| 1 |
On Mon, 2004-08-16 at 05:07, Paul de Vrieze wrote: |
| 2 |
> On Saturday 14 August 2004 10:47, Adrian CAPDEFIER wrote: |
| 3 |
> > Hi. |
| 4 |
> > I seem to be the victim of an attack to get me of mailing lists. |
| 5 |
> > Here is the message I've been getting with the contents of the |
| 6 |
> > file ______-ed out. |
| 7 |
> > So my server doesn't allow .com attachements and this attacker somehow |
| 8 |
> > manages to make the mailing list manager think messages sent to me are |
| 9 |
> > bouncing. |
| 10 |
> > Am I right? |
| 11 |
> |
| 12 |
> I don't think you. It is an automated reaction by the management software. |
| 13 |
> As you got the message, your account will not be disabled. However if you |
| 14 |
> perform filtering of for example .com attachments, please for the sake of |
| 15 |
> every email user on the planet, do not bounce them but drop them. Most |
| 16 |
> virii do not use a valid sender address, so those bounces just annoy |
| 17 |
> other innocent people besides you. |
| 18 |
|
| 19 |
Paul's suggestion is a good one. Here is the procmail script that I use |
| 20 |
to drop disallowed attachment types: |
| 21 |
|
| 22 |
# definitions from http://www.ncl.ac.uk/ucs/email/mailscanrules.html |
| 23 |
# These are known to be dangerous in almost all cases. |
| 24 |
#.bat $Possible batch file attack |
| 25 |
#cmd $Possible CMD file attack |
| 26 |
#com $Possible COM file attack |
| 27 |
#exe $Possible EXE file attack |
| 28 |
#js $Possible Microsoft JScript attack |
| 29 |
#scr $Possible SCR file attack |
| 30 |
#reg $Possible Windows registry attack |
| 31 |
#chm $Possible compiled Help file-based virus |
| 32 |
# See http://office.microsoft.com/2000/articles/Out2ksecFAQ.htm for more |
| 33 |
info. |
| 34 |
#cnf $Possible SpeedDial attack |
| 35 |
#hta $Possible Microsoft HTML archive attack |
| 36 |
#ins $Possible Microsoft Internet Settings attack |
| 37 |
#jse? $Possible Microsoft JScript attack |
| 38 |
#lnk $Possible Eudora *.lnk security hole attack |
| 39 |
#ma[dfgmqrstvw] $Possible Microsoft Access Shortcut attack |
| 40 |
#pif $Possible MS-Dos program shortcut attack |
| 41 |
#scf $Possible Windows Explorer Command attack |
| 42 |
#sct $Possible Microsoft Windows Script attack |
| 43 |
#shb $Possible document shortcut attack |
| 44 |
#shs $Possible Shell Scrap Object attack |
| 45 |
#vb[es] $Possible Microsoft VBScript attack |
| 46 |
#ws[cfh] $Possible Microsoft Script Host attack |
| 47 |
#xnk $Possible Microsoft Exchange Shortcut attack |
| 48 |
|
| 49 |
# Nuke attachments of these types |
| 50 |
:0 B: |
| 51 |
* ^Content-Type:.* |
| 52 |
* ^Content-Disposition:.*attachment |
| 53 |
* name=[^ ]*\.(hta|exe|com|pif|vb[se]|bat|cmd|vxd|scr|dll| \ |
| 54 |
ma[dfgmqrstvw]|ws[cfh]|reg|xnk|sh[mbs]|sc[ft]| \ |
| 55 |
lnk|ins|chm|hlp|js|jse) |
| 56 |
/var/spool/mail/virusmail |
| 57 |
|
| 58 |
Note that /dev/null will also work as a target. I *do not* filter zip, |
| 59 |
gz, doc, xls files using this script. Those get passed on to an actual |
| 60 |
virus scanner, as we use those types of files in our business. |
| 61 |
|
| 62 |
I hope this procmail script is useful to someone , it was rather |
| 63 |
difficult to find a working example online when I set this up. |
| 64 |
|
| 65 |
Regards, |
| 66 |
|
| 67 |
- Brian |
| 68 |
|
| 69 |
|
| 70 |
-- |
| 71 |
gentoo-security@g.o mailing list |
Archives