
Full Disclosure mailing list archives

Re: MyDoom-M evades attachment filters
From: "lsi" <stuart () cyberdelix net>
Date: Thu, 29 Jul 2004 10:38:41 +0100

Err, Pegasus Mail :)  (a free POP3 client)

Seriously..!  When I get some time I plan to add the exe and zip 
filters to SpamPal, which is a free Windows-based anti-spam POP3 
proxy that supports multiline regular expressions.  It has some virus-
specific base-64 sigs, but does not currently have the generic 
detection made possible by the 10-byte MIME string quoted earlier.

After some research, this appears to be the earliest and most 
comprehensive enunciation of the generic attachment filtering 
approach: http://qmail.plig.org/qmail-smtpd-viruscan-1.3.patch

That route is for larger networks with their own MTA.  I am shooting 
at a client-side POP3 solution for end-users (such as me) - and maybe 
a few small businesses here and there!

Spampal: http://www.spampal.org
Pegasus: http://www.pmail.com/

Stu

what are you using for attachment filters?  my astaro attachment 
filter is killing mydoom without one getting through.

lsi wrote:
Since the first MyDoom (which appeared almost six months ago, to the 
day) I have been nice and snug behind my executable attachment 
filter.  And my zipfile attachment filter.  But then MyDoom-M slips 
past ....



---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192.168.0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
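
An added example, not part of the original message and not SpamPal or qmail code: content-based attachment filtering of the kind discussed above, written in Python. It decodes each MIME part and checks the leading magic bytes rather than matching the base-64 signature string the message refers to (that string is not reproduced on this page); the function names and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading magic bytes for the two attachment classes filtered in the thread.
MAGIC = {b"MZ": "exe", b"PK\x03\x04": "zip"}

def classify(payload: bytes):
    """Return 'exe' or 'zip' if the decoded payload starts with that magic."""
    for magic, kind in MAGIC.items():
        if payload.startswith(magic):
            return kind
    return None

def scan_message(raw: bytes):
    """List (filename, declared type, detected kind) for each flagged part."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        # decode=True undoes base64/quoted-printable, so the check sees the
        # real file bytes whatever the filename or Content-Type claims.
        payload = part.get_payload(decode=True) or b""
        kind = classify(payload)
        if kind:
            hits.append((part.get_filename(), part.get_content_type(), kind))
    return hits

def build_sample() -> bytes:
    """Constructed test message: two disguised attachments, one benign."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="image",
                       subtype="gif", filename="photo.gif")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 26, maintype="application",
                       subtype="octet-stream", filename="notes.dat")
    msg.add_attachment(b"hello world\n", maintype="application",
                       subtype="octet-stream", filename="hello.bin")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, declared, kind in scan_message(build_sample()):
        print(f"BLOCK {name}: declared {declared}, content is {kind}")
```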

