This is what I'm using for blocking executable files and it seems to work well...

/etc/postfix/main.cf:
    mime_header_checks = pcre:/etc/postfix/mime_header_checks.regexp

/etc/postfix/mime_header_checks.regexp:
    /name=[^>]*\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|url|vb|vbe|vbs|wsc|wsf|wsh)[\'\"]/ REJECT ACL mime_banned_file

Bill

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Gerry Massat
Sent: Wednesday, February 25, 2004 10:12 PM
To: [EMAIL PROTECTED]
Subject: [IMGate] Re: Netsky.C

Cybertime Hostmaster wrote:

>The newest rage in viri, Netsky.C, hit one of the machines here. Just a
>heads up on this little bugger:
>
>http://www.sarc.com/avcenter/venc/data/[EMAIL PROTECTED]
>
>It went past the anti-virus until there was an update made specifically
>for it.
>
>It put 8010 copies of itself on the infected machine.
>
>And it mass mails like nuts.
>
> (snip)
>Anyone found a good body check for this one yet?
>
>--Eric
>

According to sarc-
'Name of attachment <http://securityresponse.symantec.com/avcenter/refa.html#name>: varies with .com, .exe, .pif, or .scr file extension'

Are you rejecting executable attachments?

I've been using this in header_checks.regexp-

    /^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(ad[ep]|ba[st]|chm|cmd|com|cpl|crt|dll|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[betw]|ms[cipt]|nws|ocx|ops|pcd|p[ir]f|reg|sc[frt]|sh[bsm]|swf|vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x REJECT Attachment name "$2" not accepted with ".$3" extension

and Len's checks that came in body_checks.regexp- for example:

    /^(content.*[[:space:]]+|[[:space:]]*)(filename|name)=".*\.(htm|html|exe|EXE|ex_|EX_|eml|dll|scr|pif|com|bat|shs|shb|vxd|rm|chm|vbs|ini|cmd|do|hta|reg|lnk|js|jse|net)"/ HOLD REJECT Body filter 3

Notice the hold- there are other tests in body_checks.regexp, and so far nothing has been held. The header checks seem to catch everything.

Gerry.
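
An added example, not part of the original thread: a Python check that runs the two header patterns quoted above (the mime_header_checks rule and the header_checks rule) over constructed MIME headers to show which header forms each rule rejects. Python's re module stands in for Postfix's PCRE engine, and the sample headers, labels and function names are assumptions made for illustration.

```python
import re

# Patterns copied from the two messages above. Assumption: Python's re stands
# in for Postfix's PCRE engine; IGNORECASE and DOTALL mirror the pcre table
# defaults, VERBOSE mirrors the /x flag on the second rule.
BILL = re.compile(
    r"name=[^>]*\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp"
    r"|js|jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|url|vb|vbe"
    r"|vbs|wsc|wsf|wsh)['\"]", re.IGNORECASE | re.DOTALL)
GERRY = re.compile(
    r"""^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(ad[ep]|ba[st]|chm
    |cmd|com|cpl|crt|dll|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[betw]|ms[cipt]
    |nws|ocx|ops|pcd|p[ir]f|reg|sc[frt]|sh[bsm]|swf|vb[esx]?|vxd|ws[cfh]))
    (\?=)?"?\s*(;|$)""", re.IGNORECASE | re.DOTALL | re.VERBOSE)

# Constructed sample headers (not taken from real mail).
SAMPLES = {
    "quoted": 'Content-Type: application/octet-stream; name="document.pif"',
    "unquoted_upper": "Content-Disposition: attachment; filename=UPDATE.EXE",
    "folded": 'Content-Type: application/x-msdownload;\n\tname="readme.scr"',
    "benign": 'Content-Type: image/jpeg; name="holiday.jpg"',
}

def logical_headers(raw):
    """Join folded continuation lines so each header is matched as one string."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line   # keep the fold inside the header
        else:
            headers.append(line)
    return headers

def verdicts(raw):
    """Return {rule: True if any logical header would hit that rule's REJECT}."""
    hdrs = logical_headers(raw)
    return {name: any(rx.search(h) for h in hdrs)
            for name, rx in (("bill", BILL), ("gerry", GERRY))}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:15} {verdicts(raw)}")
```

The unquoted_upper sample is the row worth checking in your own rule set: the first pattern requires a closing quote after the extension, while the second makes the quote optional.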
