The Here You Have worm, also known as Visal.B, has been spreading through network shares and email (more details on Microsoft’s Malware Protection Center web site). When spreading through email, the worm sends itself to your contacts with the following strings in the Subject field and message body:
- Subject: Here you have
Body:
Hello:This is The Document I told you about,you can find it Here.
http://www.sharedocuments.com/library/PDF_Document21.025542010.pdfPlease check it and reply as soon as possible.
Cheers,
- Subject: Just for you
Body:
Hello:This is The Document I told you about,you can find it Here.
http://www.sharedocuments.com/library/PDF_Document21.025542010.pdfPlease check it and reply as soon as possible.
Cheers,
- Subject: hi
Body:
Hello:This is The Free Dowload Sex Movies,you can find it Here.
http://www.sharemovies.com/library/SEX21.025542010.wmvEnjoy Your Time.
Cheers,
In Exchange Server 2010/2007, you can use Transport Rules to quickly and easily prevent such malware from spreading by email. Transport Rule Predicates (or Conditions in the Transport Rule wizard) and Actions are the building blocks of a transport rule. You can use rule conditions to inspect the content of different parts of a message such as message headers, sender/recipients, message subject, and message body. In Exchange 2010, the Transport Rules agent can also inspect attachment content.
See Transport Rule Predicates and Transport Rule Actions for the full list of available predicates and actions.
Creating the Transport Rule
You can use the New Transport Rule wizard in the EMC or the New-TransportRule cmdlet (Cmdlet reference: Exchange 2010 | Exchange 2007) from the Shell (EMS) to create transport rules.
To catch messages whose subject or body matches the examples above, use the when the Subject field or message body contains specific words predicate (SubjectOrBodyContains when using the Shell), which inspects both the message subject and the body. Alternatively, you can use predicates that match only the Subject field (when the Subject field contains specific words in the EMC, or SubjectContains in the Shell), or the predicates that match the content of these fields against regular expressions.
To delete messages matching the condition, use the Delete the message without notifying anyone action (DeleteMessage in the Shell).
Test transport rules, particularly rules that take actions such as deleting messages, in a non-production environment before applying them in production. IMPORTANT: a transport rule with no conditions specified applies to all messages.
Create the transport rule using the EMC
- Go to Organization Configuration > Hub Transport > Transport Rules tab > click New Transport Rule
- On the Introduction page, type a name and optionally a description for the rule.
- On the Conditions page, select the when the Subject field or message body contains specific words condition [see screenshot]
- In the rule description, click specific words and enter the strings found in the ‘Here You Have’ messages [see screenshot]
- On the Actions page, select the Delete message without notifying anyone action.
- On the Exceptions page, select any exception predicates. No exceptions are used in this example because the strings used in the SubjectOrBodyContains predicate are very specific to the ‘Here You Have’ worm and unlikely to occur in normal messages exchanged by your recipients.
More in Create a Transport Rule in Exchange 2010 documentation.
Create the transport rule using the Shell
This command creates a transport rule that deletes messages containing any of the following strings in the message subject or body:
New-TransportRule "Delete Here You Have" -Priority 0 -SubjectOrBodyContains "Here you have","Just for you","http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf","http://www.sharemovies.com/library/SEX21.025542010.wmv" -DeleteMessage $true
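As an added example (not part of the original post), the following Shell script builds the same block on the regular-expression predicates mentioned earlier (SubjectMatchesPatterns and SubjectOrBodyMatchesPatterns) instead of SubjectOrBodyContains, which matches a string anywhere inside the field. Anchoring the subject patterns with ^ and $ means the rule fires only on the worm's exact subjects, while the URL patterns catch all three lures whatever the subject. Two rules are created because all conditions within a single transport rule must match for its action to run. The rule names, the Comments text, the create-disabled-then-enable workflow and the backslash escaping of the dots in the URLs are assumptions; the subject and URL strings are the ones quoted above.

```powershell
# Added example, not from the original post. Assumes the Exchange Management
# Shell on an Exchange 2010 Hub Transport server. Rule names, Comments text
# and the escaping style are assumptions; subject/URL strings are from the
# worm messages quoted in the post.

# Exact-subject patterns: '^' and '$' anchor the whole Subject field, so a
# normal message such as "here you have the Q3 report" does not match.
$subjectPatterns = @('^Here you have$', '^Just for you$')

# Lure URLs: dots are escaped so they match literally (assumption: backslash
# escaping as documented for transport rule pattern syntax).
$urlPatterns = @(
    'http://www\.sharedocuments\.com/library/PDF_Document21\.025542010\.pdf',
    'http://www\.sharemovies\.com/library/SEX21\.025542010\.wmv'
)

# Rule 1: URL anywhere in subject or body. Created disabled so the stored
# patterns can be reviewed before any message is deleted.
New-TransportRule -Name 'Delete Here You Have (URL)' -Priority 0 `
    -SubjectOrBodyMatchesPatterns $urlPatterns `
    -DeleteMessage $true -Enabled $false `
    -Comments 'Visal.B / Here You Have worm: lure URLs'

# Rule 2: exact lure subjects only. Kept as a separate rule because the
# conditions inside one rule are ANDed, and a message carrying only the URL
# (or only the subject) should still be caught.
New-TransportRule -Name 'Delete Here You Have (Subject)' -Priority 1 `
    -SubjectMatchesPatterns $subjectPatterns `
    -DeleteMessage $true -Enabled $false `
    -Comments 'Visal.B / Here You Have worm: exact lure subjects'

# Review what Exchange actually stored (State should show Disabled).
Get-TransportRule |
    Where-Object { $_.Name -like 'Delete Here You Have*' } |
    Format-List Name, State, Priority, SubjectOrBodyMatchesPatterns, `
                SubjectMatchesPatterns, DeleteMessage

# Enable only after the rules have been verified in a test environment.
Enable-TransportRule -Identity 'Delete Here You Have (URL)'
Enable-TransportRule -Identity 'Delete Here You Have (Subject)'
```

Run this in the Shell of a non-production environment first; the Get-TransportRule output shows the patterns exactly as stored, which is the place to confirm that the escaping survived before the rules are enabled and start deleting mail.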
Transport Rules contain a large number of predicates and actions to allow you to apply your organization’s messaging policies and also protect your organization from harmful content. You can use them as an additional layer of protection, besides the Exchange-specific antivirus/antispam software you likely run on your Exchange 2010/2007 Transport and Mailbox servers.
Transport Rules can also be a valuable part of your defense against new malware in the wild, which can go undetected by your antivirus software until the vendor has created a signature and your servers have downloaded it.
Comments (6)
I don’t think it makes sense to delete messages if they contain the strings “Here you have” or “Just for you” in the subject. From my point of view these strings are pretty common in regular mails. I think you should only match on the problematic URL in the body.
These are examples. You should use what works best for your organization. If all emails contain the specific URLs shown in the above example (as noted in the MSRC link), the URLs should suffice.
I agree with Willi. These examples are poor and aren’t even worth a blog post. If you’re going to create an example, at least do it credibly and with some intelligence.
Hi Bharat, is it possible to create a rule to scan the content of an attachment?
Yes, using transport rules you can scan content in supported attachments. Use either of the following predicates:
1. AttachmentContainsWords
2. AttachmentMatchesPatterns
See Transport Rule Predicates for details.
Hi All, I’ve reviewed this post, but I only have one doubt regarding it.
If I configure a Transport Rule to block some email based on the content of the subject or body,
e.g. I want to block the following word: “artic”, so if someone sends me an email containing the following: “I send you this article”, I expect Exchange to let this pass, but it seems that Exchange is blocking the email because it contains the word “article”, which matches the word “artic” configured in the transport rule. Is this correct or normal behaviour?
What is the correct way to configure Exchange so that it only matches mail that has the word “artic” and lets “I send you this article” pass, because it is a different word: artic is not the same as article.
Hope that you guys could bring me some light on this.
Regards.