Contributed by Dengue on from the lowest-common-denominator dept.
[Updated mc file available]
[Updated yet again to handle the .F, .G, & .I variants]
Let's face it, if you click on anything attached to an email reading:
"kindly check the attached LOVELETTER coming from me."
    [ Part 2, Application/OCTET-STREAM (Name: ]
    [ "LOVE-LETTER-FOR-YOU.TXT.vbs") 10KB. ]
    [ Cannot display this part. Press "V" then "S" to save in a file. ]

You are naive and stupid.

Hey, brother, I have a BRIDGE I'd like to sell you.

I won't even go there about the Outlook mail client.
But I recognize that some of us are responsible for some of them, so courtesy of BUGTRAQ and SENDMAIL I present for you a modified openbsd-proto.mc that you can use to regenerate your /etc/sendmail.cf or /etc/mail/sendmail.cf. To do that:
    m4 openbsd-proto-iloveyou.mc > sendmail-new.cf
    cp /etc/sendmail.cf /etc/sendmail.bak
    cp sendmail-new.cf /etc/sendmail.cf
    kill -HUP `head -1 /var/run/sendmail.pid`

I recommend checking the maillog to make sure sendmail restarted correctly, and then testing the ruleset. You should see something like this:

    May 5 04:52:25 eris sendmail[32355]: restarting /usr/sbin/sendmail on signal
    May 5 04:52:25 eris sendmail[13476]: starting daemon (8.9.3): SMTP+queueing@00:30:00
    May 5 04:52:39 eris sendmail[24874]: EAA24874: ruleset=Check_Subject, arg1=ILOVEYOU, relay=dengue@localhost, reject=553 This message may contain the LoveLetter virus.
    May 5 04:52:39 eris sendmail[24874]: EAA24874: from=, size=365, class=0, pri=30365, nrcpts=1, msgid= ,proto=ESMTP, relay=dengue@localhost

Now keep in mind, this is a BRAINDEAD® solution to this, since all you have to do to defeat it is change the subject line. A better fix would be attachment content scanning. I encourage everyone to submit better rulesets, and I will post them here.
This solution was built and tested on Sendmail 8.9.3 on OpenBSD 2.6. YMMV
-jim
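
The limitation described above, as an added example that is not part of the original post or the posted mc file: a fixed-subject match compared with a check on attachment filenames, run over three constructed messages. The filename check is a simpler stand-in for real attachment content scanning; the function names, addresses and extension list are assumptions made for illustration.

```python
import os
from email import message_from_string
from email.message import EmailMessage

# Assumption: this extension list is illustrative; only .vbs comes from the page.
RISKY_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
             ".exe", ".scr", ".pif", ".bat", ".com"}

def subject_rule(msg):
    """Fixed-string subject match, like the arg1=ILOVEYOU reject in the log above."""
    return (msg.get("Subject") or "").strip().upper() == "ILOVEYOU"

def risky_attachments(msg):
    """Filenames of MIME parts whose last extension is a script or executable type."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Only the final extension counts, so NAME.TXT.vbs is judged as .vbs.
        ext = os.path.splitext(name.strip().lower())[1]
        if ext in RISKY_EXT:
            hits.append(name)
    return hits

def build(subject, filename):
    """Constructed sample message; the attachment body is a harmless placeholder."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "rcpt@example.org"
    m["Subject"] = subject
    m.set_content("kindly check the attached LOVELETTER coming from me.")
    m.add_attachment(b"placeholder bytes, not script content",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    # Round-trip through text so the checks see what a filter would parse.
    return message_from_string(m.as_string())

ORIGINAL = build("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs")
NEW_SUBJECT = build("Quarterly numbers", "LOVE-LETTER-FOR-YOU.TXT.vbs")
PLAIN_TEXT = build("ILOVEYOU", "notes.txt")

if __name__ == "__main__":
    for label, m in (("original", ORIGINAL), ("new subject", NEW_SUBJECT),
                     ("plain text", PLAIN_TEXT)):
        print(f"{label:12} subject_rule={subject_rule(m)} "
              f"risky={risky_attachments(m)}")
```

The second message gets past the subject match but is still flagged by filename; the third is rejected on subject alone even though its attachment is plain text.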
(Comments are closed)
By Anonymous Coward () on
By Tyrann () Tyrann@Astux.com on http://www.Astux.com
Source: http://www.nai.com/asp_set/about_nai/press/releases/pr_template.asp?PR=/PressMedia/05042000-E.asp&Sel=750
By KG Higgins () tatlin@bootmail.com on mailto:tatlin@bootmail.com
I will. If you went to an IS manager and told them "I'm going to install client software on all of your desktops that introduces subtle and frustrating inconsistencies into the way it handles the protocols it is supposed to be implementing. As an added bonus, this client will allow perfect strangers to send arbitrary code to it from anywhere, which it will then execute without reference to any sort of security model."
Strangely, they said yes. The fact that Outlook (or Active X within a browser) does this is just too farfetched I guess.
Back in - 1995? I think? - I remember getting a couple of panicked messages from people who had received the "Good Times" virus hoax message. I reassured them that although it was good to be cautious, there was no chance that a virus like this could exist. I'm thinking somehow Good Times got included in the requirements doc for MS Outlook by mistake, and they went ahead and built something that would make it possible.