On Thu, May 04, 2000 at 11:02:51PM +0200, Cherubini Enrico wrote:
> Ciao,
> Thu, May 04, 2000 at 10:56:13PM +0200, Ralf G. R. Bergs wrote:
>
> > ========= exim.conf ==================
> > message_filter = /etc/exim.filter
> > ========= exim.filter =================
> >
> > # Exim filter
> >
> > if ($h_subject: is "ILOVEYOU" or $h_subject: is "I LOVE YOU") and not
> > error_mess
>
> what if someone change subject ? I can't understand why we should believe
> the virus can be only in email with these subject (or like the penpal friend
> one)
Yep, and I've now seen it with a new subject ("Fwd: Joke") and the name
of the attachment changed to 'Very Funny.vbs'.
> Wouldn't be better do scan email in body searching for fingerprint of macros
> ? maybe it can be of high weight to scan all email, but if you want to do
> something, it's better to do it at the best.
This seems to work fine and dandy:
:0 B
* ^Content-Disposition: attachment;
* filename=".*\.vbs"
{
:0 fbw
|/bin/sed -e 's/\(name=".*\.vbs\)"/\1.txt"/'
}
That converts all VBScript into .txt. (well, my actual rule is a bit
more complex, since I also add in an X-Security header and a copy of it
just to make sure things work).
--
Brian Moore | Of course vi is God's editor.
Sysadmin, C/Perl Hacker | If He used Emacs, He'd still be waiting
Usenet Vandal | for it to load on the seventh day.
Netscum, Bane of Elves.
