lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20030823190121.GA10309@terminus.rootprompt.net>
From: robert at rootprompt.net (Robert Banniza)
Subject: Re: Filtering sobig with postfix

Sorry if this has already been posted as I haven't read the full thread.
However, I'm blocking SoBig with the following entry in body_checks:

/(filename|name)=.*\.((doc|zip|exe|xls|jpg|gif|png|pdf)\.exe|bat|asd|chm|com|dll|hlp|hta|js|jse|lnk|ocx|pif|scr|shb|shs|vb|vbe|vbs|vxd|wsf|wsh)/
reject 

Robert

On Thu, Aug 21, 2003 at 07:05:49AM -0500, vogt@...senet.com wrote:
> > Yep, as the OP is using postfix, he could use the 
> > header_checks directive,
> > which can identify MIME headers, so he can easily stop this worm.
> > Just check for Content-Disposition header and block 
> > everything with .pif in
> > filename.
> 
> Thought about that, but doesn't quite work. The headers only say
> multipart/mime. The .pif part comes later in the attachment.
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
> ________________________________________________________________________
> This email has been scanned for all viruses by the MessageLabs Email
> Security System. For more information on a proactive email security
> service working around the clock, around the globe, visit
> http://www.messagelabs.com
> ________________________________________________________________________
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