I just put this in as a WARNING on my body checks. Will let you know what shakes out in a little bit.
I have not noticed anything getting by much since Monday evening. Just an occasional Klez and a few older ones.

DustyC

At 09:01 PM 1/29/2004, you wrote:
>Anybody here today? :))
>
>ok, I can say after a few hours that the following regex picked up 200+
>attachments that weren't being caught, body_checks.regexp:
>
>/name=.*\.((exe|ex_|eml|scr|pif|bat|shs|shb|vxd|rm|chm|vbs|ini|cmd|hta|reg|lnk|js|jse))/
>
>
>REJECT Interdicted file attachment of type "filename .$1"
>
>yep, not BOL-anchored (these lines start with " ") and no MIME header BOL
>of ^content, either.
>
>note: that "=.*" in place of the filename is dangerous, and I had to remove
>"com" and "net" from the (match) because it was picking up www.domain.com
>and URL crap in HTML.
>
>
>it gives rejects like:
>
>Jan 29 21:06:18 mx1 postfix/cleanup[87173]: 39AAC2A877: reject: body
>?name="text_pif" from mail.xxxxx.com[xxxx]; from=<> to=<[EMAIL PROTECTED]>
>proto=ESMTP helo=<mail.xxx.com>: Interdicted file attachment of type
>"filename_pif"
>
>I'd like some of you to try that regex, putting it at the end of
>body_checks.regexp, so that all other regex's have their chance to
>catch them first.
>
>btw, if you're nervous, replace REJECT with WARNING, but be sure to use a
>unique msg txt so you can trace the maillog lines.
>
>Len
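
An added example, not part of either message: a small harness that runs the posted rule over constructed body lines to show where the unanchored "=.*" over-matches, including the "com"/"net" case described above. Python's re module stands in for the Postfix regexp table, and BOUNDED is a hypothetical tighter rule that nobody in the thread proposed.

```python
import re

# Extension list exactly as posted in the thread.
EXTS = "exe|ex_|eml|scr|pif|bat|shs|shb|vxd|rm|chm|vbs|ini|cmd|hta|reg|lnk|js|jse"

# Postfix regexp: tables match case-insensitively by default, hence re.I.
POSTED = re.compile(r"name=.*\.((%s))" % EXTS, re.I)
# The same rule before "com" and "net" were removed from the list.
WITH_COM_NET = re.compile(r"name=.*\.((%s|com|net))" % EXTS, re.I)
# Hypothetical tighter rule (not from the thread): the extension must end the
# name= value itself, and the value may not run past a quote or into HTML.
BOUNDED = re.compile(r'name="?[^"<>]*\.(%s)"?\s*;?\s*$' % EXTS, re.I)

# Constructed sample body lines (not taken from any real mail log).
SAMPLES = [
    '\tname="document.pif"',
    ' filename="report.doc.scr"',
    ' NAME="PHOTO.SCR"',
    '\tname="notes.txt"',
    '<img name="logo" src="http://www.domain.com/logo.gif">',
    '<a name="top" href="http://example.org/menu.js">',
    '<input name=q value="www.regional.example">',
]

def hits(pattern, lines=SAMPLES):
    """Return the lines on which a body_checks rule would fire."""
    return [line for line in lines if pattern.search(line)]

def report():
    """Print each sample line with the names of the rules that match it."""
    rules = (("posted", POSTED), ("with-com-net", WITH_COM_NET),
             ("bounded", BOUNDED))
    for line in SAMPLES:
        flags = [name for name, p in rules if p.search(line)]
        print("%-58r %s" % (line, ", ".join(flags) or "-"))

if __name__ == "__main__":
    report()
```

The posted rule still fires on the last two HTML lines because nothing ties the extension to the end of the name= value (".reg" matches inside ".regional"), which is the reason to run it as WARNING with a unique message before switching to REJECT.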
