Normally, I wouldn't bother with looking too closely at content scanning, 
but there is so much this week, it's pretty easy.

While IMGate does stop a lot of (zip|pif|etc) attachments, it's clear that 
my AV box is still picking up quite a few that get through.

I've tried to see how these are getting through IMGate, by bcc'ing the traffic 
to a file and filtering only for "^content" and "name=".

I really can't see any leaking through, so does anybody have any idea how 
they are getting through?

What I have found in my capture file:

Content-Type: application/octet-stream;
         name="document_exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
         filename="document_exe"
Content-Type: application/octet-stream;
         name="uygjcl_scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
         filename="uygjcl_scr"

ie, the file name is on a separate line, meaning a regex for a single line:

/^Content.*name=.*.(exe|etc)/  DISCARD

.... would miss them.

So what would also be needed is a regex like this:

/^______.*name=.*\.((htm|html|exe|ex_|eml|dll|scr|pif|com|bat|shs|shb|vxd|rm|chm|vbs|ini|cmd|do|hta|reg|lnk|js|jse|net))/
DISCARD Interdicted attachment type "filename.$1"

OK, that wraps but it starts:

/^______.*name=.*\.(ext)/

ie, with 6 leading spaces, where "_" is replaced by " ".

But my regex isn't working.  Comments?

When I removed the anchored leading spaces, it works, but I think the "?" 
represents a non-printable character that is there:

Jan 29 14:34:42 mx1 postfix/cleanup[61631]: 199FE2A82F: reject: body 
?name="document.scr" from mail.xxxl.com[xxxxxxxx]; from=<> 
to=<[EMAIL PROTECTED]> proto=ESMTP helo=<mail.ewol.com>: Interdicted file 
attachment of type "filename.scr"

I'd really like to anchor the leading spaces lines:

         name="uygjcl_scr"

but there's something before "name" that blocks the match. Ideas?


Len 
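To illustrate the folding problem described in this post, here is an added example (not from the original message or from IMGate/Postfix): it runs a six-space-anchored pattern and a whitespace-tolerant one over constructed header lines, on the assumption that the non-printable character before "name" is a tab.

```python
import re

# Constructed sample of folded MIME headers as they would appear in a bcc'd
# capture. The first continuation line is indented with spaces, the second
# with a single tab (an assumption about the "?" seen in the reject log).
SAMPLE_LINES = [
    'Content-Type: application/octet-stream;',
    '         name="document.exe"',
    'Content-Transfer-Encoding: base64',
    'Content-Disposition: attachment;',
    '\tfilename="uygjcl.scr"',
    'Content-Type: text/plain;',
    '         name="notes.txt"',
]

# Extension list taken from the post (trimmed); it is capture group 1 below.
BLOCKED = r'(exe|ex_|scr|pif|com|bat|vbs|js|jse|cmd|hta|reg|lnk|shs|shb|vxd|chm|dll)'

# Anchored on exactly six literal spaces, as in the original attempt.
SPACES_ONLY = re.compile(r'^      .*name=.*\.' + BLOCKED + r'"?$', re.I)

# Accepts any run of folding whitespace (space or tab) at the start of the line.
# Equivalent Postfix body_checks (pcre) entry would be:
#   /^[ \t]+.*name=.*\.(exe|...)"?$/ REJECT Interdicted file attachment "filename.$1"
ANY_WS = re.compile(r'^[ \t]+.*name=.*\.' + BLOCKED + r'"?$', re.I)


def interdicted(lines, pattern):
    """Return (attachment name, extension) for every line `pattern` matches.

    Each line is tested on its own, which is also how Postfix body_checks
    works: a filename on a continuation line must be caught by a pattern
    that matches that continuation line by itself.
    """
    hits = []
    for line in lines:
        m = pattern.search(line)
        if m:
            name = re.search(r'name="?([^"]+)"?', line, re.I).group(1)
            hits.append((name, m.group(1).lower()))
    return hits


if __name__ == '__main__':
    print('six spaces only:', interdicted(SAMPLE_LINES, SPACES_ONLY))
    print('space or tab:   ', interdicted(SAMPLE_LINES, ANY_WS))
```

The tab-folded .scr line is missed by the space-only anchor and caught once the anchor allows either space or tab.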
