Security Incidents mailing list archives

Re: NEW VIRUS FOUND PLEASE READ IMPORTANT!!!!!

From: Mark Lastdrager <mark () PINE NL>
Date: Tue, 13 Feb 2001 09:53:13 +0100

At Tue, 13 Feb 2001, Incidents Mailing List wrote:

We are working with the infrastructure group to see how we can block or
filter this particular message.  In the interim, the best anti-virus
protection is good 'ole common sense.


; tail -11 /etc/sendmail.cf
HSubject: $>CheckSubject
SCheckSubject
RILOVEYOU              $#error $: 553 ILOVEYOU Virus detected
RHere you have, ;o)    $#error $: 553 Anna Kournikova virus detected

Kchkfrm regex -a@REJ hahaha () sexyfun net

HFrom: $>CheckFromHeader
SCheckFromHeader
R$*    $: $(chkfrm $1 $)
R@REJ  $#error $: 553 Some virus detected


Blunt method to do this on Postfix (not tested, based on Loveletter fix
from some time ago)

Create file header_checks with:

/Content.*\.vbs/ REJECT

And add the following to main.cf:

header_checks = regexp:/path/to/postfix/config/header_checks

It's also possible to filter on subject ofcourse, but history has teached
us viruses may mutate.

On http://www.amavis.org/ you can find a quite good mail virus scanner.

Mark Lastdrager

--
Pine Internet BV ::  tel. +31-70-3111010 ::  fax. +31-70-3111011
PGP 92BB81D1 fingerprint 0059 7D7B C02B 38D2 A853 2785 8C87 3AF1
Today's excuse: Your processor has processed too many intructions.
Turn it off emideately, do not type any commands!!

Current thread:

NEW VIRUS FOUND PLEASE READ IMPORTANT!!!!! Joseph, Lorne (Feb 12)
- Re: NEW VIRUS FOUND PLEASE READ IMPORTANT!!!!! David Luyer (Feb 13)
  - Re: NEW VIRUS FOUND PLEASE READ IMPORTANT!!!!! Daniel Martin (Feb 13)
    - Re: NEW VIRUS FOUND PLEASE READ IMPORTANT!!!!! Dan Riley (Feb 13)
    - Re: NEW VIRUS FOUND PLEASE READ IMPORTANT!!!!! Ron Johnson (Feb 13)
    - Re: NEW VIRUS FOUND PLEASE READ IMPORTANT!!!!! Kevin van Haaren (Feb 13)
  - Re: NEW VIRUS FOUND PLEASE READ IMPORTANT!!!!! Mark Lastdrager (Feb 13)