By now, we all know that the main reason there are so many viruses and spam going around these days are Zombie PCs. These are Windows machines which heir owners did not upgrade, and which got attacked by one of the many exploits for Outlook Express, Outlook or Internet Explorer.

Why do these people not update Windows? Because to them, there doesn’t seem to be a problem, not until it’s too late. So let’s tell them – reject email from Outlook/Express if it’s not one of the latest versions. Some people might want to reject all Outlook email, but I wouldn’t go that far, yet.

There are two good ways to go about this: at SMTP time, or in your mail filter. I’m using Exim 4 and procmail for my two examples here, YMMV but you’ll get the point.

To make exim reject old Outlook versions, we can write a system filter. In general, this is sotred in /etc/exim/system-filter.exim. Your rule could look something like this:

if $h_x-mailer: contains "Outlook"
   and ( $h_x-mailer: matches "5\.[50]0\." or $h_x-mailer: matches "6\.00\.2[678]" )
then
    fail "<> \
         This message has been rejected because it was sent from an \n\
         unsafe computer.\n\
         If you intended to send us email in the future, please go to \n\
         http://windowsupdate.microsoft.com/ and install any available \n\
         security updates."
    seen finish
endif

This rule will reject mail from versions 5.0, 5.5 and from older 6.0 versions at SMTP time (so the mail never really makes it into your system) and send a failure message back to the server. You can easily extend it to cover more versions. If you want to know which version of Outlook / Outlook Express is currently considered “safe” by Microsoft, you can find them on this page.

You may not have access to your system mail filter, or may not want to go so far as to reject the mail – maybe a warning is all it takes? And maybe you don’t have exim on your system. Then you can try combining a procmail recipe with a script. In your .procmailrc file, simply add these lines:

:0 ihc:oe.lock
* ^X-Mailer: Microsoft Outlook Express \/.*
| $HOME/bin/oewarn.sh $MATCH

The oewarn.sh bash script is a wrapper around a python script doing the detection, that will send a reply in case we don’t like the version. It looks like this:

#!/bin/sh
SENDMAIL="/usr/sbin/sendmail"
$HOME/bin/oewarn.py "$1" || ( formail -r -I"Precedence: junk" -A"X-Loop: eressea@eressea.upb.de" ; \
  cat $HOME/bin/oewarn.txt ) | $SENDMAIL -t

The text file oewarn.txt contains your nastygram message – what you want the sender to receive. The python script oewarn.py contains the magic to decide what version we have and whether we like it:

#!/usr/bin/env python
from sys import argv, exit
from string import split

def verify(versionstr):
    version = split(versionstr, '.')
    if len(version)==4:
        try:
            major, minor, release, build = map(lambda x: int(x), version)
            if major < 6 or release < 2800 or build < 1123:
                return 1
        except:
            pass
    return 0

exit(verify(argv[1]))

In my case, the message you receive would read like this:

Your computer is a danger to the Internet!

You are running a severely outdated version of Outlook Express (and possible
Internet Explorer). These two programs are the main reason the Internet is
clogged with spam and viruses today. Using Outlook Express is bad enough;
but failing to install critical updates is criminal negligence.

You will be given up to 3 warnings before we refuse to accept further emails
from your account. If you want to continue sending email to this address,
please update your software. Or even better, use a modern, safe Mail
program: http://www.mozilla.org/projects/thunderbird/

If you have a question regarding this policy, please contact
postmaster@eressea.de
Advertisements