[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20030823190121.GA10309@terminus.rootprompt.net>
From: robert at rootprompt.net (Robert Banniza)
Subject: Re: Filtering sobig with postfix
Sorry if this has already been posted as I haven't read the full thread.
However, I'm blocking SoBig with the following entry in body_checks:
/(filename|name)=.*\.((doc|zip|exe|xls|jpg|gif|png|pdf)\.exe|bat|asd|chm|com|dll|hlp|hta|js|jse|lnk|ocx|pif|scr|shb|shs|vb|vbe|vbs|vxd|wsf|wsh)/
reject
Robert
On Thu, Aug 21, 2003 at 07:05:49AM -0500, vogt@...senet.com wrote:
> > Yep, as the OP is using postfix, he could use the
> > header_checks directive,
> > which can identify MIME headers, so he can easily stop this worm.
> > Just check for Content-Disposition header and block
> > everything with .pif in
> > filename.
>
> Thought about that, but doesn't quite work. The headers only say
> multipart/mime. The .pif part comes later in the attachment.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> ________________________________________________________________________
> This email has been scanned for all viruses by the MessageLabs Email
> Security System. For more information on a proactive email security
> service working around the clock, around the globe, visit
> http://www.messagelabs.com
> ________________________________________________________________________
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
Powered by blists - more mailing lists