Re: Exim Subject rejection, (* **** ***)

2000-05-08 Thread Roger Abrahamsson

Anyone know if you can do this in sendmail and if so, how?

/Roger Abrahamsson

On Mon, 8 May 2000, Peter Gervai wrote:

> On Sun, May 07, 2000 at 12:35:38PM -0700, Kevin wrote:
> > How hard would it be to filter *.vbs attachments out.  It was fairly simple
> > to do with NT based MDaemon, but I'm not sure how to go about it with exim
> > or postfix.
> 
> variation of an exim global filter:
> 
> if $message_body: contains ".vbs\"" or
>    $message_body: contains ".wsc\"" or
>    $message_body: contains ".jse\"" or
>    $message_body: contains ".js\"" or
>    $message_body: contains ".vbe\"" then
>   headers add "X-Virus-Alert: WARNING possible Visual Basic/JS Trojan Attachment\n"
>   deliver "[EMAIL PROTECTED]"
> endif
> 
> ===+=
>Peter "grin" Gervai | "It  was  like  a visit  by  Don Corleone. I
> Linux root at Cory-Net Ltd.|expected to find a bloody computer monitor in
>Szekszard, Hungary  |my bed the next day."  --  Mark Andreessen of
>  [EMAIL PROTECTED] on #linux.hu  |Netscape regarding  the visit from 
> microsoft.
> 
> 

-
Roger Abrahamsson, Sys/Net Admin
Obbit AB
Radhusespl.17D, S-90328 Umea, Sweden
Phone: (+46)(0)90 133310 Fax: (+46)(0)90 133370
-



Re: Exim Subject rejection, (* **** ***)

2000-05-08 Thread Peter Gervai
On Sun, May 07, 2000 at 12:35:38PM -0700, Kevin wrote:
> How hard would it be to filter *.vbs attachments out.  It was fairly simple
> to do with NT based MDaemon, but I'm not sure how to go about it with exim
> or postfix.

variation of an exim global filter:

if $message_body: contains ".vbs\"" or
   $message_body: contains ".wsc\"" or
   $message_body: contains ".jse\"" or
   $message_body: contains ".js\"" or
   $message_body: contains ".vbe\"" then
  headers add "X-Virus-Alert: WARNING possible Visual Basic/JS Trojan Attachment\n"
  deliver "[EMAIL PROTECTED]"
endif

===+=
   Peter "grin" Gervai | "It  was  like  a visit  by  Don Corleone. I
Linux root at Cory-Net Ltd.|expected to find a bloody computer monitor in
   Szekszard, Hungary  |my bed the next day."  --  Mark Andreessen of
 [EMAIL PROTECTED] on #linux.hu  |Netscape regarding  the visit from microsoft.
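
The trade-offs raised in this thread, as an added example that is not from any poster: Python's standard `email` parser is used to compare the subject test, the body-substring test and a check of declared MIME attachment filenames on constructed sample messages. The addresses, filenames and function names are assumptions made for the example.

```python
import email
from email import policy
from email.message import EmailMessage

BLOCKED_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsc")  # extensions from the filter above
SUBJECTS = {"ILOVEYOU", "I LOVE YOU"}                  # subjects quoted in the thread

def subject_rule(msg):
    """Exact Subject match, like the $h_subject: test."""
    return (msg["Subject"] or "").strip() in SUBJECTS

def body_rule(raw):
    """Case-insensitive substring test on the raw body, like the $message_body test."""
    body = raw.split(b"\n\n", 1)[-1].lower()
    return any(ext.encode() + b'"' in body for ext in BLOCKED_EXT)

def attachment_rule(msg):
    """Blocked filenames declared by any MIME part (case-insensitive)."""
    names = [part.get_filename() for part in msg.walk()]
    return [n for n in names if n and n.strip().lower().endswith(BLOCKED_EXT)]

def sample(subject, filename=None, body="See attached.\n"):
    """Build a constructed test message and return its wire form."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.org", "b@example.org", subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

def classify(raw):
    """Return (subject hit, body-substring hit, blocked attachment names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return subject_rule(msg), body_rule(raw), attachment_rule(msg)

# Constructed cases: each one exercises a weakness discussed in the thread.
CASES = {
    "original subject + script": sample("ILOVEYOU", "note.TXT.vbs"),
    "changed subject + script": sample("Meeting notes", "notes.txt.VBS"),
    "valentine, no attachment": sample("I LOVE YOU"),
    "text mentions a script": sample("Help", body='My "login.vbs" fails.\n'),
}

if __name__ == "__main__":
    for label, raw in CASES.items():
        print(label, classify(raw))
```

The subject test misses the renamed-subject case and flags the attachment-free one, while the body-substring test flags plain text that merely quotes a script name.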



Re: Exim Subject rejection, (* **** ***)

2000-05-07 Thread Kevin
How hard would it be to filter *.vbs attachments out.  It was fairly simple
to do with NT based MDaemon, but I'm not sure how to go about it with exim
or postfix.


- Original Message -
From: "Russell Coker" <[EMAIL PROTECTED]>
To: "Cherubini Enrico" <[EMAIL PROTECTED]>; "Ralf G. R. Bergs"
<[EMAIL PROTECTED]>
Cc: ; 
Sent: Sunday, May 07, 2000 6:17 AM
Subject: Re: Exim Subject rejection, (*  ***)


On Thu, 04 May 2000, Cherubini Enrico wrote:
>> if ($h_subject: is "ILOVEYOU" or $h_subject: is "I LOVE YOU") and not
>> error_mess
>
>what if someone change subject ? I can't understand why we should believe
>the virus can be only in email with these subject (or like the penpal friend
>one)
>Wouldn't be better do scan email in body searching for fingerprint of macros
>? maybe it can be of high weight to scan all email, but if you want to do
>something, it's better to do it at the best.

Another issue of course is that this subject filter will really suck when St
Valentine's day comes around.

--
My current location - X marks the spot.
X
X
X






Re: Exim Subject rejection, (* **** ***)

2000-05-07 Thread Russell Coker
On Thu, 04 May 2000, Cherubini Enrico wrote:
>> if ($h_subject: is "ILOVEYOU" or $h_subject: is "I LOVE YOU") and not 
>> error_mess
>
>what if someone change subject ? I can't understand why we should believe
>the virus can be only in email with these subject (or like the penpal friend
>one)
>Wouldn't be better do scan email in body searching for fingerprint of macros
>? maybe it can be of high weight to scan all email, but if you want to do
>something, it's better to do it at the best.

Another issue of course is that this subject filter will really suck when St
Valentine's day comes around.

-- 
My current location - X marks the spot.
X
X
X



Re: Exim Subject rejection, (* **** ***)

2000-05-05 Thread Wade Burgett
I added some text filters to stop the luv stuff (in case u have filters :)  I
am looking for a way to test for the presence of attachments with exim so
I can maybe separate them from mail or at least wrap a big nasty warning around
the email.  I'll start playing with this after I get the rest of the mess
cleaned at a couple places, but if someone has some of this done already I'd
love to see a copy.  Thanks.

Thanks.

Wade

Cherubini Enrico wrote:

> Ciao,
>  Thu, May 04, 2000 at 10:56:13PM +0200, Ralf G. R. Bergs wrote:
>
> > = exim.conf ==
> > message_filter = /etc/exim.filter
> > = exim.filter =
> >
> > # Exim filter
> >
> > if ($h_subject: is "ILOVEYOU" or $h_subject: is "I LOVE YOU") and not
> > error_mess
>
> what if someone change subject ? I can't understand why we should believe
> the virus can be only in email with these subject (or like the penpal friend
> one)
> Wouldn't be better do scan email in body searching for fingerprint of macros
> ? maybe it can be of high weight to scan all email, but if you want to do
> something, it's better to do it at the best.
>
> IMHO.
>
> --
>
> Bye
> ++ Maybe you are searching for freedom
> | Enrico |Maybe you can't find it anywhere
> ++  I found it in linux...
> --
> The ultimate result is that some innovations that would truly benefit
> consumers never occur for the sole reason that they do not coincide with
> Microsoft's self-interest.
> -- Judge Thomas Penfield Jackson, U.S. District Judge
>



Re: Exim Subject rejection, (* **** ***)

2000-05-04 Thread Cherubini Enrico
Ciao,
 Thu, May 04, 2000 at 10:56:13PM +0200, Ralf G. R. Bergs wrote:

> = exim.conf ==
> message_filter = /etc/exim.filter
> = exim.filter =
> 
> # Exim filter
> 
> if ($h_subject: is "ILOVEYOU" or $h_subject: is "I LOVE YOU") and not 
> error_mess

what if someone change subject ? I can't understand why we should believe
the virus can be only in email with these subject (or like the penpal friend
one)
Wouldn't be better do scan email in body searching for fingerprint of macros
? maybe it can be of high weight to scan all email, but if you want to do
something, it's better to do it at the best.

IMHO.

-- 

Bye
++ Maybe you are searching for freedom
| Enrico |Maybe you can't find it anywhere
++  I found it in linux...
--
The ultimate result is that some innovations that would truly benefit
consumers never occur for the sole reason that they do not coincide with
Microsoft's self-interest.
-- Judge Thomas Penfield Jackson, U.S. District Judge



RE: Exim Subject rejection, (* **** ***)

2000-05-04 Thread Ralf G. R. Bergs
On Thu, 04 May 2000 15:24:35 -0400 (EDT), Paul Kallstrom wrote:

>It looks like the only system filtering that is
>functional under exim, is sender based.
>
>Since I need to filter by subject, it looks like it's back to sendmail.

WRONG!!

= exim.conf ==

message_filter = /etc/exim.filter


= exim.filter =

# Exim filter

if ($h_subject: is "ILOVEYOU" or $h_subject: is "I LOVE YOU") and not error_message
then fail text "This message looks like a virus."
endif

=== 8x 0

No need to use crappy Sendmail for this simple stuff.


-- 
Sign the EU petition against SPAM:  L I N U X   .~.
http://www.politik-digital.de/spam/The  Choice  /V\
of a  GNU  /( )\
   Generation  ^^-^^




RE: Exim Subject rejection, (* **** ***)

2000-05-04 Thread Paul Kallstrom
Nevermind, I suppose. It looks like the only system filtering that is
functional under exim, is sender based.

Since I need to filter by subject, it looks like it's back to sendmail. What a
time to find THAT out. We have been lucky so far. Only one recipient, and
that one was warned in advance.



Paul



On 04-May-2000 Paul Kallstrom wrote:
> I hate to ask an unresearched question here, but with the current "I LOVE
> YOU"
> trojan, I'm kinda inna hurry.
> 
> How do I tell exim to reject all email with that subject?
> 
> 
> Thanks.
> 
> Paul
> 
> -- 
> --
> E-Mail: Paul Kallstrom <[EMAIL PROTECTED]>
> Date: 04-May-2000
> Time: 10:49:26
> 
> Debian/GNU Linux (Potato) & XFMail
> --
> Random Linuxism: Computers are not intelligent.  They only think they are.
> 

-- 
--
E-Mail: Paul Kallstrom <[EMAIL PROTECTED]>
Date: 04-May-2000
Time: 15:04:05

Debian/GNU Linux (Potato) & XFMail
--
Random Linuxism: We are using Linux daily to UP our productivity - so UP yours!
-- Adapted from Pat Paulsen by Joe Sloan





Exim Subject rejection, (I LOVE YOU)

2000-05-04 Thread Paul Kallstrom
I hate to ask an unresearched question here, but with the current "I LOVE YOU"
trojan, I'm kinda inna hurry.

How do I tell exim to reject all email with that subject?


Thanks.

Paul

-- 
--
E-Mail: Paul Kallstrom <[EMAIL PROTECTED]>
Date: 04-May-2000
Time: 10:49:26

Debian/GNU Linux (Potato) & XFMail
--
Random Linuxism: Computers are not intelligent.  They only think they are.
