LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 09-23-2003, 04:58 AM   #1
satimis
Senior Member
 
Registered: Apr 2003
Posts: 3,661

Rep: Reputation: 54
URGENT - How to stop M$ invasion


Hi all folks

RH9
Evolution 1.4
==========

My PC has been invaded by M$ junk mails for 2 days. The filter on Evolution 1.4 can't stop them. They are bouncing all the tme.

I hava MailScanner and H+ BEDV AntiVir running but with no effect. I think they are not built for filtering emails downloaded by email software via POP/POP3

Kindly advise where can I find an AntiVirus software from Open Source similar to Norton on M$

Thanks in advance.

B.R.
satimis
 
Old 09-23-2003, 06:26 AM   #2
codec
Member
 
Registered: Sep 2003
Location: mad.es.eu
Distribution: ubuntu 5.04 knoppix Slack91/10 freebsd51 vector4 redhat9
Posts: 304

Rep: Reputation: 30
spam:
- I create my filters to kick out all emails from my ISP, bulk emails and from email that is not in my list (extremely effective)
- spamassasin may help
- use a email with antispam may help you to remove about 50% of spams

antivirus:
- login as users and it would be fine.
 
Old 09-23-2003, 06:27 AM   #3
yapp
Member
 
Registered: Apr 2003
Location: Netherlands
Distribution: SuSE (before: Gentoo, Slackware)
Posts: 613

Rep: Reputation: 30
how about regular expressions filtering?

I'm not sure how your evolution mail works. I use a completely different approach to process my e-mail, and one steps involves "maildrop". (to drop the mail in my ~/Mailbox/)

In my ~/.mailfilter file, I've added a few filters. They use regular expressions. I hope there is something in there you can use Most virus e-mails abuse the <iframe> tag in an html-email, to load/execute an attachment directly. It's the first thing you might want to filter.

Code:
# email up to 50 kb

if($SIZE < 50000)
{

  # Match the <iframe> exploit of outlook express, that causes execution
  # of programs, loaded my the iframe, because on an mangled content type.
  #
  if( /<iframe src=3D"?cid:/:b )
  {
    log "*SPAM* outlook <iframe> exploit"
    to "Maildir/.Spam"
  }


  ## TODO: 2 step filtering: name, then extension2

  # Remove attachments with unwanted file extensions
  # It seams another nasty trick is also popular:
  # A lot of spaces between the .ext and .pif extension.
  #
  #  Content-Type: audio/x-midi
  #  <tab>    name=file.ext       .pif
  #
  if( /[\n\r]Content\-Type: [a-zA-Z\-\/]+;[\n\r]*[:space:]+name=.*\.(bat|pif|scr)"?[\n\r]/:bw )
  {
    log "*SPAM* unwanted extensions in content-type"
    to "Maildir/.Spam"
  }

  #  Content-Disposition: attachment; filename=file.src
  if( /[\n\r]Content\-Disposition: attachment;[\n\r]*[:space:]+filename=.*\.(bat|pif|scr|exe)"?[\n\r]/:bw )
  {
    log "*SPAM* unwanted extensions in content-disposition"
    to "Maildir/.Spam"
  }
}

Last edited by yapp; 09-23-2003 at 06:28 AM.
 
Old 09-23-2003, 08:11 AM   #4
satimis
Senior Member
 
Registered: Apr 2003
Posts: 3,661

Original Poster
Rep: Reputation: 54
Re: how about regular expressions filtering?

Quote:
Originally posted by yapp
I'm not sure how your evolution mail works. I use a completely different approach to process my e-mail, and one steps involves "maildrop". (to drop the mail in my ~/Mailbox/)

In my ~/.mailfilter file, I've added a few filters. They use regular expressions. I hope there is something in there you can use Most virus e-mails abuse the <iframe> tag in an html-email, to load/execute an attachment directly. It's the first thing you might want to filter.

Code:
# email up to 50 kb

if($SIZE < 50000)
{

  # Match the <iframe> exploit of outlook express, that causes execution
  # of programs, loaded my the iframe, because on an mangled content type.
  #
  if( /<iframe src=3D"?cid:/:b )
  {
    log "*SPAM* outlook <iframe> exploit"
    to "Maildir/.Spam"
  }


  ## TODO: 2 step filtering: name, then extension2

  # Remove attachments with unwanted file extensions
  # It seams another nasty trick is also popular:
  # A lot of spaces between the .ext and .pif extension.
  #
  #  Content-Type: audio/x-midi
  #  <tab>    name=file.ext       .pif
  #
  if( /[\n\r]Content\-Type: [a-zA-Z\-\/]+;[\n\r]*[:space:]+name=.*\.(bat|pif|scr)"?[\n\r]/:bw )
  {
    log "*SPAM* unwanted extensions in content-type"
    to "Maildir/.Spam"
  }

  #  Content-Disposition: attachment; filename=file.src
  if( /[\n\r]Content\-Disposition: attachment;[\n\r]*[:space:]+filename=.*\.(bat|pif|scr|exe)"?[\n\r]/:bw )
  {
    log "*SPAM* unwanted extensions in content-disposition"
    to "Maildir/.Spam"
  }
}
Hi,

Thanks for your response.

On clicking 'Send/Receive' Evolution will drop emails via POP3 from ISP to inbox under;

As USER
/home/satimis/evolution/local/inbox

As ROOT
/root/evolution/local/inbox

I could locat 'mailfilter' file in my OS. 'locate' and 'find' could not found it.

B.R.
satimis
 
Old 09-23-2003, 08:20 AM   #5
satimis
Senior Member
 
Registered: Apr 2003
Posts: 3,661

Original Poster
Rep: Reputation: 54
Quote:
Originally posted by codec
spam:
- I create my filters to kick out all emails from my ISP, bulk emails and from email that is not in my list (extremely effective)
- spamassasin may help
- use a email with antispam may help you to remove about 50% of spams

antivirus:
- login as users and it would be fine.
Hi,

Thanks for your advice.

