procmail

Re: SirCam filter

2001-07-24 12:56:54
At 14:41 2001-07-24 -0400, i l i a n a f i l b y wrote:

############################################################
# SirCam protection
:0 HB
* ^Content-Disposition: attachment;
* filename=".*\.(exe|com)"
{
   LOG='REGJECT - SirCam'

Your rejection message is laying claim that any attachment with a .com or .exe in it is the SirCam virus. That seems a bit harsh - while .com and .exe (and a plethora of other extensions on PCs) will typically be an attachment to be wary of, they're not ALL SirCam. However, SirCam uses a number of other extensions - basically anything which would invoke Windows to execute the application (.pif, .lnk, .bat are some examples which come to mind, though I'm sure there are many others).

I think people are overlooking the usefulness of a simple mime filter - certainly, an external program which must be invoked (not simply a procmail filter), but one which could physically remove the attachments from a message and then pass the message along (with a footer indicating that content was removed). I use a mime filter for several mailing lists I run through procmail - it gives me the power to eliminate richtext and file attachments from the list, while not simply rejecting posts.

Perhaps someone who has received this virus can answer a question: does the ATTACHMENT itself mutate? Not the name, but the actual binary? If it doesn't, then some part of the mime encoding could be matched, (say, after checking content-length which would be an inexpensive initial check), which would give you a positive lock on the virus, without ditching, say, conversations ABOUT the virus.

P.S.  Would it be less prone to trouble if I somehow added something
like this in addition to the recipe above:

Yes, searching for specific matching text within the body would be much less likely to eat other messages which you may normally want (or at least which aren't SirCam).

I'd be prone to just use one of the rules presented in "the latest epidemic" thread though - people are already using them.

- Sean ( who thankfully, hasn't received even one copy of this yet ) Straw

---
 Sean B. Straw / Professional Software Engineering

 Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
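Added example, not code from Sean's post or from the procmail project: a minimal version of the mime filter he describes, written in Python against the standard library `email` package because procmail itself cannot rewrite MIME parts. It removes top-level attachments whose name ends in one of the extensions named in the post (.exe, .com, .pif, .lnk, .bat), optionally also any part whose decoded SHA-256 is in a caller-supplied set (the "positive lock" idea from the post; the set is empty unless you pass one), appends a text part saying what was removed, and passes the rest of the message through. The sample message, its filenames and the function names `strip_attachments`, `summarize` and `build_sample` are constructed for this example, and the procmail wiring mentioned in the usage note is an assumption.

```python
"""Minimal MIME attachment filter (added example, not from the post)."""
import email
import hashlib
import re
import sys
from typing import Optional
from email import policy
from email.message import EmailMessage, MIMEPart

# Extensions Windows executes directly; the post names .exe, .com, .pif,
# .lnk and .bat.  Matched against the declared attachment filename only.
EXECUTABLE_NAME = re.compile(r"\.(exe|com|pif|lnk|bat)$", re.IGNORECASE)


def _digest(part) -> str:
    """SHA-256 of a part's decoded payload (empty digest for nested multiparts)."""
    return hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest()


def strip_attachments(raw: bytes, known_bad: Optional[set] = None):
    """Filter one RFC 822 message given as bytes.

    Returns (filtered message bytes, list of (filename, sha256) removed).
    A top-level part is removed when its filename has an executable
    extension, or when the SHA-256 of its decoded payload is in known_bad
    (the post's "positive lock" idea; empty unless the caller supplies one).
    Nested multipart parts are passed through unexamined.
    """
    known_bad = known_bad or set()
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not msg.is_multipart():
        return raw, []

    removed, kept = [], []
    for part in msg.iter_parts():
        name = part.get_filename() or ""
        digest = _digest(part)
        if EXECUTABLE_NAME.search(name) or digest in known_bad:
            removed.append((name, digest))
        else:
            kept.append(part)
    if not removed:
        return raw, []

    # Keep the surviving parts in place and append a text part as the
    # footer, so the original body's charset and encoding stay untouched.
    names = ", ".join(n or "<unnamed>" for n, _ in removed)
    footer = MIMEPart(policy=policy.default)
    footer.set_content(f"[mime filter: removed attachment(s): {names}]\n")
    msg.set_payload(kept)
    msg.attach(footer)
    return msg.as_bytes(), removed


def summarize(raw: bytes):
    """(content-type, filename, sha256) for each top-level part of a message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = list(msg.iter_parts()) if msg.is_multipart() else [msg]
    return [(p.get_content_type(), p.get_filename() or "", _digest(p)) for p in parts]


def build_sample() -> bytes:
    """Constructed test message; the 'binary' is a fake, not a real sample."""
    m = EmailMessage(policy=policy.default)
    m["From"] = "sender@example.invalid"
    m["To"] = "list@example.invalid"
    m["Subject"] = "Sample with attachments"
    m.set_content("Hi, please see the attached files.\n")
    m.add_attachment(b"MZ\x90\x00 constructed fake binary", maintype="application",
                     subtype="octet-stream", filename="Report.doc.exe")
    m.add_attachment(b"just some notes\n", maintype="text", subtype="plain",
                     filename="notes.txt")
    return m.as_bytes()


def main() -> None:
    # Filter mode: read a message on stdin, write the filtered one to stdout,
    # log removals to stderr.  With no piped input, run on the sample.
    raw = sys.stdin.buffer.read() if not sys.stdin.isatty() else build_sample()
    out, removed = strip_attachments(raw)
    sys.stdout.buffer.write(out)
    for name, digest in removed:
        print(f"removed {name!r} sha256={digest}", file=sys.stderr)


if __name__ == "__main__":
    main()
```

To hook it into procmail the way the post suggests (an external program rather than a plain recipe), the assumed wiring is a filter recipe with the `f` and `w` flags (`:0 fw` followed by `| python3 mimefilter.py`), so the rewritten message continues down the rc file instead of being rejected. Matching on the decoded payload's hash rather than the filename only helps if the attachment does not change from copy to copy, which is exactly the question the post leaves open.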
