[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] Re: Filtering sobig with postfix
- To: vogt@hansenet.com
- Subject: Re: [Full-Disclosure] Re: Filtering sobig with postfix
- From: Robert Banniza <robert@rootprompt.net>
- Date: Sat, 23 Aug 2003 14:01:21 -0500
Sorry if this has already been posted as I haven't read the full thread.
However, I'm blocking SoBig with the following entry in body_checks:
/(filename|name)=.*\.((doc|zip|exe|xls|jpg|gif|png|pdf)\.exe|bat|asd|chm|com|dll|hlp|hta|js|jse|lnk|ocx|pif|scr|shb|shs|vb|vbe|vbs|vxd|wsf|wsh)/
reject
Robert
On Thu, Aug 21, 2003 at 07:05:49AM -0500, vogt@hansenet.com wrote:
> > Yep, as the OP is using postfix, he could use the
> > header_checks directive,
> > which can identify MIME headers, so he can easily stop this worm.
> > Just check for Content-Disposition header and block
> > everything with .pif in
> > filename.
>
> Thought about that, but doesn't quite work. The headers only say
> multipart/mime. The .pif part comes later in the attachment.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> ________________________________________________________________________
> This email has been scanned for all viruses by the MessageLabs Email
> Security System. For more information on a proactive email security
> service working around the clock, around the globe, visit
> http://www.messagelabs.com
> ________________________________________________________________________
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html