson
Date:
To: Exim users mailing list
Subject: Re: [Exim] Regex for catching RAR flavour of Bagle/beagle
On Fri, Mar 19, 2004 at 02:41:29PM -0000, Adam D. Barratt wrote:
>
> We use a combination approach:
>
> 1) Log anything that looks like a password-encrypted zip / rar
> 2) Pass them through clamav via exiscan-acl (with databases updated every
> two hours)
> 3) Freeze anything that clamav claims is clean, for further inspection
>
> Of the half-dozen that have so far made it to step three, all have turned
> out to contain a variant of Bagle.

I'd be willing to bet that all of those were in bounce messages. The
only viruses I've seen slip through clamav are bounce messages where the
mail admin hasn't set a sensible size limit and the entire virus (always
a Bagle variant) is contained in the bounce. I'm hoping that the latest
upgrade will fix even those.

The bounce messages don't really pose any risk, since a user would have
to edit the bounce message before doing their own MIME decoding to
extract the payload. An analysis of the clamav-fooling bounce messages
we've seen generated one interesting statistic: 54% of them were
generated by Exim, 46% by Qmail, not one was from any other MTA.

--
Bruce

Hierophant: someone who remembers, when you are on the way down,
everything you did to them on the way up.
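As an added worked example (not code from this thread, from Exim or from exiscan-acl), here is a small Python scanner for the "log anything that looks like a password-encrypted zip / rar" step discussed above. It checks the encryption bit in ZIP local file headers and the password flag in RAR 1.5-4.x file blocks, walks the MIME parts of a message, and additionally decodes runs of base64 lines found in plain-text bodies, so that an original message quoted verbatim inside a non-MIME bounce (the case Bruce describes, where a reader would have to cut the payload out and decode it by hand) is inspected as well. The sample messages and archives are constructed inline; the archive builders only set the encryption flags and do not encrypt anything, and the RAR header CRCs are left at zero because the scanner does not verify them.

```python
"""Flag password-protected ZIP/RAR archives in mail, including archives
quoted inline inside a plain-text bounce. Added example; all messages and
archives are constructed here, not real Bagle samples."""
import base64
import re
import struct
import zlib
from email import message_from_bytes, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

ZIP_LOCAL_SIG = b"PK\x03\x04"
RAR_MARKER = b"Rar!\x1a\x07\x00"
B64_LINE = re.compile(rb"^[A-Za-z0-9+/]{20,76}={0,2}$")


def zip_is_encrypted(data: bytes) -> bool:
    """True if any ZIP local file header has general-purpose flag bit 0 set."""
    off = 0
    while True:
        off = data.find(ZIP_LOCAL_SIG, off)
        if off < 0 or off + 30 > len(data):
            return False
        flags, _m, _t, _d, _crc, csize, _u, nlen, xlen = struct.unpack_from("<HHHHIIIHH", data, off + 6)
        if flags & 0x0001:
            return True
        off += 30 + nlen + xlen + csize  # skip this entry's name, extra field and data


def rar_is_encrypted(data: bytes) -> bool:
    """Walk RAR 1.5-4.x block headers: flag 0x04 on a file block (type 0x74) marks a
    password-protected file; flag 0x80 on the archive block (0x73) marks encrypted headers."""
    if not data.startswith(RAR_MARKER):
        return False
    off = len(RAR_MARKER)
    while off + 7 <= len(data):
        _crc, btype, flags, hsize = struct.unpack_from("<HBHH", data, off)
        if hsize < 7:
            return False
        if (btype == 0x73 and flags & 0x0080) or (btype == 0x74 and flags & 0x0004):
            return True
        add = 0  # file blocks (and any LONG_BLOCK) carry a 4-byte data size after the 7-byte header
        if (btype == 0x74 or flags & 0x8000) and off + 11 <= len(data):
            (add,) = struct.unpack_from("<I", data, off + 7)
        off += hsize + add
    return False


def archive_kind(data: bytes):
    if data.startswith(ZIP_LOCAL_SIG):
        return "zip-encrypted" if zip_is_encrypted(data) else "zip"
    if data.startswith(RAR_MARKER):
        return "rar-encrypted" if rar_is_encrypted(data) else "rar"
    return None


def base64_blobs(text: bytes):
    """Decode runs of base64 lines inside a text body (an attachment quoted verbatim in a
    bounce); a trailing partial group from a truncated bounce is dropped, not an error."""
    run = []
    for line in text.splitlines() + [b""]:
        if B64_LINE.match(line.strip()):
            run.append(line.strip())
            continue
        if len(run) >= 2:
            blob = b"".join(run)
            blob = blob[: len(blob) - len(blob) % 4]
            try:
                yield base64.b64decode(blob)
            except ValueError:
                pass
        run = []


def find_encrypted_archives(raw: bytes):
    """Return (name, kind) for every password-protected archive. walk() descends into
    message/rfc822 parts (MIME bounces); text bodies also get the inline base64 scan."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        candidates = [(part.get_filename() or "(inline)", data)]
        if part.get_content_maintype() == "text":
            candidates += [("(base64 in text body)", b) for b in base64_blobs(data)]
        for name, blob in candidates:
            kind = archive_kind(blob)
            if kind and kind.endswith("-encrypted"):
                hits.append((name, kind))
    return hits


def build_zip(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Constructed one-entry stored ZIP; 'encrypted' only sets the header flag."""
    flags = 0x0001 if encrypted else 0
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    local = ZIP_LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, flags, 0, 0, 0, crc, len(payload), len(payload), len(name), 0) + name + payload
    central = b"PK\x01\x02" + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, flags, 0, 0, 0, crc, len(payload), len(payload), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def build_rar(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Constructed RAR 2.x-style container: marker, archive block, one stored file block."""
    flags = 0x8000 | (0x0004 if encrypted else 0)
    archive = struct.pack("<HBHHHI", 0, 0x73, 0, 13, 0, 0)
    fhdr = struct.pack("<HBHHIIBIIBBHI", 0, 0x74, flags, 32 + len(name), len(payload), len(payload), 0,
                       zlib.crc32(payload) & 0xFFFFFFFF, 0, 20, 0x30, len(name), 0)
    return RAR_MARKER + archive + fhdr + name + payload


def build_mail(archive: bytes, filename: str) -> bytes:
    """Constructed message with the archive as a base64 attachment."""
    msg = MIMEMultipart()
    msg["From"], msg["To"], msg["Subject"] = "alice@example.com", "bob@example.net", "Re: Hello"
    msg.attach(MIMEText("password is 12345\n"))
    att = MIMEApplication(archive, _subtype="octet-stream")
    att.add_header("Content-Disposition", "attachment", filename=filename)
    msg.attach(att)
    return msg.as_bytes()


def build_plain_bounce(original: bytes) -> bytes:
    """Constructed non-MIME bounce quoting the original verbatim; nothing is an attachment."""
    head = (b"From: Mail Delivery System <Mailer-Daemon@example.net>\r\nTo: alice@example.com\r\n"
            b"Subject: Mail delivery failed\r\n\r\nA message that you sent could not be delivered.\r\n\r\n"
            b"------ This is a copy of the message, including all the headers. ------\r\n\r\n")
    return head + original


def demo():
    """(a) direct mail with password-flagged ZIP, (b) plain bounce quoting a mail with a
    password-flagged RAR, (c) mail with an ordinary ZIP: expected one, one, zero hits."""
    zip_mail = build_mail(build_zip(b"photo.exe", b"X" * 200, True), "photo.zip")
    rar_mail = build_mail(build_rar(b"photo.exe", b"Y" * 200, True), "photo.rar")
    clean_mail = build_mail(build_zip(b"notes.txt", b"Z" * 200, False), "notes.zip")
    return (find_encrypted_archives(zip_mail),
            find_encrypted_archives(build_plain_bounce(rar_mail)),
            find_encrypted_archives(clean_mail))


if __name__ == "__main__":
    for hits in demo():
        print(hits)
```

Two caveats for anyone adapting this: the ZIP walker skips entries by their stored compressed size, so an entry written with a data descriptor (bit 3 set, size zero in the local header) is only found because the search scans forward for the next signature, and the base64 scan is a heuristic that can decode unrelated text into junk, which the archive check then simply ignores. Neither replaces the point made in the post: a sensible bounce size limit keeps the whole payload out of the bounce in the first place.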