- I created fillters on Evolution but they could not work because M$ bouncing junk mails transform rapidly, changing Sender and Recepient address, Subject, etc.
- I have no experience on spamassasin, please give me some advice. Thanks.

antivirus:
Whether you meant 'H+ BEDV AntiVir'? It is already running on my PC

B.R.
satimis
 
Old 09-23-2003, 10:01 AM   #6
crashmeister
Senior Member
 
Registered: Feb 2002
Distribution: t2 - trying to anyway
Posts: 2,541

Rep: Reputation: 47
You can create a filter that pipes every mail thats - lets say smaller that 20000 thru spamassin and have it mark the mails it thinks are spam with 'whateveryouwant'.Then you'll need another filter that sorts messages marked as 'whateveryouwant' in a spam folder.Be careful what you use there - if you have them marked as 'linux' everything Linux goes to the spam folder.
There is a nice configuration tool for spamassasin at http://www.yrex.com/spam/spamconfig.php
If you are referring to the lately rampant emails with W32/Swen you will be disapointed because I don't think you can filter those efficient with spamassasin with out triggering a lot of false positives.
 
Old 09-23-2003, 11:46 AM   #7
velska
Member
 
Registered: Aug 2003
Location: Finland
Distribution: Fedora 14, Ubuntu 10.4 LTS
Posts: 65

Rep: Reputation: 15
M$ or what

I think you're getting mails caused by Swen worm - See F-Secure's site for example

It's another sneaky virus that is doing its best to look like M$ support mail. It only works with M$IE exploder, so you're home free.

Also, don't open emails that look suspicious, anyway - although I can't always tell
 
Old 09-23-2003, 12:40 PM   #8
satimis
Senior Member
 
Registered: Apr 2003
Posts: 3,661

Original Poster
Rep: Reputation: 54
Quote:
Originally posted by crashmeister
You can create a filter that pipes every mail thats - lets say smaller that 20000 thru spamassin and have it mark the mails it thinks are spam with 'whateveryouwant'.Then you'll need another filter that sorts messages marked as 'whateveryouwant' in a spam folder.Be careful what you use there - if you have them marked as 'linux' everything Linux goes to the spam folder.
There is a nice configuration tool for spamassasin at http://www.yrex.com/spam/spamconfig.php
If you are referring to the lately rampant emails with W32/Swen you will be disapointed because I don't think you can filter those efficient with spamassasin with out triggering a lot of false positives.
Hi,

I think I'm being invaded by W32/Swen. Although it did not cause damage to my OS but lots of deleting work are required. I am now searching for a solution to keep them out.

B.R.
satimis
 
Old 09-23-2003, 12:46 PM   #9
satimis
Senior Member
 
Registered: Apr 2003
Posts: 3,661

Original Poster
Rep: Reputation: 54
Re: M$ or what

Quote:
Originally posted by velska
I think you're getting mails caused by Swen worm - See F-Secure's site for example

It's another sneaky virus that is doing its best to look like M$ support mail. It only works with M$IE exploder, so you're home free.

Also, don't open emails that look suspicious, anyway - although I can't always tell
Hi,

Those disguised M$ support mails caused me lot of disturbance although it did not damage my PC. I am searching hard for a solution.

B.R.
satimis
 
Old 09-23-2003, 12:47 PM   #10
yapp
Member
 
Registered: Apr 2003
Location: Netherlands
Distribution: SuSE (before: Gentoo, Slackware)
Posts: 613

Rep: Reputation: 30
Re: Re: how about regular expressions filtering?

Quote:
Originally posted by satimis
I could locat 'mailfilter' file in my OS. 'locate' and 'find' could not found it.
I'm sorry for the confusion.. I didn't ment to start looking for "mailfilter". I'd given you some hints for regular expression parsing.

In my case, I use 'maildrop' (with an .mailfilter file). But regular expressions are a very common thing in UNIX environments.
 
Old 09-23-2003, 01:04 PM   #11
crashmeister
Senior Member
 
Registered: Feb 2002
Distribution: t2 - trying to anyway
Posts: 2,541

Rep: Reputation: 47
Easiest way to deal with something like that - get an email provider that does scan for viruses and use the line they put in the mail to filter it.Other than that you'd need to put your own virus scanner in there to filter it.
 
Old 09-23-2003, 01:14 PM   #12
Genesee
Member
 
Registered: Dec 2002
Distribution: Slackware
Posts: 927

Rep: Reputation: 30
Re: how about regular expressions filtering?

Quote:
Originally posted by yapp
In my ~/.mailfilter file, I've added a few filters. They use regular expressions. I hope there is something in there you can use Most virus e-mails abuse the <iframe> tag in an html-email, to load/execute an attachment directly. It's the first thing you might want to filter.
thanks for your post yapp - very informative

ps: your sig. is brilliant
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
boot sector and lilo collapse !!!!! URGENT URGENT URGEN !!!!! frelihm Linux - Software 21 12-02-2009 11:21 AM
Urgent Question Regarding Urgent Questions! Need Help Now! Crashed_Again LQ Suggestions & Feedback 11 10-17-2007 09:07 PM
How do I stop services from restarting after I stop them? M$ISBS Linux - Software 3 10-27-2005 09:13 PM
anyone have UFO Alien Invasion working?? trey85stang Linux - Games 0 03-25-2004 07:09 PM
Urgent Urgent !!!! Mozilla Keeps All Your Deleted Emails !!!! odin123 Linux - Software 2 01-31-2004 03:22 AM


All times are GMT -5. The time now is 02:51 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration