Mailing List Archive

virus filter
Hello,

What happened to the virus filter that used to be available via a
link from the Exim home page?

We have been using the filter (currently version 0.17) for a while,
but we are starting to come up with cases where remote sites are objecting
to us rejecting attachments with certain extensions (eg .eml).

Is the list of extensions based on known viruses, or on
extensions which could potentially be used for viruses?

Would it be possible for an attachment with a .eml suffix to
be used to deliver a virus?

Thanks,

Dave
Re: virus filter [ In reply to ]

On Friday 21 June 2002 14:35, you wrote:
> What happened to the virus filter that used to be available via a
> link from the Exim home page?

It is no longer maintained.

> Is the list of extensions based on known viruses, or on
> extensions which could potentially be used for viruses?

Both I believe.

>
> Would it be possible for an attachment with a .eml suffix to
> be used to deliver a virus?

Some of the Nimda variants use eml extensions to distribute
themselves, so yes it's a known dangerous extension.

Anyone who complains to me about the extension block gets told the same
thing ... make it a zip file and then send it.
--
Mike Meredith, Senior Informatics Officer   /~\  The ASCII
University of Portsmouth                    \ /  Ribbon Campaign
                                             X   Against HTML
Hostmaster, Postmaster and Security         / \  Email!


Re: virus filter [ In reply to ]
On Fri, 21 Jun 2002, David Snowden wrote:

> We have been using the filter (currently version 0.17) for a while,
> but we are starting to come up with cases where remote sites are objecting
> to us rejecting attachments with certain extensions (eg .eml).
>
> Is the list of extensions based on known viruses, or on
> extensions which could potentially be used for viruses?

mostly the latter i suppose.

> Would it be possible for an attachment with a .eml suffix to
> be used to deliver a virus?

yes. even an mp3 can be used for that...


--
[-]
Re: virus filter [ In reply to ]
On Fri, Jun 21, 2002 at 02:35:56PM +0100, David Snowden wrote:
> Is the list of extensions based on known viruses, or on
> extensions which could potentially be used for viruses?

A mixture of the two, AIUI.

> Would it be possible for an attachment with a .eml suffix to
> be used to deliver a virus?

Yes, and indeed, this was one of the vectors for CodeRed propagation (or
was it Nimda, I forget). It was the one that had about 5 vectors. Including
attaching the .eml file, or downloading it from the infected website.

MBM

--
Matthew Byng-Maddick <mbm@colondot.net> http://colondot.net/
Re: virus filter [ In reply to ]
David,

At 14:35 (GMT+0100) on 21-June-2002, David Snowden wrote:
>
> Hello,
>
> What happened to the virus filter that used to be available via a
> link from the Exim home page?

There has been some discussion about the filter (check out the mail
archives, http://www.exim.org/maillist.html) but I have a version that
I posted to the list in May (see
http://www.exim.org/mailman/htdig/exim-users/Week-of-Mon-20020513/038821.html).

> We have been using the filter (currently version 0.17) for a while,
> but we are starting to come up with cases where remote sites are objecting
> to us rejecting attachments with certain extensions (eg .eml).

.eml are Outlook mail attachments, and can be used to propagate
viruses, so I would always treat them as suspect.

> Is the list of extensions based on known viruses, or on
> extensions which could potentially be used for viruses?

Extensions that can contain executables, and are known to be used by
viruses. Of course if you were being strict you could add the Office
extensions to the list to block macro viruses;-).

> Would it be possible for an attachment with a .eml suffix to
> be used to deliver a virus?

Yes.

I hope this helps,

Douglas.

--

================================
Douglas GRAY STEPHENS
Technical Architect (Directories)
Schlumberger Cambridge Research
High Cross,
Madingley Road,
Cambridge.
CB3 0EL
ENGLAND

Phone +44 1223 325295
Mobile +44 773 0051628
Fax +44 1223 311830
Email DGrayStephens@slb.com
================================
Re: virus filter [ In reply to ]
On Fri, 2002-06-21 at 14:35, David Snowden wrote:
> What happened to the virus filter that used to be available via a
> link from the Exim home page?

The link fell off when I tidied up old material - shame it's not linked
from elsewhere. I've reinstated it now.

Nigel.

--
[ Nigel Metheringham Nigel.Metheringham@InTechnology.co.uk ]
[. - Comments in this message are my own and not ITO opinion/policy - ]
Re: virus filter [ In reply to ]
At 20:53 +0100 Nigel Metheringham wrote:

>The link fell off when I tidied up old material - shame it's not linked
>from elsewhere. I've reinstated it now.

Only marginally related, but in the list of sample configs it'd be IMHO
rather useful to include some sample local_scan() functions, as even if
they weren't relevant to individual postmasters' needs, they'd provide a
useful starting point for one to write one's own!

Matt (*not* blowing his own trumpet--mine's not good enough!)
Re: virus filter [ In reply to ]
On 23 Jun 2002, Nigel Metheringham wrote:

> > What happened to the virus filter that used to be available via a
> > link from the Exim home page?
>
> The link fell off when I tidied up old material - shame it's not linked
> from elsewhere. I've reinstated it now.

And here was I, modifying my slides for this week's Exim course, because
I thought you had dropped it deliberately. Luckily I've seen your
posting just in time to re-modify... :-)


--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.
Re: virus filter [ In reply to ]
On Mon, 2002-06-24 at 08:51, Philip Hazel wrote:
> On 23 Jun 2002, Nigel Metheringham wrote:
>
> > > What happened to the virus filter that used to be available via a
> > > link from the Exim home page?
> >
> > The link fell off when I tidied up old material - shame it's not linked
> > from elsewhere. I've reinstated it now.
>
> And here was I, modifying my slides for this week's Exim course, because
> I thought you had dropped it deliberately. Luckily I've seen your
> posting just in time to re-modify... :-)

It's still not exactly a recommended or supported scheme - MIME is just
too strange to handle this way. I guess building a very simple MIME
parser to pick up filenames within a local_scan would not be too hard.

Nigel.
--
[ Nigel Metheringham Nigel.Metheringham@InTechnology.co.uk ]
[. - Comments in this message are my own and not ITO opinion/policy - ]
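
A sketch of the kind of filename check discussed in the message above, added here as an example; it is not code from Exim, the filter, or any poster. The function names, the blocklist and the sample message are constructed for illustration, and the code works on a plain message buffer rather than through Exim's local_scan() interface. It copes with folded headers, quoted and unquoted values, mixed case, trailing dots and the `name*=` parameter forms, but not with percent-encoded or RFC 2047 encoded names or a name split mid-extension across continuation parameters, which is where MIME gets strange.

```c
#include <string.h>
#include <strings.h>                 /* strncasecmp (POSIX) */

/* Constructed blocklist for this example, not the list shipped with the filter. */
static const char *const blocked_ext[] = { "eml", "exe", "scr", "pif", "vbs", NULL };

/* Constructed sample: folded header, RFC 2231 form, mixed case, trailing dot. */
static const char sample_msg[] =
    "Content-Type: application/octet-stream\r\n"
    "Content-Disposition: attachment;\r\n"
    "\tFileName*=us-ascii'en'Report.EML.\r\n\r\n";

/* Returns 1 if name[0..len) ends in a blocked extension (case-insensitive). */
static int has_blocked_ext(const char *name, size_t len)
{
    while (len > 0 && (name[len - 1] == '.' || name[len - 1] == ' '))
        len--;                       /* Windows drops trailing dots and spaces */
    size_t dot = len;
    while (dot > 0 && name[dot - 1] != '.')
        dot--;                       /* dot == 0 means no extension at all */
    for (size_t i = 0; dot > 0 && blocked_ext[i] != NULL; i++)
        if (strlen(blocked_ext[i]) == len - dot &&
            strncasecmp(name + dot, blocked_ext[i], len - dot) == 0)
            return 1;
    return 0;
}

/* Scans raw message text for name= / filename= / filename*= parameters,
   quoted or not, on any (possibly folded) line; 1 means a blocked name. */
int message_has_blocked_attachment(const char *msg)
{
    for (const char *p = msg; *p != '\0'; p++) {
        if (strncasecmp(p, "name", 4) != 0)
            continue;
        const char *v = p + 4;
        v += strspn(v, "*0123456789");   /* RFC 2231 forms: name*, name*0, name*0* */
        v += strspn(v, " \t");
        if (*v++ != '=')
            continue;
        v += strspn(v, " \t");
        size_t len = (*v == '"') ? strcspn(++v, "\"\r\n") : strcspn(v, "; \t\r\n");
        if (has_blocked_ext(v, len))
            return 1;
    }
    return 0;
}
```

Because only the final extension is compared, a blocked file wrapped in a .zip passes, which matches the workaround suggested earlier in the thread.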
Re: virus filter [ In reply to ]
On Sun, 23 Jun 2002 mb@dcs.qmul.ac.uk wrote:

> Only marginally related, but in the list of sample configs it'd be IMHO
> rather useful to include some sample local_scan() functions, as even if
> they weren't relevant to individual postmasters' needs, they'd provide a
> useful starting point for one to write one's own!

Nobody has yet offered me one....


--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.