Get off my network if you can’t update your computer!

By now, we all know that the main reason there are so many viruses and spam going around these days are Zombie PCs. These are Windows machines which heir owners did not upgrade, and which got attacked by one of the many exploits for Outlook Express, Outlook or Internet Explorer.

Why do these people not update Windows? Because to them, there doesn’t seem to be a problem, not until it’s too late. So let’s tell them – reject email from Outlook/Express if it’s not one of the latest versions. Some people might want to reject all Outlook email, but I wouldn’t go that far, yet.

There are two good ways to go about this: at SMTP time, or in your mail filter. I’m using Exim 4 and procmail for my two examples here, YMMV but you’ll get the point.

To make exim reject old Outlook versions, we can write a system filter. In general, this is sotred in /etc/exim/system-filter.exim. Your rule could look something like this:

if $h_x-mailer: contains "Outlook"
   and ( $h_x-mailer: matches "5\.[50]0\." or $h_x-mailer: matches "6\.00\.2[678]" )
    fail "<> \
         This message has been rejected because it was sent from an \n\
         unsafe computer.\n\
         If you intended to send us email in the future, please go to \n\ and install any available \n\
         security updates."
    seen finish

This rule will reject mail from versions 5.0, 5.5 and from older 6.0 versions at SMTP time (so the mail never really makes it into your system) and send a failure message back to the server. You can easily extend it to cover more versions. If you want to know which version of Outlook / Outlook Express is currently considered “safe” by Microsoft, you can find them on this page.

You may not have access to your system mail filter, or may not want to go so far as to reject the mail – maybe a warning is all it takes? And maybe you don’t have exim on your system. Then you can try combining a procmail recipe with a script. In your .procmailrc file, simply add these lines:

:0 ihc:oe.lock
* ^X-Mailer: Microsoft Outlook Express \/.*
| $HOME/bin/ $MATCH

The bash script is a wrapper around a python script doing the detection, that will send a reply in case we don’t like the version. It looks like this:

$HOME/bin/ "$1" || ( formail -r -I"Precedence: junk" -A"X-Loop:" ; \
  cat $HOME/bin/oewarn.txt ) | $SENDMAIL -t

The text file oewarn.txt contains your nastygram message – what you want the sender to receive. The python script contains the magic to decide what version we have and whether we like it:

#!/usr/bin/env python
from sys import argv, exit
from string import split

def verify(versionstr):
    version = split(versionstr, '.')
    if len(version)==4:
            major, minor, release, build = map(lambda x: int(x), version)
            if major < 6 or release < 2800 or build < 1123:
                return 1
    return 0


In my case, the message you receive would read like this:

Your computer is a danger to the Internet!

You are running a severely outdated version of Outlook Express (and possible
Internet Explorer). These two programs are the main reason the Internet is
clogged with spam and viruses today. Using Outlook Express is bad enough;
but failing to install critical updates is criminal negligence.

You will be given up to 3 warnings before we refuse to accept further emails
from your account. If you want to continue sending email to this address,
please update your software. Or even better, use a modern, safe Mail

If you have a question regarding this policy, please contact

2 thoughts on “Get off my network if you can’t update your computer!

  1. i´ll vote for this, as my part-time university job is zombie-(pc)-hunting…
    is there some way i can do this with my (don´t hurt me) XP-eudora-pc?

  2. Eudora was good in the old days, but it simply hasn’t kept up. They have a small user base of hardcore people that remember the days of expensive modem dialup and trumpet winsock, and seem to be content with that.

    But that’s beside the point, really – the method described here is one for unix, and those tools (procmail, exim filters) don’t exist there. The whole point is to install them on your mailserver, and I pray that you don’t run your mail server on XP?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s