procmail

Re[2]: virus recipe for MyDoom

2004-01-27 10:12:38
I agree with Dallman, ZIP is too valuable for users to block (and so is exe IMHO, but that's theological :)). So far the recipes below have helped stem the tide quite a bit. The first part gets MyDoom on contextual stuff I've found in most of the message headers, and the second part seems to be unique to the various ZIP files that get spread around.
I'm watching the repository closely, but so far no false positives have turned up.

# Quarantine folder for everything that looks like MyDoom (path from the original)
VIRUSBOX=/home/spool/mail/virus/mydoom-spam

# Part 1: boilerplate sentences MyDoom puts in the message text.
# B = match against the body; ^ anchors at the start of a body line.
:0 B
* ^(This|The) message contains Unicode characters and has been sent
$VIRUSBOX

:0 B
* ^The message cannot be represented in 7-bit ASCII encoding and
$VIRUSBOX

:0 B
* ^Mail transaction failed\. Partial message is available\.
$VIRUSBOX

# Part 2: base64 fragments seen in the ZIP attachments being spread.
# Each pattern is a substring of one encoded line of the attachment, so it
# only matches while the encoder keeps the same byte alignment and line
# wrapping; a changed attachment needs new fragments.
:0 B
* 1rrAeM0gDQdlmmtNtWVfG3QRFA672grQLlgIdDhobVVL2XMWVlc87bWFzho6IHtwAj2d9r
$VIRUSBOX

:0 B
* Ga9SG/3//7dSpCoQS7DvKZAv72JQKWmvdKWWbadVD/D//9vSfeg2mRbgbKcMvEZXguXrNq
$VIRUSBOX

:0 B
* TBuvVXOm//9/idxR1/7/Y6uPvh3LTd755dO39hzsPp/6sfv///8xZXpCOlu2J40AUMvgDP
$VIRUSBOX

:0 B
* Q2VDAuk6pQf8sthCvHkbFDMACWK8hd0C2mSZPSKSIjutcMMWTmfwLUdsuyF4o1Tjemh5hk
$VIRUSBOX

:0 B
* Z3h2Z0tDwwdp3y78fy10dmV5LTIuMG9xcIxfY05wdXJmmaHdCjNcdmkLRDvZ1r5tSGRWLV
$VIRUSBOX

:0 B
* V0jTDPIH0MgIsEjTDDKYiAqARYEDNnhPUmWtFnAb4JuraGYHK2nGAwbeAiBFcj2UWskGOE
$VIRUSBOX

Cheers and good luck!
Robin Edgar
Tripany

Tuesday, January 27, 2004, 4:37:55 PM, you wrote:

On Tue, Jan 27, 2004 at 12:48:57PM +0000, John Conover wrote:
Nancy McGough writes:
On 27 Jan 2004 Dallman Ross (dman(_at_)nomotek(_dot_)com) wrote:
If someone using Virus Snaggers can state definitively
that it continues to work on new viruses, that would be
helpful.

I just added zip, bat, and cmd to NASTYEXT and am now catching a
ton of .zip-infested messages that I wasn't before. Here's the
scoop: according to this site:


There are probably more extensions that Microsoft Outlook will
consider, in one form or another, executable:

    http://www.johncon.com/john/QuarantineAttachments/

may be of some help-there is a click'ie for the script fragment.

Hmm.  I am loath to add ZIP to the list of bad extensions.
My purpose has never been to stop any and all attachments.
Doing so would be satisfied by a much simpler recipe.

ZIP is a valuable file type, and I don't wish to dictate
that it should now be banished.  My Virus Snagger plug-in
is run by some sysadmins.  I would not wish to be responsible
for stopping, essentially, all file attachments in email.
That is a goal that I do not have sympathy for.  If I
had an account on a site that blocked all extensions,
I would close the account at once.

ZIP files are not "executable" per se.  If these new viruses
take advantage of naive users clicking on ZIP attachments,
well, another solution should be found, imho, for stopping
the virus than that of banning ZIP.  

The Virus Snagger recipes are intended to block obviously
high-risk file-types that have traditionally been exploited.
If users wish to expand the $NASTYEXT definition to block
a much broader range of extensions, well, that's their
free choice.  But I'm not at all sure it's a road I
want to travel down.

Why are users opening ZIP files and clicking on attachments
they did not expect to receive?

BAT files are another example.  They are executable in
Windows and DOS, yes.  But traditionally, virus writers
used double-extensions that only pretended to be BAT.  I
still use some BAT files, was an avid writer of them to
a complex degree half-a-decade ago, and am not for
banishing them from my own email or for doing so on
a system level.  Nor do I wish to be a provider of
blocking recipes that are overbroad to that degree.

A batch file that carried a virus payload would have to
be much larger than a typical batch file, which, being
text, is both small and easy to verify the innocuousness
of!  Therefore, I would not want to block BAT extensions
that check out as text-only.  The double-extensions that
virus writers typically use to disguise things come about
precisely because of these facts.

Yes, file transfers should in the main be done by the
protocols designed primarily for them, such as FTP, SCP,
SFTP, etc.  How are you going to tell a generation of
GUI Windows users that now?  My job, and that of my little
recipes, is not to force that decision on users en masse.
I only wish to stop the obviously creepy, sneaky stuff.

I'll think about this stuff a bit more.  It's not hard
to check files asserted to be BAT and see if they secretly
contain binary stuff.  I'm not at all sure what to
recommend about new viruses that transport themselves
via ZIP, however.  Why don't users have standard
commercial anti-virus programs in place on their
workstations?  I think this goes far beyond what I
wish to offer by way of procmail blocking.

Comments?

Dallman

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
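Dallman's two points above (check that a file asserted to be BAT is really text, and find some answer for ZIP other than banning the extension) can be turned into a filter that inspects attachments instead of blocking by name. The script below is an added example, not code from the thread or from Virus Snaggers: the extension lists, the file names and the sample message are assumptions constructed for the demo. It opens each ZIP attachment and reports members with an executable (or double) extension, flags a .bat/.cmd whose bytes are not plain text, and builds a constructed message to run against.

```python
#!/usr/bin/env python3
"""Inspect attachments instead of blocking whole extensions.

Added example (not from the thread or from Virus Snaggers). Extension
lists and sample file names are assumptions for the demo. Wire it from
procmail as a `?` condition: exit 0 means "suspicious", see the bottom.
"""
import email
import io
import sys
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed list: extensions Windows runs on double-click; sites will tune it.
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# Script types that must be text; a binary payload in one of these is a lie.
TEXT_SCRIPT_EXTS = {"bat", "cmd"}
# Control bytes that legitimately appear in DOS text: TAB LF FF CR ^Z.
ALLOWED_CTRL = {0x09, 0x0A, 0x0C, 0x0D, 0x1A}


def ext_of(name: str) -> str:
    """Last extension, lower-cased; handles paths and 'a.txt .exe' tricks."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].strip().lower() if "." in base else ""


def is_plain_text(data: bytes) -> bool:
    """True when every byte is printable (or 8-bit) or an allowed control byte."""
    return all((b >= 0x20 or b in ALLOWED_CTRL) and b != 0x7F for b in data)


def zip_executable_members(data: bytes) -> list:
    """Names of ZIP members with an executable extension.
    An unreadable archive is reported rather than silently passed."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if not n.endswith("/") and ext_of(n) in EXEC_EXTS]
    except zipfile.BadZipFile:
        return ["<unreadable zip>"]


def scan_message(raw: bytes) -> list:
    """Walk every attachment of a raw RFC 822 message; return findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:                      # body text, not an attachment
            continue
        ext = ext_of(name)
        data = part.get_payload(decode=True) or b""
        if ext == "zip":
            bad = zip_executable_members(data)
            if bad:
                findings.append(f"{name}: ZIP carries executable member(s) {bad}")
        elif ext in TEXT_SCRIPT_EXTS:
            if not is_plain_text(data):
                findings.append(f"{name}: claims to be .{ext} but contains binary data")
        elif ext in EXEC_EXTS:
            findings.append(f"{name}: executable attachment")
    return findings


def build_sample() -> bytes:
    """Constructed test message (not a real MyDoom sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt.exe", b"MZ" + b"\x90" * 64)  # fake PE inside
    msg = EmailMessage()
    msg["From"] = "a@example.invalid"
    msg["To"] = "b@example.invalid"
    msg["Subject"] = "test"
    msg.set_content("The message contains Unicode characters and has been sent "
                    "as a binary attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="document.zip")
    # A .bat that hides a binary blob after a few lines of real batch text.
    msg.add_attachment(b"@echo off\r\necho hi\r\n" + b"\x00MZ\x01\x02",
                       maintype="application", subtype="octet-stream",
                       filename="update.bat")
    # A .bat that really is text; this one should pass.
    msg.add_attachment(b"@echo off\r\ndir\r\n", maintype="application",
                       subtype="octet-stream", filename="list.bat")
    return msg.as_bytes()


if __name__ == "__main__":
    # procmail runs a `* ? program` condition with the mail on stdin and treats
    # exit 0 as a match, so exit 0 when something suspicious was found:
    #   :0
    #   * ? /usr/local/bin/attachcheck.py
    #   /home/spool/mail/virus/mydoom-spam
    hits = scan_message(sys.stdin.buffer.read())
    for hit in hits:
        print(hit, file=sys.stderr)
    sys.exit(0 if hits else 1)
```

On the constructed sample this reports document.zip (member document.txt.exe) and update.bat, and lets list.bat through, which is the behaviour Dallman asks for: a text-only BAT is not blocked, and a ZIP is only stopped when something executable is inside it. Encrypted or malformed archives are reported rather than passed, since a filter that cannot look inside should not vouch for the contents.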