Re: PERL filtering...

2000-05-05 Thread Patrick Berry

on 5/5/00 10:32 AM, John W. Lemons III had the thought:

> I have recently deployed a freeware procmail script that does a very good
> job filtering out various forms of malicious mail.  So far it has caught all
> the ILOVEYOU mail and a few of the variants we have seen.  Since I use QMail
> on my own machine, can procmail scripts be used with QMail?  Most of the
> script uses some well crafted PERL code, so if not, it could probably be
> shoe-horned into a form that QMail will utilize.  Any suggestions?

You are better off using something like scan4virus at the queue level.
http://www.geocities.com/jhaar/scan4virus/

While it is probably not advised, I am using it without the QMAILQUEUE
patch.  Instead, the scan4virus program receives the mail, scans it, then
passes it to my renamed qmail-queue program.

Right now I deny all .vbs attachments.  Yes, this is rather draconian and
there might be a 1 in 100,000,000,000,000 chance that someone really needs
to send a .vbs attachment.  Those are the breaks...

Pat

-- 
Freestyle Interactive | http://www.freestyleinteractive.com | 415.778.0610




Re: PERL filtering...

2000-05-05 Thread octave klaba

Hi,

> You are better off using something like scan4virus at the queue level.
> http://www.geocities.com/jhaar/scan4virus/

Setting up scan4virus, I have this error:

Cannot find unzip on your system!

2 stupid questions:
- Where can I find it for Linux?
- Do I need to use McAfee with it? If yes, which version? A URL?

thanks
Octave

Best regards,
oCtAvE 

Connection terminated due to timeout



Re: PERL filtering...

2000-05-05 Thread Patrick Berry

on 5/5/00 10:55 AM, octave klaba had the thought:

> Setting up scan4virus, I have this error:
> 
> Cannot find unzip on your system!
> 
> 2 stupid questions:
> - Where can I find it for Linux?

http://freshmeat.net

> - Do I need to use McAfee with it? If yes, which version? A URL?

No, but you should have at least one kind of scanner.  It is easier if you use
one that is already tested and on the list.  Or you can simply use the
built-in perl scanner.  Freshmeat also has links for virus scanners.

Pat

-- 
Freestyle Interactive | http://www.freestyleinteractive.com | 415.778.0610




Re: PERL filtering...

2000-05-05 Thread Neil Schemenauer

On Fri, May 05, 2000 at 02:32:10PM -0500, John W. Lemons III wrote:
[A whole pile of extensions cut]
> Most of these will never need to be sent or received by a user and all can
> contain malicious code.  Any other suggestions?

Yes.  Fix the mail client or switch to one that does not execute
untrusted code without prompting.

Neil

-- 
Real programmers don't make mistrakes



RE: PERL filtering...

2000-05-05 Thread Mark D. Wilkins

> Consider filtering the following as well:
> 
> *.reg Regedit will inject its contents into your registry without any
> warning if you open this file
> *.hlp Windose help files can contain auto-executing vb script
> *.hta html application, can contain vb script, javascript etc. (MSHTA.EXE
> will run them when you click on them)
> *.shs shell automation code
> *.vbs vb script
> *.chm compiled HTML help file, also can contain vb script, javascript etc.
> 
> Most of these will never need to be sent or received by a user and all can
> contain malicious code.  Any other suggestions?

Here's a snip from a bugtraq post...


Sean Malloy <[EMAIL PROTECTED]> is letting us know that changing the
virus to use a WSF extension instead of VBS is just as effective.
WSF stands for Windows Scripting File. Antivirus vendors that want to
be proactive might want to add this extension to their signatures.


Mark



Re: PERL filtering...

2000-05-05 Thread Searcher

> > I have recently deployed a freeware procmail script that does a very good
> > job filtering out various forms of malicious mail.  So far it has caught all
> > the ILOVEYOU mail and a few of the variants we have seen.  Since I use QMail
> > on my own machine, can procmail scripts be used with QMail?  Most of the
> > script uses some well crafted PERL code, so if not, it could probably be
> > shoe-horned into a form that QMail will utilize.  Any suggestions?
>
> You are better off using something like scan4virus at the queue level.
> http://www.geocities.com/jhaar/scan4virus/
>
> While it is probably not advised, I am using it without the QMAILQUEUE
> patch.  Instead, the scan4virus program receives the mail, scans it, then
> passes it to my renamed qmail-queue program.
>
> Right now I deny all .vbs attachments.  Yes, this is rather draconian and
> there might be a 1 in 100,000,000,000,000 chance that someone really needs
> to send a .vbs attachment.  Those are the breaks...

Thanks Pat...

That was the point I was trying to get across yesterday...  It can be
renamed and sent  through over and over so why not filter all .vbs
attachments?  I tried to emphasize the point that non-tech users are killing
us with their carelessness so we have to protect them from vbs scripts in
order to protect ourselves.

On the same note I carried it through to all exe files as well.  If they
need to be sent by good users-  What's the big deal in changing the
extension to .exx?  Bad guys will send an exe and hope it is run on double
click while an exx obviously won't till the end user changes the extension
back to .exe.

My point is, if we don't stop viruses and Trojans from spreading then Uncle
Sam will try and we do not want that to happen considering the mess we have
with this child safety act.  I wonder at times if they don't create these
problems so they have an excuse to try to control the net!  The news I saw
and read leaned heavily towards government offices and military bases being
affected. :(

Rick < == paranoid!




RE: PERL filtering...

2000-05-05 Thread John W. Lemons III

>> Right now I deny all .vbs attachments.  Yes, this is rather draconian and
>> there might be a 1 in 100,000,000,000,000 chance that someone really needs
>> to send a .vbs attachment.  Those are the breaks...

>That was the point I was trying to get across yesterday...  It can be
>renamed and sent  through over and over so why not filter all .vbs
>attachments?  I tried to emphasize the point that non-tech users are killing
>us with their carelessness so we have to protect them from vbs scripts in
>order to protect ourselves.

>On the same note I carried it through to all exe files as well.  If they
>need to be sent by good users-  What's the big deal in changing the
>extension to .exx?  Bad guys will send an exe and hope it is run on double
>click while an exx obviously won't till the end user changes the extension
>back to .exe.

Consider filtering the following as well:

*.reg   Regedit will inject its contents into your registry without any
warning if you open this file
*.hlp   Windose help files can contain auto-executing vb script
*.hta   html application, can contain vb script, javascript etc.(MSHTA.EXE
will run them when you click on them)
*.shs   shell automation code
*.vbs   vb script
*.chm   compiled HTML help file, also can contain vb script, javascript etc.

Most of these will never need to be sent or received by a user and all can
contain malicious code.  Any other suggestions?
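
The extension deny-list discussed in this thread, as an added example that is not code from any poster or from scan4virus. It combines the list above with .wsf from the quoted Bugtraq note and .exe from Rick's post; the function name and the sample message are constructed for illustration.

```python
import email
from email import policy

# Deny-list taken from the thread: John's list, .wsf (Bugtraq note), .exe (Rick).
BLOCKED = {".reg", ".hlp", ".hta", ".shs", ".vbs", ".chm", ".wsf", ".exe"}

# Constructed sample message: a double extension in upper case, a name that
# appears only in Content-Type with a trailing dot, and a renamed .exx file.
SAMPLE = b"""\
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="notes.TXT.VBS"

dummy
--b1
Content-Type: application/octet-stream; name="page.hta."

dummy
--b1
Content-Type: application/octet-stream; name="tool.exx"

dummy
--b1--
"""


def blocked_attachments(raw_message: bytes) -> list[str]:
    """Return attachment filenames whose final extension is deny-listed."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() reads the Content-Disposition "filename" parameter
        # and falls back to the Content-Type "name" parameter.
        name = part.get_filename()
        if not name:
            continue
        # Windows drops trailing dots and spaces, so "x.hta." opens as .hta.
        cleaned = name.rstrip(". ")
        ext = cleaned[cleaned.rfind("."):].lower() if "." in cleaned else ""
        if ext in BLOCKED:
            hits.append(name)
    return hits


if __name__ == "__main__":
    print(blocked_attachments(SAMPLE))
```

The check looks only at the declared filename, so the renamed .exx attachment passes, as Rick describes; a content scanner is still needed behind it.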