Re: Simple e-mail virus scanner

To: debian-security@lists.debian.org
Subject: Re: Simple e-mail virus scanner
From: "Noah L. Meyerhans" <noahm@debian.org>
Date: Tue, 19 Aug 2003 17:42:37 -0400
Message-id: <[🔎] 20030819214237.GK1904@morgul.net>
Mail-followup-to: "Noah L. Meyerhans" <noahm@debian.org>, debian-security@lists.debian.org
In-reply-to: <[🔎] 200308192256.29230.kjetil@kjernsmo.net>
References: <[🔎] 200308192256.29230.kjetil@kjernsmo.net>

On Tue, Aug 19, 2003 at 10:56:29PM +0200, Kjetil Kjernsmo wrote:
> 
> So, I'm wondering, does anybody know about any such approach?

After getting sick of all the virus crap in my inbox I installed the
following in /etc/exim/system_filter.txt:
## -----------------------------------------------------------------------
# Attempt to catch embedded VBS attachments
# in emails.   These were used as the basis for
# the ILOVEYOU virus and its variants - many many varients
# Quoted filename - [body_quoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Dispo
sition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(
?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[
fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[
\\\\s;]"
then
  fail text "This message has been rejected because it has\n\
             a potentially executable attachment $1\n\
             This form of attachment has been used by\n\
             recent viruses or other malware.\n\
             If you meant to send this file then please\n\
             package it up as a zip file and resend it."
  seen finish
endif
# same again using unquoted filename [body_unquoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Dispo
sition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(
?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs
]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\
s;]"
then
  fail text "This message has been rejected because it has\n\
             a potentially executable attachment $1\n\
             This form of attachment has been used by\n\
             recent viruses or other malware.\n\
             If you meant to send this file then please\n\
             package it up as a zip file and resend it."
  seen finish
endif
## -----------------------------------------------------------------------

And put 
message_filter = /etc/exim/system_filter.txt
in /etc/exim/exim.conf

It seems to be working.  I've seen a couple of rejections get logged in
/var/log/exim/mainlog since I installed it an hour ago.  Why these
rejections don't go to /var/log/exim/rejectlog I don't know, but the
point is that the junk is not cluttering my mailbox.

noah

Attachment: pgp5xTohtVikg.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re[2]: Simple e-mail virus scanner
  - From: Игорь Ляпин <ant@ibd.ru>
- Re: Simple e-mail virus scanner
  - From: Christoph Moench-Tegeder <cmt@burggraben.net>
- Re: Simple e-mail virus scanner
  - From: Kjetil Kjernsmo <kjetil@kjernsmo.net>

References:
- Simple e-mail virus scanner
  - From: Kjetil Kjernsmo <kjetil@kjernsmo.net>

Prev by Date: Simple e-mail virus scanner
Next by Date: Re: ftp.gnu.org cracked
Previous by thread: Simple e-mail virus scanner
Next by thread: Re[2]: Simple e-mail virus scanner
Index(es):
- Date
- Thread