Security Incidents mailing list archives

Re: NEW VIRUS FOUND PLEASE READ IMPORTANT!!!!!


From: Daniel Martin <dtmartin24 () HOME COM>
Date: Tue, 13 Feb 2001 04:07:29 -0500

David Luyer <david_luyer () PACIFIC NET AU> writes:

; tail -11 /etc/sendmail.cf
HSubject: $>CheckSubject
SCheckSubject
RILOVEYOU             $#error $: 553 ILOVEYOU Virus detected
RHere you have, ;o)   $#error $: 553 Anna Kournikova virus detected

While this is all well and good (and will work for this virus), it is
worthless against those vbs viruses that randomize their subject lines
(which happens).  Also, with this method one is constantly reacting to
virus outbreaks after they happen.  Is there any way to get a sendmail
rule to block based on the contents of a message - I'm thinking that a
useful pattern to block on would be the filename of an attachment; if
the filename matches the perl regexp

       \.\w{2,5}\.(vbs|exe|com|hta|pl|bat|wsh|js)$

case insensitively, then chances are that it's up to no good.  Such a
rule could have been constructed in the aftermath of ILOVEYOU, and
were it already in place it would have prevented this virus from
spreading through your mailserver.  (I wouldn't necessarily do a
reject based on this rule match, but I would hold the email until I
was given a chance to examine it manually and determine whether or not
it should really go through).
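The attachment-filename check proposed above, as an added example that is not part of the original message and not a sendmail rule: it applies the message's regexp to every MIME part's filename and returns a hold-or-deliver decision. The function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Pattern from the message, applied case-insensitively: an inner 2-5 character
# "extension" followed by an executable or script extension at the end of the name.
DOUBLE_EXT = re.compile(r"\.\w{2,5}\.(vbs|exe|com|hta|pl|bat|wsh|js)$", re.IGNORECASE)

def attachment_names(msg):
    """Yield every filename declared on any MIME part, nested parts included."""
    for part in msg.walk():
        # get_filename() reads Content-Disposition's filename parameter and
        # falls back to Content-Type's name parameter.
        name = part.get_filename()
        if name:
            yield name.strip()

def disposition(raw_message):
    """Return ("hold", [matching names]) for manual review, else ("deliver", [])."""
    msg = message_from_string(raw_message)
    hits = [n for n in attachment_names(msg) if DOUBLE_EXT.search(n)]
    return ("hold", hits) if hits else ("deliver", [])

def sample(filenames):
    """Constructed input: a multipart message with one attachment per name."""
    msg = MIMEMultipart()
    msg["Subject"] = "constructed sample"
    msg.attach(MIMEText("see attached"))
    for name in filenames:
        part = MIMEApplication(b"placeholder")
        part.add_header("Content-Disposition", "attachment", filename=name)
        msg.attach(part)
    return msg.as_string()

if __name__ == "__main__":
    for names in (["holiday-photo.JPG.VBS"], ["report.pdf", "setup.exe"]):
        print(names, "->", disposition(sample(names)))
```

A lone `setup.exe` is delivered because the pattern requires a second, inner extension; it targets names disguised as documents or images, not executables in general.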

