Re: Simple e-mail virus scanner
On Wed 20 Aug Olaf Dietsche wrote:
> I guess, you could integrate this in http://www.spamassassin.org.
> SpamAssassin already scans the email body for signs of spam, so it
> shouldn't be too hard to add another regex. Although, I never did
> this myself. I just use SpamAssassin out of the box with procmail.

A simple way to help with this in SpamAssassin is to increase the score for MICROSOFT_EXECUTABLE to something nice and high. Then anything with one of these attachments gets marked as spam.

doug.
-- 
6973E2CF print 2C95 66AD 1596 37D2 41FC 609F 76C0 A4EC 6973 E2CF
Dasypygal (da-si-PYE-gul), adjective - Having hairy buttocks.
Re: Simple e-mail virus scanner
## Guido Hennecke ([EMAIL PROTECTED]):
> > > With exim and RBLs it is possible to not accept mails. Is there a
> > > way to use these filters with exim but not to send a bounce message?
> > Use "seen finish" as action instead of "fail".
> In ftp://ftp.exim.org/pub/filter/system_filter.exim "seen finish" is
> used, but a bounce message will be generated.

Oh. Yes. Leave out "fail text ...", that generates the bounce, and use "seen finish" alone.

Regards,
cmt
-- 
Spare Space
Re: Simple e-mail virus scanner
## Guido Hennecke ([EMAIL PROTECTED]):
> > Last modification about two years ago...
> > > As usual never ever take automated action based on a simple thing
> > > like filename or whatever. Sort them to a special mailbox and let a
> > > human look at it.
> > Strongly agreed.
> It is much better to not accept the email.

If you have strong criteria for filtering you can reject incoming mail. If all you have are assumptions about filenames of probable attachments (the discussed filter does not parse MIME, it just guesses!), I would not reject the mail. The optimum is rejecting unsolicited mails during the SMTP dialog; this way there will be no bounces to innocent bystanders (as caused by the latest epidemic disease).

> But with the exim filter, the email is accepted and after this a bounce
> mail will be sent to the supposed sender. With exim and RBLs it is
> possible to not accept mails. Is there a way to use these filters with
> exim but not to send a bounce message?

Use "seen finish" as action instead of "fail".

Regards,
cmt
-- 
Spare Space

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Simple e-mail virus scanner
On Thu, Aug 21, 2003 at 09:59:09PM +0200, Christoph Moench-Tegeder wrote:
> The optimum is rejecting unsolicited mails during the SMTP dialog; this
> way there will be no bounces to innocent bystanders (as caused by the
> latest epidemic disease).

Not really. If the message goes through intermediate MX hosts a bounce will be sent to the spoofed sender. The only way to handle these virus messages is to drop them on the floor, but there are other reasons not to do that. I don't know that there's a good solution.

Mike Stone
Re: Simple e-mail virus scanner
## Pascal Weller ([EMAIL PROTECTED]):
> Isn't he saying that if I do the following:
>
>   hey I get a lot of these document_all.pif recently
>
> this message here gets filtered?

It's not that easy. You need at least Content-Type=something and a matching filename, given in MIME-style (name=...). The now well-known "begin 0644 filename" tricks with the correct filename will trigger the filter also. Nigel did his best with these regular expressions, but his filter is not a complete MIME-parser (parsing MIME with regexp only is a pain). So be aware of the limitations of this filter.

> This never happened to me using the example that was at the exim
> ftp-site for a while (can't find it anymore - who would like a copy of
> mine?)

ftp://ftp.exim.org/pub/filter/
Last modification about two years ago...

> As usual never ever take automated action based on a simple thing like
> filename or whatever. Sort them to a special mailbox and let a human
> look at it.

Strongly agreed.

Regards,
Christoph
-- 
Spare Space
Re: Simple e-mail virus scanner
On Thu, Aug 21, 2003 at 04:23:45PM -0400, Michael Stone wrote:
> On Thu, Aug 21, 2003 at 09:59:09PM +0200, Christoph Moench-Tegeder wrote:
> > The optimum is rejecting unsolicited mails during the SMTP dialog;
> > this way there will be no bounces to innocent bystanders (as caused
> > by the latest epidemic disease).
> Not really. If the message goes through intermediate MX hosts a bounce
> will be sent to the spoofed sender. The only way to handle these virus
> messages is to drop them on the floor, but there are other reasons not
> to do that. I don't know that there's a good solution.

Skip the "fail text" part and you will never see them again.

  deliver [EMAIL PROTECTED]

or

  seen save /home/admin/Mail/viruses

is much better. (The second one will complain about permissions if it's not your own .forward.)

Regards,
pascal
Re: Simple e-mail virus scanner
## Noah L. Meyerhans ([EMAIL PROTECTED]):
> On Tue, Aug 19, 2003 at 10:56:29PM +0200, Kjetil Kjernsmo wrote:
> > So, I'm wondering, does anybody know about any such approach?
> After getting sick of all the virus crap in my inbox I installed the
> following in /etc/exim/system_filter.txt:

This approach yields a high false positive rate. This can be a major annoyance on mailing lists, when you get unsubscribed because of a matching mail body. Your filter (which seems to be based on Nigel Metheringham's system_filter) does not parse MIME headers but just looks for filenames following "Content-Type" or "begin". This filter was the main reason for me switching my email from my university's systems to my own system.

Regards,
cmt
-- 
Spare Space
Re: Simple e-mail virus scanner
On Wed, Aug 20, 2003 at 08:26:53AM +0400, Игорь Ляпин wrote:
> Hello Noah,
>
> Could the same approach be used with sendmail? Any examples?
>
> NLM> On Tue, Aug 19, 2003 at 10:56:29PM +0200, Kjetil Kjernsmo wrote:
> NLM> > So, I'm wondering, does anybody know about any such approach?
> NLM> After getting sick of all the virus crap in my inbox I installed the
> NLM> following in /etc/exim/system_filter.txt:
> [ snip nice long Content-Type: regexp for exim ]

I think sendmail can do similar, but I am not sure where to enable it... For postfix though, have a look at man 5 pcre_table and regexp_table.

Lars Ellenberg
Re: Simple e-mail virus scanner
Hi,

Игорь Ляпин [EMAIL PROTECTED] writes:
> Could the same approach be used with sendmail? Any examples?

I guess, you could integrate this in http://www.spamassassin.org. SpamAssassin already scans the email body for signs of spam, so it shouldn't be too hard to add another regex. Although, I never did this myself. I just use SpamAssassin out of the box with procmail.

There's already a sendmail milter at http://savannah.nongnu.org/projects/spamass-milt/

http://www.mimedefang.org/ is another milter for sendmail, which uses SpamAssassin.

Regards, Olaf.
Re: Simple e-mail virus scanner
On Tuesday 19 August 2003 23:42, Noah L. Meyerhans wrote:
> After getting sick of all the virus crap in my inbox I installed the

Thanks, that looks interesting! I'm using the Debian Stable Exim packages too, so I guess this is something I can just cut'n'paste in! :-) And it seems I really need it now... My server is getting hammered badly, and when fetching my e-mail this morning, my POP client timed out three times before I got it...

This filter will reject at SMTP-time, right? One question there: who gets the bounce? I'm getting a whole lot of bounces, and I don't want to bother anyone else with bounces that go to the wrong person...

Cheers,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
Re: Simple e-mail virus scanner
On Wednesday 20 August 2003 10:52, Kjetil Kjernsmo wrote:
> On Tuesday 19 August 2003 23:42, Noah L. Meyerhans wrote:
> > After getting sick of all the virus crap in my inbox I installed the
>
> Thanks, that looks interesting! I'm using the Debian Stable Exim
> packages too, so I guess this is something I can just cut'n'paste in!
> :-) And it seems I really need it now... My server is getting hammered
> badly, and when fetching my e-mail this morning, my POP client timed
> out three times before I got it...
>
> This filter will reject at SMTP-time, right? One question there: who
> gets the bounce? I'm getting a whole lot of bounces, and I don't want
> to bother anyone else with bounces that go to the wrong person...

The mail server that sends the bounce. This is called a double bounce. Correct me if this is wrong ...

-- 
Yannick Van Osselaer
Public Key: wwwkeys.us.pgp.net
Re: Simple e-mail virus scanner
On Wed, Aug 20, 2003 at 08:44:08AM +0200, Christoph Moench-Tegeder wrote:
> > > So, I'm wondering, does anybody know about any such approach?
> > After getting sick of all the virus crap in my inbox I installed the
> > following in /etc/exim/system_filter.txt:
> This approach yields a high false positive rate. This can be a major
> annoyance on mailing lists, when you get unsubscribed because of a
> matching mail body. Your filter (which seems to be based on Nigel
> Metheringham's system_filter) does not parse MIME headers but just
> looks for filenames following "Content-Type" or "begin".

I agree that it is not optimal. However, as I don't run Windows I don't expect to see any legitimate attachments whose file names match the regex in that filter. Same goes for the few other people who use this mail server. I would be much more careful about installing this filter in a setting where dozens or hundreds of users may be affected by it.

And yes, it was based on Nigel Metheringham's filter. I just copy-pasted the chunks that I used.

noah
Re: Simple e-mail virus scanner
On Wednesday 20 August 2003 06:52 am, Yannick Van Osselaer wrote:
> On Wednesday 20 August 2003 10:52, Kjetil Kjernsmo wrote:
> > On Tuesday 19 August 2003 23:42, Noah L. Meyerhans wrote:
> > This filter will reject at SMTP-time, right? One question there: who
> > gets the bounce? I'm getting a whole lot of bounces, and I don't want
> > to bother anyone else with bounces that go to the wrong person...
> The mail server that sends the bounce. This is called a double bounce.
> Correct me if this is wrong ...

Yes, it goes back to the server doing the sending. It's a double bounce when the bounce message itself bounces. I don't know how this virus is propagating itself, but I would imagine that if it does the sending itself, rejecting at the initial SMTP session would not result in a double bounce. However, if it uses some relay (that it either set up itself, or found on a network, etc) and used forged headers, then it will go to some unsuspecting person (whoever is in the headers).

Jay
-- 
Jay Kline
http://www.slushpupie.com/
Re: Simple e-mail virus scanner
## Noah L. Meyerhans ([EMAIL PROTECTED]):
> On Wed, Aug 20, 2003 at 08:44:08AM +0200, Christoph Moench-Tegeder wrote:
> > > > So, I'm wondering, does anybody know about any such approach?
> > > After getting sick of all the virus crap in my inbox I installed the
> > > following in /etc/exim/system_filter.txt:
> > This approach yields a high false positive rate. This can be a major
> > annoyance on mailing lists, when you get unsubscribed because of a
> > matching mail body. Your filter (which seems to be based on Nigel
> > Metheringham's system_filter) does not parse MIME headers but just
> > looks for filenames following "Content-Type" or "begin".
> I agree that it is not optimal. However, as I don't run Windows I don't
> expect to see any legitimate attachments whose file names match the
> regex in that filter.

I don't care for these files, but having to resubscribe to Bugtraq every few weeks got on my nerves. The trouble is that these regex filters might see attachments where no attachments are. If you can live with this, go on, it is the easiest and cheapest way to reduce the virii and worms in your inbox.

Regards,
cmt
-- 
Spare Space
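The false-positive mechanism Christoph describes here, and in his earlier reply to Pascal (a body line mentioning document_all.pif is not enough; a Content-Type line with name=... or a "begin 0644 filename" line is what trips the filter), is easy to reproduce. The following Python is an added example written for this page; it is not Nigel Metheringham's filter, the exim filter from the thread, or any list member's code. It runs a regex-only check in the spirit of the discussed system_filter next to a check that walks the parsed MIME structure, over three constructed messages: a mailing-list post that quotes a header line in its body, a genuine .pif attachment, and an inline uuencoded block. The extension list beyond .pif/.exe/.bat and all addresses and filenames are assumptions made for the example.

```python
"""Regex-only vs MIME-aware attachment filename checks (added example)."""
import email
import re
from email import policy

# Extensions treated as Windows executables. .pif/.exe/.bat are named in the
# thread; .scr and .com are added here as an assumption.
BANNED_EXT = re.compile(r"\.(?:pif|exe|bat|scr|com)$", re.IGNORECASE)

# A regex-only check in the spirit of the discussed system_filter: any line in
# the raw message that looks like a Content-Type header with a name= parameter,
# or a uuencode "begin 0644 filename" line, wherever it appears.
NAIVE_RE = re.compile(
    r"(?im)^(?:Content-Type:.*?name=\"?|begin\s+[0-7]{3,4}\s+)"
    r"([^\"\s;]+\.(?:pif|exe|bat|scr|com))\b"
)

# uuencode header line; only meaningful when found inside a text part.
UUENCODE_BEGIN = re.compile(r"(?m)^begin\s+[0-7]{3,4}\s+(\S+)\s*$")


def naive_filter(raw: str) -> list:
    """Banned filenames the regex-only check sees anywhere in the raw text."""
    return NAIVE_RE.findall(raw)


def mime_filter(raw: str) -> list:
    """Banned filenames found by walking the parsed MIME structure.

    Attachment names are taken from Content-Disposition / Content-Type
    parameters of real parts, so a header-looking line quoted in a text
    body is not mistaken for an attachment. Text parts are still scanned
    for uuencoded "begin" blocks, the trick mentioned in the thread.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and BANNED_EXT.search(name):
            hits.append(name)
            continue
        if part.get_content_maintype() == "text":
            for fname in UUENCODE_BEGIN.findall(part.get_content()):
                if BANNED_EXT.search(fname):
                    hits.append(fname)
    return hits


# Constructed sample 1: a list post quoting a header line in its body.
# There is no attachment, but the quoted line looks exactly like one.
SAMPLE_DISCUSSION = """\
From: list-member@example.invalid
To: list@example.invalid
Subject: Re: Simple e-mail virus scanner
Content-Type: text/plain; charset=us-ascii

hey, I get a lot of these document_all.pif recently; the part looks like:

Content-Type: application/octet-stream; name=document_all.pif

does the filter catch that?
"""

# Constructed sample 2: a multipart message carrying a real .pif attachment
# (the base64 payload is just the text "not an executable").
SAMPLE_ATTACHMENT = """\
From: somebody@example.invalid
To: victim@example.invalid
Subject: Re: Wicked screensaver
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sample-boundary-42"

--sample-boundary-42
Content-Type: text/plain; charset=us-ascii

See the attached file for details.

--sample-boundary-42
Content-Type: application/octet-stream; name="wicked_scr.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="wicked_scr.pif"

bm90IGFuIGV4ZWN1dGFibGU=
--sample-boundary-42--
"""

# Constructed sample 3: no MIME attachment at all, but a uuencoded file
# inline in the text body (payload line is made up).
SAMPLE_UUENCODE = """\
From: somebody@example.invalid
To: victim@example.invalid
Subject: Re: Details
Content-Type: text/plain; charset=us-ascii

Please see the attached file.

begin 0644 details.pif
0;VYT(&%N(&5X96-U=&%B;&4
end
"""

if __name__ == "__main__":
    for label, raw in (("discussion", SAMPLE_DISCUSSION),
                       ("attachment", SAMPLE_ATTACHMENT),
                       ("uuencode", SAMPLE_UUENCODE)):
        print(f"{label:10s} naive={naive_filter(raw)} mime={mime_filter(raw)}")
```

Only the first sample separates the two checks: the regex sees "document_all.pif" in a quoted line and would reject or bounce a harmless list post, while the MIME walk finds no attachment. Both checks catch the real attachment and the uuencoded block, which is the behaviour a filter that sorts suspects into a mailbox for human review (rather than rejecting) should aim for.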
Re: Simple e-mail virus scanner
On Wed, Aug 20, 2003 at 10:40:13AM -0400, Noah L. Meyerhans wrote:
> On Wed, Aug 20, 2003 at 08:44:08AM +0200, Christoph Moench-Tegeder wrote:
> > > > So, I'm wondering, does anybody know about any such approach?
> > > After getting sick of all the virus crap in my inbox I installed the
> > > following in /etc/exim/system_filter.txt:
> > This approach yields a high false positive rate. This can be a major
> > annoyance on mailing lists, when you get unsubscribed because of a
> > matching mail body. Your filter (which seems to be based on Nigel
> > Metheringham's system_filter) does not parse MIME headers but just
> > looks for filenames following "Content-Type" or "begin".
> I agree that it is not optimal. However, as I don't run Windows I don't
> expect to see any legitimate attachments whose file names match the
> regex in that filter. Same goes for the few other people who use this
> mail server. I would be much more careful about installing this filter
> in a setting where dozens or hundreds of users may be affected by it.
>
> And yes, it was based on Nigel Metheringham's filter. I just
> copy-pasted the chunks that I used.

Isn't he saying that if I do the following:

  hey I get a lot of these document_all.pif recently

this message here gets filtered? This never happened to me using the example that was at the exim ftp-site for a while (can't find it anymore - who would like a copy of mine?)

I was bitten by the more general approach of mailscanner (apt-cache show mailscanner) where every document1.sxw.pdf is treated as bad. So I had to turn this feature off.

As usual never ever take automated action based on a simple thing like filename or whatever. Sort them to a special mailbox and let a human look at it. (Me being very annoyed about all these "there was a virus in your mail" I get on top of the mess.)

These filters can fend off a lot of this stuff and are very cheap (in price and CPU-time). I can only recommend using it (the right way).

Regards,
pascal
Re: Simple e-mail virus scanner
On Wednesday 20 August 2003 17:05, Jay Kline wrote:
> > The mail server that sends the bounce. This is called a double bounce.
> > Correct me if this is wrong ...
> Yes, it goes back to the server doing the sending. It's a double bounce
> when the bounce message itself bounces. I don't know how this virus is
> propagating itself, but I would imagine that if it does the sending
> itself, rejecting at the initial SMTP session would not result in a
> double bounce. However, if it uses some relay (that it either set up
> itself, or found on a network, etc) and used forged headers, then it
> will go to some unsuspecting person (whoever is in the headers).

I've examined a few messages I've got now, and none of them had been through any relays. In fact, they had all been sent directly from dialups or *DSL users. Here are the headers of an example:

Return-path: [EMAIL PROTECTED]
Envelope-to: [EMAIL PROTECTED]
Received: from mail by pooh.kjernsmo.net with spam-scanned (Exim 3.35 #1 (Debian))
    id 19pYJ2-0007EM-00
    for [EMAIL PROTECTED]; Wed, 20 Aug 2003 21:07:40 +0200
Received: from ppp-67-67-194-5.dsl.austtx.swbell.net ([67.67.194.5] helo=WILLNCANDY)
    by pooh.kjernsmo.net with esmtp (Exim 3.35 #1 (Debian))
    id 19pYIZ-0007E7-00
    for [EMAIL PROTECTED]; Wed, 20 Aug 2003 21:07:14 +0200
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Wicked screensaver
Date: Wed, 20 Aug 2003 14:07:06 --0500
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=_NextPart_000_000FCE03
Message-Id: [EMAIL PROTECTED]

(BTW, don't send anything to the [EMAIL PROTECTED] address, ever. It is intended as a spamtrap... Unfortunately, viruses like this limit its usefulness as a spamtrap; that's one of the reasons I want to filter this before going to SpamAssassin.)

OK, so if I get this correctly, a double bounce would result in my getting the bounce, but that's unlikely to occur. But it is still not clear to me who gets the bounce; it would be the sender on the envelope, but that's [EMAIL PROTECTED] in this case, right? And that's something I wouldn't want to happen...

Best,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
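Jay's distinction (direct delivery from the infected host versus delivery through a relay) and Kjetil's question (who receives a post-acceptance bounce) can both be read off the headers above. The Python below is an added example for this page, not code from any list member. It reconstructs the quoted headers with constructed placeholder addresses (the archive redacted the real ones), parses the Received: chain oldest-first, reports which hops were actual connections from outside the local domain, and extracts the envelope sender that a bounce would be addressed to. The local domain suffix is passed in as a parameter; ".kjernsmo.net" is assumed from the headers.

```python
"""Reading a Received: chain and the envelope sender (added example)."""
import email
import re
from email import policy

# Reconstructed from the headers quoted in the post above; addresses are
# constructed placeholders because the archive redacted them.
SAMPLE_HEADERS = """\
Return-path: <spoofed-sender@example.invalid>
Envelope-to: <spamtrap@example.invalid>
Received: from mail by pooh.kjernsmo.net with spam-scanned (Exim 3.35 #1 (Debian))
    id 19pYJ2-0007EM-00
    for <spamtrap@example.invalid>; Wed, 20 Aug 2003 21:07:40 +0200
Received: from ppp-67-67-194-5.dsl.austtx.swbell.net ([67.67.194.5] helo=WILLNCANDY)
    by pooh.kjernsmo.net with esmtp (Exim 3.35 #1 (Debian))
    id 19pYIZ-0007E7-00
    for <spamtrap@example.invalid>; Wed, 20 Aug 2003 21:07:14 +0200
From: <spoofed-sender@example.invalid>
To: <spamtrap@example.invalid>
Subject: Re: Wicked screensaver
X-Mailer: Microsoft Outlook Express 6.00.2600.

"""

HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)"           # host the connection claims to come from
    r"(?:\s+\((?P<detail>[^)]*)\))?"  # optional "([ip] helo=...)" detail
    r"\s+by\s+(?P<by>\S+)"            # host that wrote this Received: line
    r"\s+with\s+(?P<with>\S+)"        # protocol: esmtp, smtp, local, ...
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"helo=(\S+)")


def parse_received(raw: str) -> list:
    """One dict per Received: header, in transit order (oldest hop first).

    Received: lines are prepended by each host, so the bottom one is the
    first hop; reversing the header order restores the path the mail took.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(str(value))   # str() gives the unfolded header value
        if not m:
            continue
        detail = m.group("detail") or ""
        ip = IP_RE.search(detail)
        helo = HELO_RE.search(detail)
        hops.append({
            "from": m.group("from"),
            "ip": ip.group(1) if ip else None,
            "helo": helo.group(1) if helo else None,
            "by": m.group("by"),
            "with": m.group("with"),
        })
    return hops


def external_hops(hops: list, local_suffix: str) -> list:
    """Hops where a host outside local_suffix actually connected.

    Only lines recording a connecting IP count; internal handoffs such as
    the "from mail ... with spam-scanned" pass carry no IP and are skipped.
    """
    return [h for h in hops
            if h["ip"] is not None and not h["from"].endswith(local_suffix)]


def delivered_directly(hops: list, local_suffix: str) -> bool:
    """True when exactly one outside host appears in the chain, i.e. the
    message came straight from it with no intermediate relay in between."""
    return len(external_hops(hops, local_suffix)) == 1


def bounce_recipient(raw: str) -> str:
    """The envelope sender (Return-path): where a post-acceptance bounce goes.

    For worm mail this address is forged, which is why a bounce generated
    after the message was accepted lands on an uninvolved third party.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    value = str(msg.get("Return-path", "")).strip()
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    for h in hops:
        print(h)
    print("direct:", delivered_directly(hops, ".kjernsmo.net"))
    print("bounce would go to:", bounce_recipient(SAMPLE_HEADERS))
```

On the sample, the only external hop is the DSL host, whose HELO name (a workstation name) differs from its reverse DNS; the message was delivered directly, so an SMTP-time reject would have gone back to the infected machine, whereas a bounce sent after acceptance would go to the forged Return-path address. Note that Mike Stone's objection stands for mail that arrives through a secondary MX: there the only external hop visible to the final server is the MX, and a reject would make that MX bounce to the forged sender.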
Re: Simple e-mail virus scanner
Kjetil Kjernsmo wrote:
> Dear all,
>
> I guess I'm not really looking for a security solution, but I guess you
> folks are the most likely to know, so I try here...
>
> In the last couple of hours, I've got about 25 100KB of the recent
> Sobig.f M$ virus, along with about the same number of bogus "there was
> a virus in an e-mail you sent". It would be really great to be able to
> filter those out so that I don't need to see them, that is, get them in
> a folder I can clean out now and then. But I don't want to run a
> full-scale virus scanner, because for the time being, I really don't
> need any, as no e-mail is read on an MS machine here.
>
> I figured, most viruses should be detectable by using simple regexes,
> right? So, a simple scanner that looks for a number of regexes
> available from a repository could do the trick...? Or perhaps use
> something like Vipul's Razor for this kind of stuff...?
>
> So, I'm wondering, does anybody know about any such approach?
>
> Cheers,
>
> Kjetil

You may just want to bite the bullet and install amavisd-new. Even though you're not really worried about the viruses per se, it will filter out the crap. If Sobig.F is any indication, this may become more desirable.

You may even just want to install amavis without a virus scanner (and just searching for banned filenames), if an AV program imposes too much of a load on your system. Amavis also is nice for catching executable files that are so common with current worms (our install actually was catching Sobig.F this way before the AV signatures were updated). If you're not reading email on an MS machine, I'm guessing it's fairly rare for you to receive legit emails with .pif, .exe, or .bat attachments. The nice thing is, amavis will do a better job at catching the attachments than some of the ad hoc methods discussed earlier (see the config section on banned filenames). Another plus is that it can be configured to SMTP reject the message, instead of accepting and then bouncing.

--Rich

_________________________
Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746
tel: 218.262.1130
email: [EMAIL PROTECTED]
_________________________
Re: Simple e-mail virus scanner
## Noah L. Meyerhans ([EMAIL PROTECTED]): On Tue, Aug 19, 2003 at 10:56:29PM +0200, Kjetil Kjernsmo wrote: So, I'm wondering, does anybody know about any such approach? After getting sick of all the virus crap in my inbox I installed the following in /etc/exim/system_filter.txt: This approach yields a high false positive rate. This can be a major annoyance on mailing lists, when you get unsubscribed because of a matching mail body. Your filter (which seems to be based on Nigel Metheringham's system_filter) does not parse MIME headers but just looks for filenames following Content-Type or begin. This filter was the main reason for me switching my email from my universities systems to my own system. Regards, cmt -- Spare Space
Re: Simple e-mail virus scanner
On Wed, Aug 20, 2003 at 08:26:53AM +0400, ? ? wrote: Hello Noah, Does the same approach could be use with sendmail ? Any examples? NLM On Tue, Aug 19, 2003 at 10:56:29PM +0200, Kjetil Kjernsmo wrote: So, I'm wondering, does anybody know about any such approach? NLM After getting sick of all the virus crap in my inbox I installed the NLM following in /etc/exim/system_filter.txt: [ snip nice long Content-Type: regexp for exim ] I think sendmail can do similar, but I am not sure where to enable it... for postfix though, have a look at man 5 pcre_table and regexp_table. Lars Ellenberg
Re: Simple e-mail virus scanner
Hi, Игорь Ляпин [EMAIL PROTECTED] writes: Does the same approach could be use with sendmail ? Any examples? I guess, you could integrate this in http://www.spamassassin.org. SpamAssassin already scans the email body for signs of spam, so it shouldn't be too hard, to add another regex. Although, I never did this myself. I just use SpamAssassin out of the box with procmail. There's already a sendmail milter at http://savannah.nongnu.org/projects/spamass-milt/ http://www.mimedefang.org/ is another milter for sendmail, which uses SpamAssassin. Regards, Olaf.
Re: Simple e-mail virus scanner
On Tuesday 19 August 2003 23:42, Noah L. Meyerhans wrote: After getting sick of all the virus crap in my inbox I installed the Thanks, that looks interesting! I'm using the Debian Stable Exim packages too, so I guess this is something I can just cut'n'paste in! :-) And it seems I really need it now... My server is getting hammered badly, and when fetching my e-mail this morning, my POP client timed out three times before I got it... This filter will reject at SMTP-time, right? One question there? Who gets the bounce? I'm getting a whole lot of bounces, and I don't want to bother anyone else with bounces that go to the wrong person... Cheers, Kjetil -- Kjetil Kjernsmo Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] Homepage: http://www.kjetil.kjernsmo.net/OpenPGP KeyID: 6A6A0BBC
Re: Simple e-mail virus scanner
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Wednesday 20 August 2003 10:52, Kjetil Kjernsmo wrote: On Tuesday 19 August 2003 23:42, Noah L. Meyerhans wrote: After getting sick of all the virus crap in my inbox I installed the Thanks, that looks interesting! I'm using the Debian Stable Exim packages too, so I guess this is something I can just cut'n'paste in! :-) And it seems I really need it now... My server is getting hammered badly, and when fetching my e-mail this morning, my POP client timed out three times before I got it... This filter will reject at SMTP-time, right? One question there? Who gets the bounce? I'm getting a whole lot of bounces, and I don't want to bother anyone else with bounces that go to the wrong person... The mail server that send the bounce. This is called a double bounce. Correct me if this is wrong ... - -- Yannick Van Osselaer Public Key: wwwkeys.us.pgp.net -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux) iD8DBQE/Q2D693+qyX+enAERAtxeAJ9zNtlCh21Oi78atKvFj+p/iEWCAQCgwPyY FVxoaF9iO/jKMk3kSVTlTvI= =vWFj -END PGP SIGNATURE-
Re: Simple e-mail virus scanner
On Wed, Aug 20, 2003 at 08:44:08AM +0200, Christoph Moench-Tegeder wrote: So, I'm wondering, does anybody know about any such approach? After getting sick of all the virus crap in my inbox I installed the following in /etc/exim/system_filter.txt: This approach yields a high false positive rate. This can be a major annoyance on mailing lists, when you get unsubscribed because of a matching mail body. Your filter (which seems to be based on Nigel Metheringham's system_filter) does not parse MIME headers but just looks for filenames following Content-Type or begin. I agree that it is not optimal. However, as I don't run Windows I don't expect to see any legitimate attachments whose file names match the regex in that filter. Same goes for the few other people who use this mail server. I would be much more careful about installing this filter in a setting where dozens or hundreds of users may be affected by it. And yes, it was based on Nigel Metheringham's filter. I just copypasted the chunks that I used. noah pgplDJY1ZeoHP.pgp Description: PGP signature
Re: Simple e-mail virus scanner
On Wednesday 20 August 2003 06:52 am, Yannick Van Osselaer wrote: On Wednesday 20 August 2003 10:52, Kjetil Kjernsmo wrote: On Tuesday 19 August 2003 23:42, Noah L. Meyerhans wrote: This filter will reject at SMTP-time, right? One question there? Who gets the bounce? I'm getting a whole lot of bounces, and I don't want to bother anyone else with bounces that go to the wrong person... The mail server that send the bounce. This is called a double bounce. Correct me if this is wrong ... Yes, it goes back to the server doing the sending. Its a double bounce when the bounce message itself bounces. I dont know how this virus is proigating itself, but I would imagine that if it does the sending itself, rejecting at the initial smtp session would not result in a double bounce. However, if it uses some relay (that it either set up itself, or found on a network, etc) and used forged headers, then it will go to some unsusspecting person (of whoever is in the headers). Jay -- Jay Kline http://www.slushpupie.com/
Re: Simple e-mail virus scanner
## Noah L. Meyerhans ([EMAIL PROTECTED]): On Wed, Aug 20, 2003 at 08:44:08AM +0200, Christoph Moench-Tegeder wrote: So, I'm wondering, does anybody know about any such approach? After getting sick of all the virus crap in my inbox I installed the following in /etc/exim/system_filter.txt: This approach yields a high false positive rate. This can be a major annoyance on mailing lists, when you get unsubscribed because of a matching mail body. Your filter (which seems to be based on Nigel Metheringham's system_filter) does not parse MIME headers but just looks for filenames following Content-Type or begin. I agree that it is not optimal. However, as I don't run Windows I don't expect to see any legitimate attachments whose file names match the regex in that filter. I don't care for these files, but having to resubscribe to Bugtraq every few weeks got on my nerves. The trouble is that these regex filters might see attachments where no attachments are. If you can live with this, go on, it is the easiest and cheappest way to reduce the virii and worms in your inbox. Regards, cmt -- Spare Space
Re: Simple e-mail virus scanner
Am Wed, Aug 20, 2003 at 10:40:13AM -0400, Noah L. Meyerhans sagte: On Wed, Aug 20, 2003 at 08:44:08AM +0200, Christoph Moench-Tegeder wrote: So, I'm wondering, does anybody know about any such approach? After getting sick of all the virus crap in my inbox I installed the following in /etc/exim/system_filter.txt: This approach yields a high false positive rate. This can be a major annoyance on mailing lists, when you get unsubscribed because of a matching mail body. Your filter (which seems to be based on Nigel Metheringham's system_filter) does not parse MIME headers but just looks for filenames following Content-Type or begin. I agree that it is not optimal. However, as I don't run Windows I don't expect to see any legitimate attachments whose file names match the regex in that filter. Same goes for the few other people who use this mail server. I would be much more careful about installing this filter in a setting where dozens or hundreds of users may be affected by it. And yes, it was based on Nigel Metheringham's filter. I just copypasted the chunks that I used. noah Isn't he saying that if i do the following: hey I get a lot of these document_all.pif recently this message here get filtered? This never happend to me using the example who was at the exim ftp-site for a while (can't find it anymore - who likes a copy of mine?) I was bitten by the more generall approach of mailscanner (apt-cache show mailscanner) where every document1.sxw.pdf is treated as bad. So I had to turn this feature off. As usual never ever take automated action based on a simple thing like filename or whatever. Sort them to a special mailbox and let a human look at it. (me beeing very annoyed about all these there was a virus in your mail I get on top of the mess) These filters can fend off a lot of this stuff and are very cheap (in price and CPU-time). I can only recommend using it (the right way). gruss pascal
Re: Simple e-mail virus scanner
On Wednesday 20 August 2003 17:05, Jay Kline wrote:
> > The mail server that sends the bounce. This is called a "double bounce".
> > Correct me if this is wrong ...
>
> Yes, it goes back to the server doing the sending. It's a "double bounce"
> when the bounce message itself bounces. I don't know how this virus is
> propagating itself, but I would imagine that if it does the sending
> itself, rejecting at the initial smtp session would not result in a double
> bounce. However, if it uses some relay (that it either set up itself, or
> found on a network, etc) and used forged headers, then it will go to some
> unsuspecting person (whoever is in the headers).

I've examined a few messages I've got now, and none of them had been
through any relays. In fact, they had all been sent directly from dialups
or *DSL users. Here are the headers of an example:

Return-path: [EMAIL PROTECTED]
Envelope-to: [EMAIL PROTECTED]
Received: from mail by pooh.kjernsmo.net with spam-scanned (Exim 3.35 #1 (Debian))
        id 19pYJ2-0007EM-00
        for [EMAIL PROTECTED]; Wed, 20 Aug 2003 21:07:40 +0200
Received: from ppp-67-67-194-5.dsl.austtx.swbell.net ([67.67.194.5] helo=WILLNCANDY)
        by pooh.kjernsmo.net with esmtp (Exim 3.35 #1 (Debian))
        id 19pYIZ-0007E7-00
        for [EMAIL PROTECTED]; Wed, 20 Aug 2003 21:07:14 +0200
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Wicked screensaver
Date: Wed, 20 Aug 2003 14:07:06 --0500
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=_NextPart_000_000FCE03
Message-Id: [EMAIL PROTECTED]

(BTW, don't send anything to the [EMAIL PROTECTED] address, ever. It is
intended as a spamtrap... Unfortunately, viruses like this limit its
usefulness as a spamtrap; that's one of the reasons I want to filter this
before it goes to SpamAssassin.)

OK, so if I get this correctly, a double bounce would mean that I get the
bounce, but that's unlikely to occur. But it is still not clear to me who
gets the bounce; it would be the sender on the envelope, but that's
[EMAIL PROTECTED] in this case, right? And that's something I wouldn't
want to happen...

Best,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/   OpenPGP KeyID: 6A6A0BBC
Re: Simple e-mail virus scanner
Kjetil Kjernsmo wrote:
> Dear all,
>
> I guess I'm not really looking for a security solution, but I guess you
> folks are the most likely to know, so I try here...
>
> In the last couple of hours, I've got about 25 100KB of the recent
> Sobig.f M$ virus, along with about the same number of bogus "there was a
> virus in an e-mail you sent". It would be really great to be able to
> filter those out so that I don't need to see them, that is, get them in
> a folder I can clean out now and then. But I don't want to run a
> full-scale virus scanner, because for the time being, I really don't
> need any, as no e-mail is read on an MS machine here.
>
> I figured most viruses should be detectable by using simple regexes,
> right? So, a simple scanner that looks for a number of regexes available
> from a repository could do the trick...? Or perhaps use something like
> Vipul's Razor for this kind of stuff...?
>
> So, I'm wondering, does anybody know about any such approach?
>
> Cheers,
>
> Kjetil

You may just want to bite the bullet and install amavisd-new. Even though
you're not really worried about the viruses per se, it will filter out the
crap. If Sobig.F is any indication, this may become more desirable.

You may even just want to install amavis without a virus scanner (and just
searching for banned filenames), if an AV program imposes too much of a
load on your system. Amavis also is nice for catching executable files
that are so common with current worms (our install actually was catching
Sobig.F this way before the AV signatures were updated). If you're not
reading email on an MS machine, I'm guessing it's fairly rare for you to
receive legit emails with .pif, .exe, or .bat attachments. The nice thing
is, amavis will do a better job at catching the attachments than some of
the ad hoc methods discussed earlier (see the config section on banned
filenames). Another plus is that it can be configured to SMTP reject the
message, instead of accepting and then bouncing.

--Rich

_________________________________
Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746
tel: 218.262.1130
email: [EMAIL PROTECTED]
_________________________________
Re: Simple e-mail virus scanner
On Tue, Aug 19, 2003 at 10:56:29PM +0200, Kjetil Kjernsmo wrote:
> So, I'm wondering, does anybody know about any such approach?

After getting sick of all the virus crap in my inbox I installed the
following in /etc/exim/system_filter.txt:

## ---------------------------------------------------------------------
# Attempt to catch embedded VBS attachments
# in emails.   These were used as the basis for
# the ILOVEYOU virus and its variants - many many variants
# Quoted filename - [body_quoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\s*)[\\w-]+/[\\w-]+|Disposition:(?>\\s*)attachment);(?>\\s*)(?:file)?name=|begin(?>\\s+)[0-7]{3,4}(?>\\s+))(\"[^\"]+\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\s;]"
then
  fail text "This message has been rejected because it has\n\
  a potentially executable attachment \"$1\"\n\
  This form of attachment has been used by\n\
  recent viruses or other malware.\n\
  If you meant to send this file then please\n\
  package it up as a zip file and resend it."
  seen finish
endif

# same again using unquoted filename [body_unquoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\s*)[\\w-]+/[\\w-]+|Disposition:(?>\\s*)attachment);(?>\\s*)(?:file)?name=|begin(?>\\s+)[0-7]{3,4}(?>\\s+))(\\S+\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\s;]"
then
  fail text "This message has been rejected because it has\n\
  a potentially executable attachment \"$1\"\n\
  This form of attachment has been used by\n\
  recent viruses or other malware.\n\
  If you meant to send this file then please\n\
  package it up as a zip file and resend it."
  seen finish
endif
## ---------------------------------------------------------------------

And put

  message_filter = /etc/exim/system_filter.txt

in /etc/exim/exim.conf.

It seems to be working. I've seen a couple of rejections get logged in
/var/log/exim/mainlog since I installed it an hour ago. Why these
rejections don't go to /var/log/exim/rejectlog I don't know, but the point
is that the junk is not cluttering my mailbox.

noah
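Christoph's objection (the filter does not parse MIME, it pattern-matches the raw body) and Pascal's worry about a post that merely mentions such a filename can be checked side by side. This is an added example, not code from this thread or from Nigel Metheringham's filter: it reimplements the body regex of Noah's filter in Python next to a MIME-aware check of the kind amavis's banned-filename feature performs, on two constructed messages (addresses, boundary and attachment content are made up).

```python
import re
from email import message_from_string, policy

# Extension alternation copied from the exim filter posted above.
RISKY = (r"ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|"
         r"lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]")

# Same heuristic as that filter: a name=... or uuencode "begin" line anywhere
# in the raw text, with no knowledge of the MIME structure.
BODY_RE = re.compile(
    r'(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);'
    r'\s*(?:file)?name=|begin\s+[0-7]{3,4}\s+)"?([^"\s;]+\.(?:' + RISKY + r'))"?[\s;]',
    re.IGNORECASE)

# MIME-aware check: only parts that declare a filename count, and only the
# final extension is judged (so "document1.sxw.pdf" is not treated as bad).
FILE_RE = re.compile(r"\.(?:" + RISKY + r")$", re.IGNORECASE)


def body_regex_hits(raw):
    """Filenames the body-scanning regex would reject in this raw message."""
    return BODY_RE.findall(raw)


def mime_attachment_hits(raw):
    """Filenames of real attachment parts that carry a risky extension."""
    msg = message_from_string(raw, policy=policy.default)
    names = [p.get_filename() for p in msg.walk()]
    return [n for n in names if n and FILE_RE.search(n)]


# Constructed sample 1: a multipart message really carrying a .pif file.
WORM = """\
Subject: Re: Wicked screensaver
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: application/octet-stream; name="wicked_scr.pif"
Content-Disposition: attachment; filename="wicked_scr.pif"

TVo=
--XYZ--
"""
# Constructed sample 2: a plain-text list post that only quotes such headers.
REPLY = """\
Subject: Re: Simple e-mail virus scanner
Content-Type: text/plain

The mails I get all look like this:
> Content-Disposition: attachment; filename="wicked_scr.pif"
Should I bounce them?
"""
```

Both checks flag the first sample, but only the body regex rejects the second, which is exactly how an innocent list post gets bounced.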