:)
Just added to my filters.

I added the content filter that was suggested the other day & block all but
.zip normally.
Just checked my norton filter & there were 10 copies of novarg blocked in
.zip's today
There were also a few copies of Dumaru blocked in .exe files though they
should have been blocked. So this should be helpful.

FYI 11,750 matches on the /^UEsDBAoAAAAAA/ filter today.

Will let you know what I find on this new one.

-----Original Message-----
From: Len Conrad [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 29, 2004 9:01 PM
To: [EMAIL PROTECTED]
Subject: [IMGate] Re: what's getting through


Anybody here today?  :))

ok, I can say after a few hours that the following regex picked up 200+
attachments that weren't being caught, body_checks.regexp:

/name=.*\.((exe|ex_|eml|scr|pif|bat|shs|shb|vxd|rm|chm|vbs|ini|cmd|hta|reg|lnk|js|jse))/ REJECT Interdicted file attachment of type "filename .$1"

yep, not BOL-anchored (these lines start with "    ") and no MIME header BOL
of ^content, either.

note: that "=.*" in place of the filename is dangerous, and I had to remove
"com" and "net" from the (match) because it was picking up www.domain.com
and URL crap in HTML.


it gives rejects like:

Jan 29 21:06:18 mx1 postfix/cleanup[87173]: 39AAC2A877: reject: body
?name="text_pif" from mail.xxxxx.com[xxxx]; from=<> to=<[EMAIL PROTECTED]>
proto=ESMTP helo=<mail.xxx.com>: Interdicted file attachment of type
"filename_pif"

I'd like some of you to try that regex, putting it at the end of
body_checks.regexp, so that all other regexes have their chance to catch
them first.

btw, if you're nervous, replace REJECT with WARNING, but be sure to use a
unique msg txt so you can trace the maillog lines.

Len 
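Added here as a worked example (not code from this thread or from IMGate): a Python emulation of the two rules discussed above, Len's per-line body_checks regex and the /^UEsDBAoAAAAAA/ base64 ZIP prefix, run over constructed body lines to show the .pif hit, the www.domain.com false positive that the "com"/"net" alternatives caused, and why an unanchored "=.*" fires on ordinary HTML. Pattern names, the sample lines and the derivation of the ZIP prefix from header bytes are my assumptions.

```python
import base64
import re

# Len's body_checks rule from the thread (the mail wrap inside "lnk" rejoined).
# Postfix applies body_checks to each body line, so this is a per-line search.
BLOCKED_EXT = "exe|ex_|eml|scr|pif|bat|shs|shb|vxd|rm|chm|vbs|ini|cmd|hta|reg|lnk|js|jse"
ATTACHMENT_RE = re.compile(r"name=.*\.((%s))" % BLOCKED_EXT, re.IGNORECASE)

# The same rule with "com" and "net" still in the alternation, to reproduce the
# www.domain.com false positive Len describes.
OVERBROAD_RE = re.compile(r"name=.*\.((%s|com|net))" % BLOCKED_EXT, re.IGNORECASE)

# The /^UEsDBAoAAAAAA/ filter is the base64 of a ZIP local-file header with
# version 1.0, no flags and method 0 (stored). Derived from the bytes, not typed in.
ZIP_STORED_HEADER = b"PK\x03\x04\x0a\x00\x00\x00\x00\x00"
ZIP_B64_PREFIX = base64.b64encode(ZIP_STORED_HEADER).decode()[:13]  # "UEsDBAoAAAAAA"


def body_check(line, pattern=ATTACHMENT_RE):
    """Emulate one body_checks pass over a single body line.

    Returns the text the REJECT would log, or None when no rule fires.
    """
    if line.startswith(ZIP_B64_PREFIX):
        return "base64 ZIP attachment (stored, version 1.0)"
    m = pattern.search(line)
    if m:
        return 'Interdicted file attachment of type "filename .%s"' % m.group(1).lower()
    return None


# Constructed sample body lines (not taken from the thread's mail logs).
PIF_LINE = '    name="text_pif.pif"'                       # MIME parameter, indented as Len notes
ZIP_LINE = base64.b64encode(ZIP_STORED_HEADER + b"\x00" * 24).decode()  # stored ZIP body
URL_LINE = '<a href="http://www.domain.com/?name=x">www.domain.com</a>'  # HTML with a URL
FORM_LINE = '<input name="q" value="see setup.exe">'      # why "=.*" is dangerous
TXT_LINE = 'Content-Disposition: attachment; filename="report.txt"'


def demo():
    """Run the constructed lines through both rule variants."""
    return {
        "pif": body_check(PIF_LINE),
        "zip": body_check(ZIP_LINE),
        "url_trimmed": body_check(URL_LINE),             # None once com/net are removed
        "url_overbroad": body_check(URL_LINE, OVERBROAD_RE),
        "form": body_check(FORM_LINE),                   # fires on plain HTML, no attachment
        "txt": body_check(TXT_LINE),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```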

