
Re: MS BS



On Mon, Sep 22, 2003 at 11:56:04AM -0700, Ted Roby wrote:

> The single part MIME filter doesn't seem to catch it though. What are 
> others on this list using or doing to blatantly block this stuff? There 
> is no valid .exe I could receive, ever.

I use postfix and this in my body_checks map (really long line coming 
up):

/^b3IAAABBZG1pbgAAAEdFVCBodHRwOi8vd3cyLmZjZS52dXRici5jei9iaW4vY291bnRlci5naWYv/i REJECT Appears to be infected with Swen (http://www.f-secure.com/v-descs/swen.shtml)

This matches in the base64 of the exe file for this worm. Don't know if 
exim has the ability to make decisions based on body contents or not...

Only thing that's made it through so far is a couple of copies where the 
infected exe had been stripped on the way through, leaving the message 
annoying but without bite.

Note that postfix users will probably need to up the depth into the body 
postfix will search for this to work properly.

Bob
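
Added example, not part of the original message and not Postfix code: a Python sketch of why a line-anchored base64 signature like the rule above matches, when it stops matching, and how deep into the attachment the scan has to reach. The sample bytes, the function names and the choice of line 12 are constructed for illustration; it assumes the usual 76-column MIME wrap with CRLF line endings.

```python
import base64
import re

LINE_BYTES = 57  # 57 raw bytes encode to one 76-character base64 line (usual MIME wrap)

def signature_line(sample, line_no):
    """Base64 text of the line_no-th full encoded line of an attachment."""
    chunk = sample[line_no * LINE_BYTES:(line_no + 1) * LINE_BYTES]
    if len(chunk) < LINE_BYTES:
        raise ValueError("pick a full 57-byte chunk so the line carries no padding")
    return base64.b64encode(chunk).decode("ascii")

def body_checks_rule(sig, reason):
    """Format sig as a Postfix regexp-table line, escaping '+' and the '/' delimiter."""
    escaped = sig.replace("+", r"\+").replace("/", r"\/")
    # Postfix regexp tables match case-insensitively by default; the i flag toggles
    # that off, which is what a base64 signature needs.
    return f"/^{escaped}/i REJECT {reason}"

def encode_attachment(data, width=76):
    """Base64 body lines as a sending mail client would wrap them."""
    text = base64.b64encode(data).decode("ascii")
    return [text[i:i + width] for i in range(0, len(text), width)]

def first_hit(sig, body_lines):
    """body_checks sees one body line at a time; return the index of the first match."""
    pattern = re.compile("^" + re.escape(sig))
    for idx, line in enumerate(body_lines):
        if pattern.search(line):
            return idx
    return None

def segment_depth(line_no):
    """Bytes of one encoded segment to scan (compare with body_checks_size_limit)."""
    return (line_no + 1) * (76 + 2)  # 76 characters plus CRLF per line

# Constructed stand-in for an attachment: fixed arithmetic bytes, not real malware.
SAMPLE = bytes((i * 7 + 3) % 251 for i in range(4000))
SIG = signature_line(SAMPLE, 12)

if __name__ == "__main__":
    print(body_checks_rule(SIG, "Matches known attachment signature (constructed sample)"))
    print("standard wrap:", first_hit(SIG, encode_attachment(SAMPLE)))
    print("60-column wrap:", first_hit(SIG, encode_attachment(SAMPLE, 60)))
    print("one byte prepended:", first_hit(SIG, encode_attachment(b"\x00" + SAMPLE)))
    print("scan depth needed:", segment_depth(12), "bytes")
```

The signature only hits when the attachment is byte-identical up to that line and wrapped at the same width, so a rule of this kind is a stopgap for one specific binary rather than a general .exe block.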


