[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Simple e-mail virus scanner



On Tue, Aug 19, 2003 at 10:56:29PM +0200, Kjetil Kjernsmo wrote:
> 
> So, I'm wondering, does anybody know about any such approach?

After getting sick of all the virus crap in my inbox I installed the
following in /etc/exim/system_filter.txt:
## -----------------------------------------------------------------------
# Attempt to catch embedded VBS attachments
# in emails.   These were used as the basis for
# the ILOVEYOU virus and its variants - many many varients
# Quoted filename - [body_quoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Dispo
sition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(
?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[
fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[
\\\\s;]"
then
  fail text "This message has been rejected because it has\n\
             a potentially executable attachment $1\n\
             This form of attachment has been used by\n\
             recent viruses or other malware.\n\
             If you meant to send this file then please\n\
             package it up as a zip file and resend it."
  seen finish
endif
# same again using unquoted filename [body_unquoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Dispo
sition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(
?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs
]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\
s;]"
then
  fail text "This message has been rejected because it has\n\
             a potentially executable attachment $1\n\
             This form of attachment has been used by\n\
             recent viruses or other malware.\n\
             If you meant to send this file then please\n\
             package it up as a zip file and resend it."
  seen finish
endif
## -----------------------------------------------------------------------

And put 
message_filter = /etc/exim/system_filter.txt
in /etc/exim/exim.conf

It seems to be working.  I've seen a couple of rejections get logged in
/var/log/exim/mainlog since I installed it an hour ago.  Why these
rejections don't go to /var/log/exim/rejectlog I don't know, but the
point is that the junk is not cluttering my mailbox.

noah

Attachment: pgpGx94gSX564.pgp
Description: PGP signature


Reply to: