Re: MyDoom-M evades attachment filters

["lsi" <stuart () cyberdelix net>]

Err, Pegasus Mail :)  (a free POP3 client)

Seriously..!  When I get some time I plan to add the exe and zip 
filters to SpamPal, which is a free Windows-based anti-spam POP3 
proxy that supports multiline regular expressions.  It has some virus-
specific base-64 sigs, but does not currently have the generic 
detection made possible by the 10-byte MIME string quoted earlier.

After some research, this appears to be the earliest and most 
comprehensive enunciation of the generic attachment filtering 
approach: http://qmail.plig.org/qmail-smtpd-viruscan-1.3.patch

That route is for larger networks with their own MTA.  I am shooting 
at a client-side POP3 solution for end-users (such as me) - and maybe 
a few small businesses here and there!

Spampal: http://www.spampal.org
Pegasus: http://www.pmail.com/

Stu

> what are you using for attachment filters?  my astaro attachment 
> filter is killing mydoom without one getting through.
>
> lsi wrote:
> > Since the first MyDoom (which appeared almost six months ago, to the 
> > day) I have been nice and snug behind my executable attachment 
> > filter.  And my zipfile attachment filter.  But then MyDoom-M slips 
> > past ....



---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192.168.0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html