What the standard regexp looks for is on one line:
Content-Type: application/octet-stream; name="spam-stats_040129_2258.zip"
but what I'm seeing is:
Content-Type: application/octet-stream;
name="spam-stats_040129_2258.zip"
so the filter doesn't catch it.
Len
At 09:41 PM 1/29/2004, you wrote:
>
>:)
>Just added to my filters.
>
>I added the content filter that was suggested the other day & block all but
>.zip normally.
>Just checked my norton filter & there were 10 copies of novarg blocked in
>.zip's today
>There were also a few copies of Dumaru blocked in .exe files though they
>should have been blocked. So this should be helpful.
>
>FYI 11,750 matches on the /^UEsDBAoAAAAAA/ filter today.
>
>Will let you know what I find on this new one.
>
>-----Original Message-----
>From: Len Conrad [mailto:[EMAIL PROTECTED]
>Sent: Thursday, January 29, 2004 9:01 PM
>To: [EMAIL PROTECTED]
>Subject: [IMGate] Re: what's getting through
>
>
>Anybody here today? :))
>
>ok, I can say after a few hours that the following regex picked up 200+
>attachments that weren't being caught, body_checks.regexp:
>
>/name=.*\.((exe|ex_|eml|scr|pif|bat|shs|shb|vxd|rm|chm|vbs|ini|cmd|hta|reg|lnk|js|jse))/
>REJECT Interdicted file attachment of type "filename .$1"
>
>yep, not BOL-anchored (these lines start with " ") and no MIME header BOL
>of ^content, either.
>
>note: that "=.*" in place of the filename is dangerous, and I had to remove
>"com" and "net" from the (match) because it was picking up www.domain.com
>and URL crap in HTML.
>
>
>it gives rejects like:
>
>Jan 29 21:06:18 mx1 postfix/cleanup[87173]: 39AAC2A877: reject: body
>?name="text_pif" from mail.xxxxx.com[xxxx]; from=<> to=<[EMAIL PROTECTED]>
>proto=ESMTP helo=<mail.xxx.com>: Interdicted file attachment of type
>"filename_pif"
>
>I'd like some of you to try that regex, putting it at the end of
>body_checks.regexp, so that all other regexes have their chance to catch
>them first.
>
>btw, if you're nervous, replace REJECT with WARNING, but be sure to use a
>unique msg txt so you can trace the maillog lines.
>
>Len
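The two messages above describe the same failure from both sides: a rule anchored to a `Content-Type:` line misses a folded header because `body_checks` sees one physical line at a time, while Len's unanchored `name=` rule still fires on the continuation line, at the cost of the `=.*` false positives he mentions. The script below is an added illustration, not code from the IMGate thread or from Postfix: it runs both styles of rule line by line over constructed headers, then shows that unfolding the headers (RFC 2822 continuation lines joined to the previous line) lets the anchored rule catch the folded case too. The "standard" anchored pattern, the `(?![A-Za-z0-9])` tail that stops `.js` from matching `.jsx`, and the `example.com` HTML line are assumptions of this example; the extension list is the one posted in the thread.

```python
"""Constructed demo: header folding vs. body_checks-style line matching."""
import re

# Extension list as posted in the thread (zip is handled by the site's own
# "standard" rule, so it is not in this list).
THREAD_EXTS = "exe|ex_|eml|scr|pif|bat|shs|shb|vxd|rm|chm|vbs|ini|cmd|hta|reg|lnk|js|jse"

# Assumed shape of a "standard" rule: anchored to the MIME header line, so the
# filename must sit on the same physical line as Content-Type/Disposition.
ANCHORED_RE = re.compile(
    r'^Content-(?:Type|Disposition):.*name="?[^"\s]*\.(zip|' + THREAD_EXTS + r')(?![A-Za-z0-9])',
    re.IGNORECASE,
)

# Len's rule from the thread, unanchored, plus an added tail so that the
# extension has to end the token (".js" must not match ".jsx").
UNANCHORED_RE = re.compile(r'name=.*\.(' + THREAD_EXTS + r')(?![A-Za-z0-9])', re.IGNORECASE)


def scan_lines(lines, rule):
    """Apply `rule` to each physical line, as body_checks does; return the
    matched extension (lowercased) or None."""
    for line in lines:
        m = rule.search(line)
        if m:
            return m.group(1).lower()
    return None


def unfold(lines):
    """RFC 2822 header unfolding: a line beginning with SP or HTAB is a
    continuation of the previous header line."""
    out = []
    for line in lines:
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def compare(lines):
    """Run all three strategies over one header block and report what each saw."""
    return {
        "anchored_per_line": scan_lines(lines, ANCHORED_RE),
        "unanchored_per_line": scan_lines(lines, UNANCHORED_RE),
        "anchored_unfolded": scan_lines(unfold(lines), ANCHORED_RE),
    }


# Constructed samples: the one-line form the standard rule expects, the folded
# form seen in the thread, a folded .pif, and an HTML line showing the
# false-positive side of "name=.*".
SINGLE_LINE = ['Content-Type: application/octet-stream; name="spam-stats_040129_2258.zip"']
FOLDED_ZIP = ["Content-Type: application/octet-stream;",
              ' name="spam-stats_040129_2258.zip"']
FOLDED_PIF = ["Content-Type: application/octet-stream;",
              ' name="text.pif"']
HTML_LINE = ['<a name="top" href="http://www.example.com/menu.js">home</a>']

if __name__ == "__main__":
    for label, block in (("single-line zip", SINGLE_LINE), ("folded zip", FOLDED_ZIP),
                         ("folded pif", FOLDED_PIF), ("html line", HTML_LINE)):
        print(f"{label:16} {compare(block)}")
```

Running it shows the trade-off in one table: the anchored rule catches the one-line zip and nothing folded; the unanchored rule catches the folded `.pif` but also the HTML `.js` link; unfolding first lets the anchored rule catch both folded headers without the HTML hit. Postfix `body_checks` cannot unfold for you, which is why the thread falls back to the unanchored rule with a WARNING action and a unique message text for tracing.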