
Re[2]: Simple e-mail virus scanner



Hello Noah,
Can the same approach be used with sendmail? Any examples?

NLM> On Tue, Aug 19, 2003 at 10:56:29PM +0200, Kjetil Kjernsmo wrote:
>> 
>> So, I'm wondering, does anybody know about any such approach?

NLM> After getting sick of all the virus crap in my inbox I installed the
NLM> following in /etc/exim/system_filter.txt:
NLM> ## -----------------------------------------------------------------------
NLM> # Attempt to catch embedded VBS attachments
NLM> # in emails.   These were used as the basis for
NLM> # the ILOVEYOU virus and its variants - many many variants
NLM> # Quoted filename - [body_quoted_fn_match]
NLM> if $message_body matches "(?:Content-(?:Type:(?>\\s*)[\\w-]+/[\\w-]+|Disposition:(?>\\s*)attachment);(?>\\s*)(?:file)?name=|begin(?>\\s+)[0-7]{3,4}(?>\\s+))(\"[^\"]+\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\s;]"
NLM> then
NLM>   fail text "This message has been rejected because it has\n\
NLM>              a potentially executable attachment $1\n\
NLM>              This form of attachment has been used by\n\
NLM>              recent viruses or other malware.\n\
NLM>              If you meant to send this file then please\n\
NLM>              package it up as a zip file and resend it."
NLM>   seen finish
NLM> endif
NLM> # same again using unquoted filename [body_unquoted_fn_match]
NLM> if $message_body matches "(?:Content-(?:Type:(?>\\s*)[\\w-]+/[\\w-]+|Disposition:(?>\\s*)attachment);(?>\\s*)(?:file)?name=|begin(?>\\s+)[0-7]{3,4}(?>\\s+))(\\S+\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\s;]"
NLM> then
NLM>   fail text "This message has been rejected because it has\n\
NLM>              a potentially executable attachment $1\n\
NLM>              This form of attachment has been used by\n\
NLM>              recent viruses or other malware.\n\
NLM>              If you meant to send this file then please\n\
NLM>              package it up as a zip file and resend it."
NLM>   seen finish
NLM> endif
NLM> ## -----------------------------------------------------------------------

NLM> And put 
NLM> message_filter = /etc/exim/system_filter.txt
NLM> in /etc/exim/exim.conf

NLM> It seems to be working.  I've seen a couple of rejections get logged in
NLM> /var/log/exim/mainlog since I installed it an hour ago.  Why these
NLM> rejections don't go to /var/log/exim/rejectlog I don't know, but the
NLM> point is that the junk is not cluttering my mailbox.

NLM> noah




Best regards,
Игорь Ляпин
Международный Банк Развития
+7 095 7300850
+7 095 7300851 (fax)
 Игорь                            mailto:ant@ibd.ru
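The two checks in Noah's Exim filter, ported to Python as an added example (not code from either message) so they can be tried against sample message bodies offline. The extension list is copied from the quoted filter; the filter's atomic groups `(?>\s*)` are written as plain `\s*` because Python's `re` only accepts atomic groups from 3.11; `re.IGNORECASE` is an addition of this example, since the filter as quoted lists only lowercase extensions and an upper-case `.EXE` would pass it. The sample bodies are constructed for the test.

```python
"""Python port of the attachment-name checks from the quoted Exim filter."""
import re

# Extension alternation copied from the quoted Exim filter.
DANGEROUS_EXT = (
    r"ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|"
    r"md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]"
)

# Where a filename is expected: after the (file)name= parameter of a
# Content-Type or Content-Disposition header, or after a uuencode
# "begin 644 " line.  Atomic groups from the filter are plain \s* here.
_CONTEXT = (
    r"(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);"
    r"\s*(?:file)?name=|begin\s+[0-7]{3,4}\s+)"
)

# [body_quoted_fn_match]: filename in double quotes, then whitespace or ';'.
# IGNORECASE is this example's hardening, not part of the original filter.
QUOTED_FN = re.compile(
    _CONTEXT + r'("[^"]+\.(?:' + DANGEROUS_EXT + r')")[\s;]', re.IGNORECASE
)
# [body_unquoted_fn_match]: bare filename token, then whitespace or ';'.
UNQUOTED_FN = re.compile(
    _CONTEXT + r"(\S+\.(?:" + DANGEROUS_EXT + r"))[\s;]", re.IGNORECASE
)


def find_executable_attachment(body: str):
    """Return the matched filename (the filter's $1) or None if clean."""
    for pattern in (QUOTED_FN, UNQUOTED_FN):
        m = pattern.search(body)
        if m:
            return m.group(1)
    return None


# Constructed sample bodies (not real mail), one per case the filter covers.
SAMPLE_QUOTED = (
    'Content-Type: application/octet-stream; name="report.exe"\n'
    "Content-Transfer-Encoding: base64\n"
)
SAMPLE_UNQUOTED = (
    "Content-Type: application/octet-stream\n"
    "Content-Disposition: attachment; filename=setup.scr\n"
)
SAMPLE_UUENCODE = "Some text\nbegin 644 tool.pif\nM<R=&]E(&)A<@``\nend\n"
SAMPLE_UPPER = 'Content-Type: application/x-msdownload; name="REPORT.EXE"\n'
SAMPLE_BENIGN = (
    'Content-Type: application/zip; name="archive.zip"\n'
    'Content-Disposition: attachment; filename="archive.zip"\n'
)

if __name__ == "__main__":
    for label, body in [
        ("quoted", SAMPLE_QUOTED),
        ("unquoted", SAMPLE_UNQUOTED),
        ("uuencode", SAMPLE_UUENCODE),
        ("upper-case", SAMPLE_UPPER),
        ("benign", SAMPLE_BENIGN),
    ]:
        hit = find_executable_attachment(body)
        print(f"{label:10s}: {'reject ' + hit if hit else 'accept'}")
```

Whatever MTA drives it, the check is a plain regular expression over the raw message text, so a standalone port like this is a convenient way to confirm what the pattern does and does not catch before wiring it into a filter.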


