
Re: MS BS



On Mon, 22 Sep 2003, Ted Roby wrote:

> My secalert account for these lists is being drenched with 40 to 70 of
> these fake Microsoft Update emails per day.
> My filters on my client dump them to a Junk folder, but I would prefer
> it if my Exim filter would do the job at the server level instead. I am
> running Nigel Metheringham's system_filter.exim.
>
> The single part MIME filter doesn't seem to catch it though. What are
> others on this list using or doing to blatantly block this stuff? There
> is no valid .exe I could receive, ever.

I got my mailbox and others on my server filled with these, over the
weekend it was as high as 20MB/day in one mailbox with these worms. I'm
surprised the press coverage hasn't been higher, since this must be the
most spreading MS-worm to date. But I guess people are getting fed up with
reading about these.

Since HD space is an issue on my server I needed to block these at the
SMTP level, to that end I found a qmail patch from Russell Nelson that
works wonders. It does block any executable base64, which may be a bit
over the top, but people will just have to learn to zip such files if they
want to send them through my server.

The patch for qmail can be found here:
http://www.qmail.org/qmail-smtpd-viruscan-1.1.patch

"This patch changes qmail-smtpd so that it parses incoming emails.  It
looks at the first line of MIME attachments to see if they're Windows
executables which are base64-encoded.  This catches nearly all current
Microsoft viruses."

I don't know the status of any similar patches for other MTAs, but I
guess they are out there. Anyway, if you are truly security conscious you
should consider switching to qmail in any case.

Regards,

Thomas
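The check the quoted patch description outlines (decode only the first base64 line of each MIME attachment and see whether it is a Windows executable) is small enough to sketch in full. The Python below is an added illustration written for this thread, not code from the qmail patch or from either poster; the sample message, sender address and attachment names are constructed, and it relies on the fact that DOS/PE executables begin with the two bytes "MZ". As the reply notes, a zipped executable passes this test untouched.

```python
import base64
import binascii
import email
from email import policy

MZ_MAGIC = b"MZ"  # every DOS/PE (Windows) executable starts with these bytes


def first_line_is_windows_exe(b64_body: str) -> bool:
    """Decode only the first non-empty base64 line of an attachment body and
    test for the 'MZ' header. Cheap enough to run during the SMTP dialogue,
    before the message is ever written to the mailbox."""
    first = next((ln.strip() for ln in b64_body.splitlines() if ln.strip()), "")
    try:
        decoded = base64.b64decode(first, validate=True)
    except (ValueError, binascii.Error):  # not base64 at all: leave it alone
        return False
    return decoded.startswith(MZ_MAGIC)


def executable_attachments(raw_message: bytes) -> list:
    """Return the filename (or content type) of every base64-encoded MIME part
    whose first decoded bytes look like a Windows executable."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        if cte != "base64":
            continue
        # decode=False hands back the raw base64 text exactly as it arrived
        if first_line_is_windows_exe(part.get_payload(decode=False)):
            hits.append(part.get_filename() or part.get_content_type())
    return hits


# Constructed stand-ins for an attached executable and a zipped one.
EXE_STUB = b"MZ\x90\x00" + b"\x00" * 60   # fake DOS header, no real code
ZIP_STUB = b"PK\x03\x04" + b"\x00" * 60   # zip magic: deliberately NOT flagged


def build_sample(filename: str, payload: bytes) -> bytes:
    """Build a constructed two-part message carrying `payload` as an attachment."""
    b64 = base64.encodebytes(payload).decode().replace("\n", "\r\n")
    return (
        "From: update@example.invalid\r\nTo: user@example.invalid\r\n"
        "Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n'
        "--XX\r\nContent-Type: text/plain\r\n\r\nPlease run the attachment.\r\n"
        f'--XX\r\nContent-Type: application/octet-stream; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n\r\n'
        f"{b64}--XX--\r\n"
    ).encode()
```

An MTA hook would call `executable_attachments` on the DATA it has buffered and reject the message with a 5xx response when the list is non-empty, so the worm never consumes mailbox space.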


