On Mon, 2004-08-16 at 05:07, Paul de Vrieze wrote:
> On Saturday 14 August 2004 10:47, Adrian CAPDEFIER wrote:
> > Hi.
> > I seem to be the victim of an attack to get me off mailing lists.
> > Here is the message I've been getting with the contents of the
> > file ______-ed out.
> > So my server doesn't allow .com attachments and this attacker somehow
> > manages to make the mailing list manager think messages sent to me are
> > bouncing.
> > Am I right?
>
> I don't think so. It is an automated reaction by the management software.
> As you got the message, your account will not be disabled. However if you
> perform filtering of for example .com attachments, please for the sake of
> every email user on the planet, do not bounce them but drop them. Most
> virii do not use a valid sender address, so those bounces just annoy
> other innocent people besides you.

Paul's suggestion is a good one. Here is the procmail script that I use
to drop disallowed attachment types:

# definitions from http://www.ncl.ac.uk/ucs/email/mailscanrules.html
# These are known to be dangerous in almost all cases.
#bat $Possible batch file attack
#cmd $Possible CMD file attack
#com $Possible COM file attack
#exe $Possible EXE file attack
#js $Possible Microsoft JScript attack
#scr $Possible SCR file attack
#reg $Possible Windows registry attack
#chm $Possible compiled Help file-based virus
# See http://office.microsoft.com/2000/articles/Out2ksecFAQ.htm for more info.
#cnf $Possible SpeedDial attack
#hta $Possible Microsoft HTML archive attack
#ins $Possible Microsoft Internet Settings attack
#jse? $Possible Microsoft JScript attack
#lnk $Possible Eudora *.lnk security hole attack
#ma[dfgmqrstvw] $Possible Microsoft Access Shortcut attack
#pif $Possible MS-Dos program shortcut attack
#scf $Possible Windows Explorer Command attack
#sct $Possible Microsoft Windows Script attack
#shb $Possible document shortcut attack
#shs $Possible Shell Scrap Object attack
#vb[es] $Possible Microsoft VBScript attack
#ws[cfh] $Possible Microsoft Script Host attack
#xnk $Possible Microsoft Exchange Shortcut attack

# Nuke attachments of these types.
# B: match the conditions against the body, which is where the MIME part
#    headers (Content-Type, Content-Disposition) of a multipart message are.
# The trailing colon takes a lockfile while appending to the mailbox.
# procmail regexps are case-insensitive unless the D flag is given, so
# .EXE and .Exe are covered too.
# The extension list is kept on one line on purpose: a space before a
# line-continuation backslash becomes part of the alternation, so
# "dll| \" followed by "ma[...]" would only match " ma...", letting
# .mad/.lnk attachments through.  "name=" also matches "filename=".
# The trailing ("?( |;|$)) requires the extension to end the value, so
# .json is not caught by the js entry and .comment is not caught by com.
:0 B:
* ^Content-Type:.*
* ^Content-Disposition:.*attachment
* name="?[^";]*\.(hta|exe|com|pif|vb[se]|bat|cmd|vxd|scr|dll|ma[dfgmqrstvw]|ws[cfh]|reg|xnk|sh[mbs]|sc[ft]|lnk|ins|chm|hlp|js|jse)"?( |;|$)
/var/spool/mail/virusmail

Note that /dev/null will also work as a target. I *do not* filter zip,
gz, doc, xls files using this script. Those get passed on to an actual
virus scanner, as we use those types of files in our business.

I hope this procmail script is useful to someone, it was rather
difficult to find a working example online when I set this up.

Regards,

- Brian


-- 
gentoo-security@g.o mailing list
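The check Brian's procmail rule performs, redone as an added example in Python (not code from his message or from the list). The procmail conditions are evaluated independently over the whole body, so a "Content-Disposition: attachment" line in one part and a "name=" line in another satisfy the rule together, and a regex on raw header text never sees RFC 2231 encoded filenames (filename*=utf-8''...). A MIME parser ties each filename to its own part and decodes it first. The extension list is copied from the rule; the function names, the quarantine decision and the sample messages are this example's own assumptions, and the sample messages are constructed, not captured mail.

```python
"""Per-part attachment-extension filter (added example, not the original
procmail rule).  Walks the MIME tree, decodes each part's filename and
checks its final extension against the same blocklist as the rule."""
import email
import os
from email import policy

# Same extensions as the procmail rule; assumption: kept in sync by hand.
BLOCKED_EXTENSIONS = {
    "hta", "exe", "com", "pif", "vbs", "vbe", "bat", "cmd", "vxd", "scr", "dll",
    "mad", "maf", "mag", "mam", "maq", "mar", "mas", "mat", "mav", "maw",
    "wsc", "wsf", "wsh", "reg", "xnk", "shm", "shb", "shs", "scf", "sct",
    "lnk", "ins", "chm", "hlp", "js", "jse",
}


def attachment_names(msg):
    """Yield the decoded filename of every leaf MIME part that declares one.

    get_filename() reads Content-Disposition filename= first and falls back
    to Content-Type name=, and it decodes the RFC 2231 filename*= form that
    a plain regex on the header text does not understand."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            yield name


def is_blocked_name(name):
    """True when the final extension is on the list.

    Exact match on the whole extension: data.json is not caught by the js
    entry, while report.pdf.exe is caught by its last extension."""
    ext = os.path.splitext(name.strip())[1].lstrip(".").lower()
    return ext in BLOCKED_EXTENSIONS


def classify(raw_bytes):
    """Return ("drop", [offending names]) or ("deliver", []).

    "drop" means file the message in the quarantine mailbox and send no
    bounce: the envelope sender of such mail is usually forged, so a DSN
    would only hit an uninvolved third party (Paul's point above)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = [n for n in attachment_names(msg) if is_blocked_name(n)]
    return ("drop", hits) if hits else ("deliver", [])


def sample_message(part_headers):
    """Constructed two-part message; part_headers is the raw header block of
    the second part (constructed test data, not a captured message)."""
    return (
        b"From: forged-sender@example.com\r\n"
        b"To: user@example.net\r\n"
        b"Subject: constructed sample\r\n"
        b"MIME-Version: 1.0\r\n"
        b'Content-Type: multipart/mixed; boundary="b1"\r\n'
        b"\r\n"
        b"--b1\r\n"
        b"Content-Type: text/plain\r\n"
        b"\r\n"
        b"see attachment\r\n"
        b"--b1\r\n"
        + part_headers + b"\r\n"
        b"Content-Transfer-Encoding: base64\r\n"
        b"\r\n"
        b"AAAA\r\n"
        b"--b1--\r\n"
    )


if __name__ == "__main__":
    cases = [
        b'Content-Type: application/octet-stream\r\nContent-Disposition: attachment; filename="invoice.exe"',
        b'Content-Type: application/octet-stream\r\nContent-Disposition: attachment; filename="my report.scr"',
        b'Content-Type: application/json\r\nContent-Disposition: attachment; filename="data.json"',
        b"Content-Type: application/octet-stream\r\nContent-Disposition: attachment; filename*=utf-8''r%C3%A9sum%C3%A9.pif",
        b'Content-Type: application/octet-stream; name="tool.cmd"',
        b'Content-Type: image/jpeg\r\nContent-Disposition: inline; filename="photo.jpg"',
    ]
    for headers in cases:
        print(headers.split(b"\r\n")[-1].decode(), "->", classify(sample_message(headers)))
```

The second and fourth cases are the ones the rule's "name=[^ ]*" pattern cannot see (a quoted filename with a space, and an RFC 2231 encoded name); the third shows why the extension must be matched whole. Like the rule, this only checks declared names, so archives and Office documents still belong with a real virus scanner.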