Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Re: Filtering sobig with postfix

From: Robert Banniza <robert () rootprompt net>
Date: Sat, 23 Aug 2003 14:01:21 -0500
Sorry if this has already been posted as I haven't read the full thread.
However, I'm blocking SoBig with the following entry in body_checks:

/(filename|name)=.*\.((doc|zip|exe|xls|jpg|gif|png|pdf)\.exe|bat|asd|chm|com|dll|hlp|hta|js|jse|lnk|ocx|pif|scr|shb|shs|vb|vbe|vbs|vxd|wsf|wsh)/
reject 

Robert

On Thu, Aug 21, 2003 at 07:05:49AM -0500, vogt () hansenet com wrote:

Yep, as the OP is using postfix, he could use the 
header_checks directive,
which can identify MIME headers, so he can easily stop this worm.
Just check for Content-Disposition header and block 
everything with .pif in
filename.


Thought about that, but doesn't quite work. The headers only say
multipart/mime. The .pif part comes later in the attachment.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs Email
Security System. For more information on a proactive email security
service working around the clock, around the globe, visit
http://www.messagelabs.com
________________________________________________________________________

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: