Hi..

And we are going to continue getting them for quite some time still...

Can it possibly be requested that MTA Administrators set up filters to block the viruses please? As for an example filter.. This is a global filter working wonders with the Exim MTA. For sendmail and other MTAs the filter has to be modified I presume...

global_filter.exim

# Exim filter
## Version: 0.06
## If you haven't worked with exim filters before, read
## the install notes at the end of this file.
#
# Only run any of this stuff on the first pass through the
# filter - this is an optimisation for messages that get
# queued and have several delivery attempts
#
# we express this in reverse so we can just bail out
# on inappropriate messages
if error_message or not first_delivery
then
  finish
endif

# Look for single part MIME messages with suspicious name extensions
# Check Content-Type header
if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|bat|shs)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|bat|shs))"
then
  fail text "This message has been rejected because it has\n\
\tan apparently executable attachment $1\n\
\tThis form of attachment has been used by\n\
\trecent viruses such as that described in\n\
\thttp://www.fsecure.com/v-descs/love.htm\n\
\tIf you meant to send this file then please\n\
\tpackage it up as a zip file and resend it."
  seen finish
endif

# Attempt to catch embedded VBS attachments
# in emails.  These were used as the basis for
# the ILOVEYOU virus and its variants
#
if $message_body matches "(?:Content-(?:Type:\\\\s*[\\\\w-]+/[\\\\w-]+|Disposition:\\\\s*attachment);\\\\s*(?:file)?name=|begin\\\\s+[0-7]{3,4}\\\\s+)(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|bat|shs)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|bat|shs))[\\\\s;]"
then
  fail text "This message has been rejected because it has\n\
\tan apparently executable attachment $1\n\
\tThis form of attachment has been used by\n\
\trecent viruses such as that described in\n\
\thttp://www.fsecure.com/v-descs/love.htm\n\
\tIf you meant to send this file then please\n\
\tpackage it up as a zip file and resend it."
  seen finish
endif

#### Version history
#
# 0.01 5 May 2000
#       Initial release
# 0.02 8 May 2000
#       Widened list of content-types accepted, added WSF extension
# 0.03 8 May 2000
#       Embedded the install notes in for those that don't do manuals
# 0.04 9 May 2000
#       Check global content-type header.  Efficiency mods to REs
# 0.05 9 May 2000
#       More minor efficiency mods, doc changes
# 0.06 19 Jun 2000
#       Added .shs in response to http://www.symantec.com/avcenter/venc/data/vbs.stages.a.html
#       - Jeff Carnahan <jcarnahan@networq.com>
#
#### Install Notes
#
# Exim filters run the exim filter language - a very primitive
# scripting language - in place of a user .forward file, or on
# a per system basis (on all messages passing through).
# The filtering capability is documented in the main set of manuals
# a copy of which can be found on the exim web site
#       http://www.exim.org/
#
# To install, copy the filter file (with appropriate permissions)
# to /etc/exim/system_filter.exim and add to your exim config file
# [location is installation dependent - typically /etc/exim/config ]
# at the top the line:-
#       message_filter = /etc/exim/system_filter.exim
#       message_body_visible = 5000
#
# Any message that matches the filter will then be bounced.
# If you wish you can change the error message by editing it
# in the section above - however be careful you don't break it.
#
# After install exim should be restarted - a kill -HUP to the
# daemon will do this.
#
#### LIMITATIONS
#
# This filter tries to parse MIME with a regexp... that doesn't
# work too well.  It will also only see the amount of the body
# specified in message_body_visible
#
#### BASIS
#
# The regexp that is used to pickup MIME/uuencoded parts is replicated
# below (in perl format).  You need to remember that exim converts
# newlines to spaces in the message_body variable.
#
# (?:Content-                          # start of content header
#   (?:Type: (?>\s*)                   # rest of c/t header
#     [\w-]+/[\w-]+                    # content-type (any)
#   |Disposition: (?>\s*)              # content-disposition hdr
#     attachment)                      # content-disposition
#   ;(?>\s*)                           # ; space or newline
#   (?:file)?name=                     # filename=/name=
# |begin (?>\s+) [0-7]{3,4} (?>\s+))   # begin octal-mode
# (\"[^\"]+\.                          # quoted filename.
#   (?:vb[se]                          # list of extns
#   |ws[fh]
#   |jse?
#   |exe
#   |com
#   |bat
#   |shs)
#   \"                                 # end quote
# |[\w.-]+\.                           # unquoted filename.ext
#   (?:vb[se]                          # list of extns
#   |ws[fh]
#   |jse?
#   |exe
#   |com
#   |bat
#   |shs)
# )                                    # end of filename capture
# [\s;]                                # trailing ;/space/newline
#
### [End]

Regards
Chris Knipe
Cell: (083) 430-8151

Natural ability without education has more often attained to glory and virtue, than education without natural ability at all.

----- Original Message -----
From: "David FAHED" <dfahed@outremer.com>
To: "Michael Black" <dx@mdk.c7.utcluj.ro>
Cc: <linux-config@vger.rutgers.edu>; <linux-net@vger.rutgers.edu>
Sent: 11 July 2000 03:17
Subject: Re: a vir for w9x (I think)


> I also receive this message!
> Be careful!!!
>
> Michael Black wrote:
>
> > I've received this today and I guess it's that LifeStages virus, everybody
> > using w9x for mail should watch for that attachment. Don't read it.
> >
> > -------------------
> > >From owner-linux-net-outgoing@vger.rutgers.edu Mon Jul 10 17:49:45 2000
> > Return-Path: <owner-linux-net-outgoing@vger.rutgers.edu>
> > Received: from nic.funet.fi (nic.funet.fi [193.166.0.145])
> >         by mdk.c7.utcluj.ro (8.9.3/8.8.7) with ESMTP id RAA26287
> >         for <dx@mdk.c7.utcluj.ro>; Mon, 10 Jul 2000 17:49:37 +0300
> > Received: from vger.rutgers.edu ([128.6.190.2]:11884 "EHLO vger.rutgers.edu"
> >         ident: "NO-IDENT-SERVICE[2]" smtp-auth: <none> TLS-CIPHER: <none>)
> >         by nic.funet.fi with ESMTP id <S3764AbQGJOtU>;
> >         Mon, 10 Jul 2000 17:49:20 +0300
> > Received: (majordomo@vger.rutgers.edu) by vger.rutgers.edu via listexpand
> >         id <S157034AbQGJOeu>; Mon, 10 Jul 2000 10:34:50 -0400
> > Received: by vger.rutgers.edu id <S157028AbQGJOcv>;
> >         Mon, 10 Jul 2000 10:32:51 -0400
> > Received: from ogma.cisco.com ([144.254.74.39]:41304 "HELO ogma.cisco.com")
> >         by vger.rutgers.edu with SMTP id <S156826AbQGJOax>;
> >         Mon, 10 Jul 2000 10:30:53 -0400
> > Received: from milan.cisco.com (milan.cisco.com [144.254.84.13])
> >         by ogma.cisco.com (Postfix) with ESMTP
> >         id BFF9C1E2; Mon, 10 Jul 2000 16:42:09 +0200 (MET DST)
> > Received: from fcanessa-nt ([144.254.43.47])
> >         by milan.cisco.com (8.8.8+Sun/8.8.8) with SMTP id QAA21650;
> >         Mon, 10 Jul 2000 16:41:46 +0200 (MET DST)
> > From: "Francesco Canessa" <fcanessa@cisco.com>
> >       ^^^^^^^^^^^^^^^^^^^
> >
> > To: <fcanessa@cisco.com>
> > Subject: Life stages
> > Date: Mon, 10 Jul 2000 16:46:23 +0100
> >       ^^^^^^^^^^^^^
> >
> > Message-ID: <000b01bfea86$0064da70$2f2bfe90@fcanessa-nt.cisco.com>
> > MIME-Version: 1.0
> > Content-Type: multipart/mixed;
> >         boundary="----=_NextPart_000_0008_01BFEA8E.62263530"
> > X-Priority: 3 (Normal)
> > X-MSMail-Priority: Normal
> > X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
> > Importance: Normal
> > X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
> > Sender: owner-linux-net@vger.rutgers.edu
> > Precedence: bulk
> > X-Loop: majordomo@vger.rutgers.edu
> >
> > [-- Attachment #1 --]
> > [-- Type: text/plain, Encoding: 7bit, Size: 0.1K --]
> > Content-Type: text/plain;
> >         charset="iso-8859-1"
> > Content-Transfer-Encoding: 7bit
> >
> >
> > The male and female stages of life.
> > [-- Attachment #2: LIFE_STAGES.TXT.SHS --]
> >                    ^^^^^^^^^^^^^^^^
> >                    !!!!!!
> >
> > [-- Type: application/octet-stream, Encoding: base64, Size: 52K --]
> > Content-Type: application/octet-stream;
> >         name="LIFE_STAGES.TXT.SHS"
> > Content-Transfer-Encoding: base64
> > Content-Disposition: attachment;
> >         filename="LIFE_STAGES.TXT.SHS"
> >
> > [-- application/octet-stream is unsupported (use 'v' to view this part) --]
> > ---------------
> >
> > maybe I saved some time for someone. :)
> >
> > /dx
> > -
> > : send the line "unsubscribe linux-net" in
> > the body of a message to majordomo@vger.rutgers.edu
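To make concrete what the two regular expressions in the posted filter actually accept, and where the limitation its own notes admit to ("it will also only see the amount of the body specified in message_body_visible") bites, here is an added Python transcription of the filter's matching logic run over constructed sample messages. It is not code from the thread or from the filter's authors. It assumes the lowercase `matches` operator compares case-insensitively (hence `re.IGNORECASE`), models Exim's `$message_body` as the first `message_body_visible` bytes with newlines turned into spaces (as the install notes and BASIS section describe), and drops the Exim-level backslash doubling because Python raw strings want a single backslash. The sample headers and bodies are constructed for the demonstration and are not real mail.

```python
import re

# Python transcription of the two regexps in the Exim filter (the BASIS
# section gives the body one in Perl format). Perl's atomic groups (?>\s*)
# are written as plain \s* here; the matches are the same for this input.
EXTS = r"(?:vb[se]|ws[fh]|jse?|exe|com|bat|shs)"
FILENAME = r'("[^"]+\.' + EXTS + r'"|[\w.-]+\.' + EXTS + r")"

# Applied to the top-level Content-Type header (single-part messages).
# Assumed case-insensitive, which is what Exim's lowercase "matches" gives.
HEADER_RE = re.compile(r"(?:file)?name=" + FILENAME, re.IGNORECASE)

# Applied to $message_body: embedded MIME part headers or a uuencode "begin".
BODY_RE = re.compile(
    r"(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);\s*(?:file)?name="
    r"|begin\s+[0-7]{3,4}\s+)" + FILENAME + r"[\s;]",
    re.IGNORECASE,
)

MESSAGE_BODY_VISIBLE = 5000  # the value the install notes tell you to set


def exim_message_body(raw_body, visible=MESSAGE_BODY_VISIBLE):
    """Approximate Exim's $message_body: only the first `visible` bytes are
    available, and newlines become spaces (the body regexp relies on that
    to match a parameter that was folded onto a continuation line)."""
    return raw_body[:visible].replace("\r\n", " ").replace("\n", " ")


def suspicious_attachment(content_type_header, raw_body, visible=MESSAGE_BODY_VISIBLE):
    """Return the filename the filter would quote in its bounce ($1), or None."""
    m = HEADER_RE.search(content_type_header)
    if m:
        return m.group(1)
    m = BODY_RE.search(exim_message_body(raw_body, visible))
    return m.group(1) if m else None


# Constructed samples (not real mail) ---------------------------------------
# 1. Multipart message shaped like the one quoted in the thread: the top-level
#    header only carries a boundary, so it is the body check that must fire.
LIFE_STAGES_CT = 'multipart/mixed; boundary="----=_NextPart_000_0008_01BFEA8E.62263530"'
LIFE_STAGES_BODY = (
    "------=_NextPart_000_0008_01BFEA8E.62263530\n"
    'Content-Type: text/plain; charset="iso-8859-1"\n\n'
    "The male and female stages of life.\n"
    "------=_NextPart_000_0008_01BFEA8E.62263530\n"
    "Content-Type: application/octet-stream;\n"
    '\tname="LIFE_STAGES.TXT.SHS"\n'
    "Content-Transfer-Encoding: base64\n"
    "Content-Disposition: attachment;\n"
    '\tfilename="LIFE_STAGES.TXT.SHS"\n\n'
    "AAAA\n"
)

# 2. Single-part message whose own Content-Type names an executable.
SETUP_CT = "application/x-msdownload; name=setup.exe"

# 3. A uuencoded script inside a plain-text body.
UUENCODE_BODY = "see attached\n\nbegin 644 LOVE-LETTER.vbs\nM....\nend\n"

# 4. Benign: .zip is outside the extension list (the bounce text itself
#    suggests zipping), so this passes.
ZIP_BODY = 'Content-Disposition: attachment; filename="report.zip"\n\nUEsDBA==\n'


def demo_limitation():
    """With message_body_visible = 5000, a part that starts past byte 5000 is
    never seen by the filter at all: 6000 bytes of padding hide sample 1."""
    padding = "x" * 6000 + "\n"
    return suspicious_attachment("text/plain", padding + LIFE_STAGES_BODY)


if __name__ == "__main__":
    print(suspicious_attachment(LIFE_STAGES_CT, LIFE_STAGES_BODY))  # "LIFE_STAGES.TXT.SHS"
    print(suspicious_attachment(SETUP_CT, ""))                      # setup.exe
    print(suspicious_attachment("text/plain", UUENCODE_BODY))       # LOVE-LETTER.vbs
    print(suspicious_attachment("text/plain", ZIP_BODY))            # None
    print(demo_limitation())                                         # None
```

The captured group is exactly what the filter substitutes as `$1` in the bounce, quotes included when the parameter was quoted. The last call is the point of the exercise: the extension check is only as good as the slice of body Exim lets the filter see, so a larger `message_body_visible` widens coverage at the cost of scanning more text per message.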