Klez, The Virus that Keeps on Giving
kylus writes "Wired is running a story about the continued escapades of the Klez virus, and the damage--both to finances and reputations--that it is leaving behind. Between emails from a dead friend and porno spam appearing to be sent from a priest, I think "Don't Believe the 'From' Line" is the correct lesson."
God bless Microsoft email viruses. I'm on a modem for a few weeks and downloading countless megs of mail viruses is extremely frustrating. 'Course I'm still getting SirCams.
telnet mail.xyz.com 110
:)
;)
user (username)
pass (password)
list
top (number of message to check) (number of body lines to show; the headers always come back)
dele (message to delete)
retr (number of message to read entirely)
quit
Quicker, cheaper, easier. This was one of the best tips I got from a friendly sysadmin.
Of course, I would ask why CmdrTaco didn't check the RFC, but hey, who am I to question slashdot's leader?
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
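The manual telnet session above can be scripted. The following is an added example (not the commenter's code) that does the same LIST / TOP / DELE dance with Python's poplib and decides what to throw away from the headers alone, so a big virus message never has to come down the modem. The mailbox responses, host name and credentials are constructed for illustration; the rule used here (large and multipart means it is carrying an attachment) is an assumption, not something the post prescribes.

```python
import poplib
from email.parser import BytesHeaderParser

# Constructed sample responses (not a real mailbox): what LIST and
# "TOP n 0" would return for a three-message POP3 mailbox.
SAMPLE_LIST = [b"1 1532", b"2 143221", b"3 2048"]
SAMPLE_TOPS = {
    1: [b"From: alice@example.test", b"Subject: lunch?",
        b"Content-Type: text/plain", b""],
    2: [b"From: someone@example.test", b"Subject: Hi",
        b'Content-Type: multipart/mixed; boundary="x"', b""],
    3: [b"From: bob@example.test", b"Subject: notes",
        b"Content-Type: text/plain", b""],
}

# Anything above this is not worth dragging over a modem unseen.
SIZE_LIMIT = 100 * 1024


def parse_list(lines):
    """Turn LIST response lines (b'<msg> <octets>') into {msg: octets}."""
    sizes = {}
    for line in lines:
        num, octets = line.decode("ascii").split()
        sizes[int(num)] = int(octets)
    return sizes


def headers_from_top(lines):
    """Parse the header block returned by TOP <msg> 0 (a few hundred bytes,
    however big the message is) into a Message object."""
    return BytesHeaderParser().parsebytes(b"\r\n".join(lines))


def delete_reason(size, headers, size_limit=SIZE_LIMIT):
    """Return why a message should be deleted unseen, or None to keep it.
    Assumed rule: large and multipart, i.e. it is carrying an attachment."""
    ctype = headers.get_content_type()
    if size > size_limit and ctype.startswith("multipart/"):
        return f"{size} bytes, {ctype}"
    return None


def plan_cleanup(list_lines, tops, size_limit=SIZE_LIMIT):
    """Offline version of the session: decide from LIST + TOP output alone."""
    plan = []
    for num, size in parse_list(list_lines).items():
        reason = delete_reason(size, headers_from_top(tops[num]), size_limit)
        if reason:
            plan.append((num, reason))
    return plan


def clean_mailbox(host, username, password, dry_run=True, size_limit=SIZE_LIMIT):
    """Same steps against a live server (hypothetical host and credentials).
    With dry_run=True nothing is deleted; only the plan is returned."""
    conn = poplib.POP3(host, 110)
    try:
        conn.user(username)
        conn.pass_(password)
        _, listing, _ = conn.list()
        tops = {}
        for line in listing:
            num = int(line.split()[0])
            _, top_lines, _ = conn.top(num, 0)   # headers only, no body
            tops[num] = top_lines
        plan = plan_cleanup(listing, tops, size_limit)
        if not dry_run:
            for num, _ in plan:
                conn.dele(num)
    finally:
        conn.quit()  # DELE only takes effect when the session ends with QUIT
    return plan


if __name__ == "__main__":
    for num, why in plan_cleanup(SAMPLE_LIST, SAMPLE_TOPS):
        print(f"would delete message {num}: {why}")
```

Run it against the constructed sample and only message 2 (140 KB, multipart) is marked; the two small text/plain messages are left for a normal fetch. Deletions are not committed until QUIT, which is why the session must be closed cleanly.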
Works wonders
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatently stolen sig)
Ever since we stopped allowing people to receive executable attachments (thanks to MIMEdefang!), the virii have all but disappeared. There is no need to scan for virii on a mail server. Just get rid of executable attachments (there's a big list of them in MIMEdefang's example configuration). All these trojans use stupid Outlook auto-execute tricks/bugs/features to propagate. Executables shouldn't be sent as a direct attachment anyway. Either wrap it up in a zip file (the recipient has no excuse when he infects himself) or put it up on the ftp site and send a URL. This has got to be one of the basic elements of securing a network where Outlook users lurk - no executable attachments (picture Joan Crawford on a rampage).
MIMEdefang also gives us the ability to call Mail::Spamassassin from a sendmail Milter, something Spamassassin itself does not yet support. The latest version also supports the File::Scan module for writing virus scanners in perl.
Edith Keeler Must Die
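The core of what the MIMEdefang configuration above does is walk the MIME tree and reject any part whose advertised filename ends in a blocked extension. Here is an added illustration in Python (not MIMEdefang's code, which is Perl, and not the commenter's); the extension list is the one from the procmail recipe posted later in this thread, the sample message and its addresses are constructed, and it checks both the Content-Disposition filename= and the Content-Type name= parameter, since either one is enough for Outlook to execute the part.

```python
from email import message_from_bytes
from email.message import EmailMessage

# Extensions taken from the procmail recipe posted in this thread;
# MIMEdefang's example config carries a much longer list.
BLOCKED_EXT = {"vbs", "wsf", "vbe", "wsh", "hta", "scr", "pif", "exe", "bat"}


def advertised_filenames(msg):
    """Every filename a MIME part advertises, from Content-Disposition
    filename= or, failing that, Content-Type name= (get_filename checks both)."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            yield name


def extension_of(name):
    """Last extension, lowercased, with whitespace stripped so that a
    padded name like 'notes.txt        .exe' is still seen as .exe."""
    name = name.strip()
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].strip().lower()


def blocked_attachments(raw):
    """Names of attachments a MIMEdefang-style filter would reject."""
    msg = message_from_bytes(raw)
    return [n for n in advertised_filenames(msg) if extension_of(n) in BLOCKED_EXT]


def build_sample():
    """Constructed message: one executable (blocked) and one zip (allowed),
    with made-up addresses and made-up content bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = "Hi"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.txt.exe")
    msg.add_attachment(b"PK\x03\x04", maintype="application",
                       subtype="zip", filename="report.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(blocked_attachments(build_sample()))
```

The zip passes, as the comment above intends (the recipient has to open it deliberately), and the double-extension executable is caught because only the final extension counts. Nested archives are not inspected; this mirrors the extension-only policy being described, not a virus scanner.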
It's a description of BadTrans, not Klez.
Dude... just use Procmail's built-in capabilities. No need to put an interpreted script in between your MTA and MDA. Out of the goodness of my heart, here's some actual working stuff to put in your /etc/procmailrc that dumps all email with executable attachments in /var/virusdump/:

#/etc/procmailrc
VIRUSLOG=/var/virusdump/viruslog

# Use procmail's match feature to grab the To: and From: headers
:0
* ^To:\/.*
{
  HTO="$MATCH"
}

:0
* ^From:\/.*
{
  HFR="$MATCH"
}

NL="
"

# Mail that sendmail is delivering to the quarantine user (the copy
# forwarded below) goes straight into the dump folder. This recipe has
# to come before the attachment check, or the copy would be caught again.
:0
* .*for virususer;.*
/var/virusdump/virususer

# Scan header and body for an attachment with a dangerous extension.
# (The extension list was cut off after "bat|j" in the original post;
# add any further extensions you want blocked here.)
:0 HB
* ^Content-type:.*
* name=".*\.(vbs|wsf|vbe|wsh|hta|scr|pif|exe|bat)"
{
  # keep a copy in the quarantine mailbox
  :0 c
  ! virususer

  # tell the (apparent) sender what happened
  :0 c
  | (/usr/bin/formail -r; \
     echo -e "This is an auto-generated message on behalf of${HTO}:\n\
\n\
The email referenced above, which was sent from your address, \n\
had a virus-vulnerable attachment (such as .EXE, .VBS, .PIF, etc).\n\
\n\
This mail server no longer accepts mail with virus-vulnerable \n\
attachments and the email has been quarantined.\n\
Please try resending your attachment in a safe format such as ZIP. \n\
Contact support@iocc.com if you have any questions") \
    | mail -s "Possible virus deleted" "${HFR}"

  # log it
  :0 c
  | echo "VIRUS From:${HFR} To:${HTO}" >> $VIRUSLOG

  # and drop the original
  :0
  /dev/null
}