[CLUE-Tech] whitelisting subjects?
Nate Duehr
nate at natetech.com
Wed Dec 10 23:03:08 MST 2003
On Wednesday 10 December 2003 09:59 pm, Mike Staver wrote:
> So Dan, do you think this will work?
>
> :0 B
>
> * ^ *Content-Disposition: attachment;
> * filename=".*\.(vbs|scr|pif|com|exe|bat|dll)"
> /dev/null
This isn't quite the same syntax, but I found this exim filter somewhere (no,
I didn't write it, but I have modified it a bit...) that I use.
It catches even more of the oddball file extensions for ya.

#exim filter for attachment nasties
if $message_body matches
"(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"
then
<blah... whatever you want to do...>
seen finish
endif

That's going to line wrap and be really nasty probably, but you'll see the
differences and be able to translate to procmail's flavor of regex, etc.
Have fun letting your server throw away junk. ;-)
Some people add .zip to the list too, but I let that one in.
However... Speaking of .zip files, there was a nasty e-mail virus running
around that was discussed on NANOG recently where the virus was sent in a
password-protected .zip file; the text part of the e-mail contained a request
to the end-recipient to "open this file with this password to see my photos"
or whatever...
Some (dumb) virus scanners couldn't open the .zip and were configured to
forward it on and not quarantine it -- the silly end-users were actually
opening it... insta-virus. Ugh. I hope the better mail-server-integrated
virus scanners would check the return result of the .zip file open and
quarantine anything that was never actually opened... sigh...
One good quote came out of the thread though -- something along the lines
of... "People's desire to be safe is superseded by the promise of dancing
hamsters."
Heh! Or something like that... funny stuff.
Nate Duehr, nate at natetech.com
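
Added example, not part of the post above or of the exim filter it quotes: a Python sketch of the same attachment policy that parses the MIME structure instead of regex-matching the raw body, and quarantines any .zip it cannot open or whose members are encrypted. The function names (verdict, zip_verdict, make_zip, sample) and the verdict strings are assumptions made for illustration, the sample messages are constructed, and checking file names inside the archive goes one step beyond what the post describes.

```python
import email, email.policy, io, re, zipfile
from email.message import EmailMessage

# Extension list copied from the exim filter regex quoted in the post.
BLOCKED = re.compile(
    r"\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk"
    r"|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])$", re.I)

def zip_verdict(data):
    """Return a verdict for a .zip payload, or None if it was fully inspected."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                    return "quarantine: encrypted zip member"
                if BLOCKED.search(info.filename):
                    return "reject: blocked file inside zip"
    except zipfile.BadZipFile:  # archive could not be opened at all
        return "quarantine: unreadable zip"
    return None

def verdict(raw):
    """Walk every MIME part and judge it by its attachment filename."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    for part in msg.walk():
        name = (part.get_filename() or "").strip()
        if BLOCKED.search(name):
            return "reject: blocked extension"
        if name.lower().endswith(".zip"):
            found = zip_verdict(part.get_payload(decode=True) or b"")
            if found:
                return found
    return "accept"

def make_zip(member, encrypted=False):
    """Constructed test archive; 'encrypted' only sets the flag bit, no real crypto."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed sample")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.rfind(b"PK\x01\x02") + 8] |= 0x01  # flag word in central directory
    return bytes(data)

def sample(filename, payload):  # constructed message: text part plus one attachment
    m = EmailMessage()
    m.set_content("open this file with this password to see my photos")
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

The point of zip_verdict is that "could not look inside" is treated as a finding in its own right and never falls through to "accept".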