Geekery

Oct. 3rd, 2002 03:29 pm
[personal profile] lnr
Making myself cross-eyed peering at viruses and system filters this afternoon.

Most things with an executable attachment we bounce, in case they're viruses, with a message saying to zip it up and try again if they really wanted to send it. Klez and various other viruses forge the sender though, and we don't want to go round sending bounces to forged senders who will either be confused about it or will just bounce back again. So we want to try and freeze any of them that actually look like Klez. So gradually our system filter turns into not-very-good virus detection software. It really would be better if we could find the manpower to sort out a real one instead.

Anyone who's actually using something with exim already, do feel free to let me know what it is and how easy it is to set up :-) I think we investigated something in the past but it fell down because we couldn't get it to send bounces as the error sender; this was before my time though.

exim 3 or 4?

Date: 2002-10-03 09:50 am (UTC)
From: [personal profile] simont
ixion is running software (written by me) which spots messages with Windows executables as attachments. Currently what it does with such messages is to block them with 554 - the idea being that if the SMTP connection is from a virus then it won't generate a bounce, but if it's from a legit site it will. This admittedly doesn't work so well for viruses that have gone through a relay or two, but it's a lot better than nothing and at least by 554ing the things we don't have to deal with the responsibility for delivering any bounces.

We have a hideous hack that makes this work in exim 3 - effectively we've reimplemented most of exim 4's local scan functionality. If you're using exim 4, it shouldn't be too hard to adapt the code to work there instead, and if you wanted to do something other than 554ing (such as adding an 'X-Suspicious' header and then having your system filter freeze messages based on that, or whatever) that could be easily enough changed as well.

This has been running live on ixion for some months and I'm now pretty confident that it correctly spots messages with Windows executable attachments. Of course that might be inconvenient if someone wants to send a real Windows executable to one of your users, so it's not clear that this is a good general solution; but for me it works very well because anyone sending me a binary is typically a pillock anyway :-)

If you think any of the above might be useful to you, let me know and I'll put you in touch with a copy of the code.

Re: exim 3 or 4?

Date: 2002-10-04 03:14 am (UTC)
From: [personal profile] simont
The way I tell they're Windows executables is by examining the magic numbers in the attachment itself:
  • A Windows executable starts with the letters "MZ".
  • At file offset 0x3C there's a little-endian 4-byte number X.
  • At file offset X there are the letters "PE".
These are fundamental properties of the Windows executable file format, incredibly unlikely to be fulfilled by accident by some other type of file. (Well, actually they also match Windows bitmap font files because Windows uses the executable format as a container for those, but that doesn't usually seem to be a problem. If it did start to be a problem I'm fairly sure I could concoct a slightly more elaborate criterion that only fired on files which had at least one code section.)

I don't even try to work out what sorts of executable are safe and what sorts are viruses. That way lies virus checker software, which means you need to update it whenever a new strain comes out, and I haven't got the time :-)
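The three-step magic-number check described above, plus the "at least one code section" refinement the comment mentions, as an added Python example (not simont's own code). The sample byte strings are constructed, minimal PE-shaped blobs built in `build_sample`, not real programs; the field offsets used are those of the standard PE/COFF header layout.

```python
import struct
E_LFANEW_OFFSET = 0x3C           # DOS header field holding the PE header offset
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
IMAGE_SCN_CNT_CODE = 0x00000020  # section Characteristics bit: contains code


def looks_like_windows_executable(data: bytes) -> bool:
    """The comment's check: 'MZ' at 0, little-endian 32-bit X at 0x3C, 'PE' at X.
    Truncated input or an X pointing outside the data is a non-match."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    return data[pe_offset:pe_offset + 2] == b"PE"


def has_code_section(data: bytes) -> bool:
    """Stricter variant: additionally require a section flagged as code."""
    if not looks_like_windows_executable(data):
        return False
    (pe_offset,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    coff = pe_offset + 4                      # COFF header follows 'PE\0\0'
    if len(data) < coff + COFF_HEADER_SIZE:
        return False
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_hdr_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + COFF_HEADER_SIZE + opt_hdr_size
    for i in range(num_sections):
        hdr = table + i * SECTION_HEADER_SIZE
        if len(data) < hdr + SECTION_HEADER_SIZE:
            return False                      # section table runs off the end
        (flags,) = struct.unpack_from("<I", data, hdr + 36)
        if flags & IMAGE_SCN_CNT_CODE:
            return True
    return False


def build_sample(section_flags: int) -> bytes:
    """Constructed PE-shaped blob (not a real program): MZ stub, e_lfanew = 0x40,
    empty optional header, one section carrying the given Characteristics."""
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)
    # Machine, NumberOfSections, TimeDateStamp, SymTab ptr, NumSyms, OptHdrSize, Flags
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    section = bytearray(SECTION_HEADER_SIZE)
    struct.pack_into("<I", section, 36, section_flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(section)


SAMPLE_EXE = build_sample(0x60000020)        # code | execute | read, like .text
SAMPLE_DATA_ONLY = build_sample(0x40000040)  # data-only container: no code section
SAMPLE_TEXT = b"Plain text attachment, nothing executable here.\n"
```

Both checks treat a truncated attachment, or a 0x3C offset that points past the end of the data, as "not an executable" rather than raising, which is what a mail filter needs.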

Date: 2002-10-25 12:22 pm (UTC)
From: [identity profile] rialtus.livejournal.com
Wish I could comment directly about exim, but instead I'll comment about our company's email AV policy. We block files with the following extensions: vbs; vbe; js; shs; exe; scr; bat; com; pif; lnk. We were originally sending out notifications to sender and intended receiver about a possible virus, but stopped that when LoveLetter hit and our Exchange servers (gugh!) became too overwhelmed.

Since then, we've had many a call from our clients receiving false virus responses from other people's email systems due to Klez. In a company of about 10,000, we probably get about 20 a week -- so much so that we have a canned response to those requests. "It's not your fault. Someone else you know has Klez. We're protected. Ignore the message. Have a day." Yes, it's said nicer than that! We're also very happy since Klez came out that we don't send messages out anymore, since we strip about 10,000 attachments a month. =)

Powered by Dreamwidth Studios