Len Conrad wrote:

>>I'm testing the following based on the two I received:
>>
>>/^R0lGODlhaAA7APcAAP\/\/\/\+rp6puSp6GZrDUjUUc6Zn53mFJMdbGvvVtXh2xre8bF1x8cU4yLprOy/
>>
>>REJECT
>
> Michael Tokarev suggests all Win executables are blocked with:
>
> #windows executables
> |^TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|i
> REJECT Windows executable
>
> Note the regex is delimited with | since / is used within the string.
I've seen that mentioned a few times. In the two Swen mails I received, I didn't see that string. Not sure why, though--encoding? I have had two rejects so far on my regexp above.

Also, it looks like they use the following (at BOL, but I've indented it to hopefully prevent rejections in case anyone is filtering this):

    Content-type: application/x-msdownload; name=[filename]

where [filename] is the name of the attachment, so you could probably also block on 'Content-type: application/x-msdownload; name=Qdfkx.exe' in a body filter. I'm switching to this since it may be less likely to change even if the payload does.

--
Chris Scott
Host Orlando, Inc
http://www.hostorlando.com/
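As an added example that is not part of the thread, the following Python reconstructs what these line-oriented body rules key on: the long "TVqQ..." line is just the base64 encoding of the first 57 bytes of the MS-DOS stub that opens every Win32 executable (57 bytes fill one 76-character base64 line), and "R0lGODlh" is the base64 of "GIF89a", so Len's rule matches one specific GIF rather than executables. The MIME fragments and the filename are constructed samples, not captured Swen mail.

```python
import base64
import re

# Len Conrad's rule, as posted: base64 beginning with the bytes of one specific GIF.
GIF_RULE = r"^R0lGODlhaAA7APcAAP\/\/\/\+rp6puSp6GZrDUjUUc6Zn53mFJMdbGvvVtXh2xre8bF1x8cU4yLprOy/"

# First 57 bytes of the standard MS-DOS stub header (MZ signature, the usual
# stub fields, then zero padding).  57 bytes encode to exactly one 76-character
# base64 line, which is why Michael Tokarev's rule begins "TVqQAAMAAAAEAAAA".
DOS_STUB_57 = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
               b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00" + b"\x00" * 29)
PE_B64_LINE = base64.b64encode(DOS_STUB_57).decode()

RULES = [
    (re.compile(GIF_RULE), "REJECT"),
    (re.compile("^" + re.escape(PE_B64_LINE), re.IGNORECASE), "REJECT Windows executable"),
    # Chris Scott's alternative: key on the MIME part header instead of the payload.
    (re.compile(r"^Content-type: application/x-msdownload; name=", re.IGNORECASE),
     "REJECT Windows executable"),
]


def decode_prefix(b64_prefix):
    """Show which file bytes a base64 rule keys on (drops a trailing partial group)."""
    usable = b64_prefix[: len(b64_prefix) - len(b64_prefix) % 4]
    return base64.b64decode(usable)


def scan_message(text):
    """Apply the rules to each line in turn, like a line-oriented body filter.

    Returns (action, matched line) for the first hit, or None if nothing matched.
    """
    for line in text.splitlines():
        for pattern, action in RULES:
            if pattern.search(line):
                return action, line
    return None


# Constructed sample MIME fragments (not real captured mail).
SAMPLE_WITH_HEADER = "\r\n".join([
    "Content-Type: application/x-msdownload; name=Qdfkx.exe",
    "Content-Transfer-Encoding: base64", "", PE_B64_LINE, ""])
SAMPLE_PAYLOAD_ONLY = "\r\n".join([
    "Content-Type: application/octet-stream; name=attachment.dat",
    "Content-Transfer-Encoding: base64", "", PE_B64_LINE, ""])
SAMPLE_CLEAN = "Hello,\r\nthe report is attached as plain text.\r\n"

if __name__ == "__main__":
    print(decode_prefix("R0lGODlh"), decode_prefix("TVqQAAMAAAAEAAAA"))
    for sample in (SAMPLE_WITH_HEADER, SAMPLE_PAYLOAD_ONLY, SAMPLE_CLEAN):
        print(scan_message(sample))
```

The second sample shows why the payload rule still earns its keep: a sender that relabels the part as application/octet-stream slips past the header rule but not the MZ-stub line.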
