On Sat, May 04, 2002 at 09:25:09AM -0500, Nathan Neulinger wrote:
| > > If you want to filter these, try something that's designed
| > > for the purpose.
| >
| > Correction: "If you want to filter [viruses], try something
| > that's designed for the purpose."
| >
| > I feel that a rule to catch .exe attachments would be great.
| > However, if this gets taken as far as blocking .vbs files,
| > then you're treading into the realm of viruses.
|
| I personally couldn't care less about doing generalized virus scanning.
| If you're unfortunate enough to use windows and don't bother to apply
| patches or a decent virus scanner on your client, that's your problem.
Ditto.
| I am however concerned about the constant load on my mail server dealing
| with the worm traffic from these klez/melissa/hybrid/etc. infections.
| Those are "Unsolicited Bulk EMail" in my book. The fact that they are a
| virus is really a side issue.
Right.
| I would not be interested in putting in rules for catching every pissant
| windows virus out there, however, if there were a provided set of rules
| (i.e. in a contrib section or similar) that would catch the
| headline-making-windows-worms stuff, that would be a great improvement.
| (I understand the reasons for not making SA into a general purpose virus
| scanner - and agree with them. Most of us I'd say are not asking for a
| general purpose one.)
How about ftp://ftp.exim.org/pub/filter/system_filter.exim ?
(for exim users -- have the server fail the message for any executable
content)
I added my own rule to check the message body (no mime-parsing)
instead of the Content-Type: header since klez usually comes as an
attachment:

if
  "$message_body $message_body_end"
  matches "Content-.*audio/x-wav.*\.(?:pif)"
  or
  "$message_body $message_body_end"
  matches "Content-.*audio/x-mid.*\.(?:scr)"
then
  fail "<<(sender: $sender_address) (From: $h_From:)>> \
        This message has been rejected because the body contains \n\
        text that appears to be MIME Content-Type: headers used by KLEZ.\n\
        If you intended to send the file then please gzip it and resend it."
  seen finish
endif
I bet it wouldn't be too hard for a C programmer to put that test in
the local_scan() function or to make a pseudo-scanner for exiscan so
the message can be rejected at SMTP time (rather than accepting and
then generating a bounce).
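As an added example (not from the post, and not Exim's own code), the two body tests above written as a C check of the kind a local_scan() hook could call before accepting the message; the local_scan() wiring itself is assumed and not shown, and the sample bodies are constructed.

```c
/* Added example: the Klez body tests from the filter above, as a C
 * function suitable for calling from Exim's local_scan(). The hook
 * integration is assumed; only the matching is shown. */
#include <regex.h>
#include <stddef.h>

/* Same patterns as the filter, in POSIX extended syntax. POSIX regex
 * has no PCRE (?:...) groups, so plain groups are used instead. */
static const char *const klez_patterns[] = {
    "Content-.*audio/x-wav.*\\.(pif)",
    "Content-.*audio/x-mid.*\\.(scr)",
};

/* Return 1 if any pattern matches anywhere in body, 0 if none match,
 * -1 if a pattern fails to compile. Without REG_NEWLINE, '.' also
 * matches newlines, so a header folded over several lines still hits.
 * Compiled per call for clarity; a real hook would compile once. */
int klez_body_matches(const char *body)
{
    size_t i;
    for (i = 0; i < sizeof klez_patterns / sizeof klez_patterns[0]; i++) {
        regex_t re;
        int rc;
        if (regcomp(&re, klez_patterns[i], REG_EXTENDED | REG_NOSUB) != 0)
            return -1;
        rc = regexec(&re, body, 0, NULL, 0);
        regfree(&re);
        if (rc == 0)
            return 1;
    }
    return 0;
}

/* Constructed sample bodies: one shaped like a Klez MIME part, one clean. */
const char *const sample_worm =
    "Content-Type: audio/x-wav;\n\tname=setup.pif\n"
    "Content-Transfer-Encoding: base64\n";
const char *const sample_clean =
    "Content-Type: text/plain; charset=us-ascii\n\nHello, see attached.\n";
```

Rejecting on this match at SMTP time avoids the bounce the post mentions; the same pattern can still misfire on a legitimate mail that merely mentions a .pif or .scr name after an audio part, so log the hits.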
-D
--
"He is no fool who gives up what he cannot keep to gain what he cannot lose."
--Jim Elliot
GnuPG key : http://dman.ddts.net/~dman/public_key.gpg
