Thanks for the info. Where does this reg exp go? Header checks? Body checks?
Is this reg exp tied to a specific version of postfix? Thanks for your help.

----- Original Message -----
From: "Keith Woodworth" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 03, 2004 6:26 PM
Subject: [IMGate] Re: dealing with w32/bagle (fwd)

> ============================
> | What follows are the base64 encoded strings. I have put an asterisk
> | between the first and second character, so my own filters won't reject
> | this message, do remove that before using...
> |
> | U*EsDBAoAAAAAA <= Matches unencrypted ZIP file
> | U*EsDBAoAAQAAA <= Matches encrypted version.
>
> Hi,
>
> That'll get the current bagle strains, but the thing could mutate further,
> setting some of the initial zip header fields differently.
>
> As of today we're blocking all possible encrypted zips, not just bagles,
> with this reg-exp:
>
>     UEsDB....[Q-Za-fw-z0-9\+/]
>
> checking the start of attachments. Derivation below for anyone who cares.
>
> ---------------------------------------------------------------------
>
> According to the zip spec (http://www.idcnet.us/zip/zip-format.txt)
>
> - The zip header has first four bytes hex = 50 4b 03 04
>
> - The "encrypted" flag is first bit of the 7th byte
>
> Doing the maths:
>
> Hex     50       4b       03       04       X        X        bit0set  X
> Binary  01010000 01001011 00000011 00000100 xxxxxxxx xxxxxxxx xxxxxxx1 xxxxxxxx
>
> 6bits:  010100 000100 101100 000011 000001 00xxxx xxxxxx xxxxxx xxxxxx x1xxxx
> Dec:    20     4      44     3      1      0-15   .      .      .      16-31, 48-63
> Base64  U      E      s      D      B      A-P    .      .      .      Q-Za-fw-z0-9+/
>
> Regexp: UEsDB....[Q-Za-fw-z0-9\+/]
>
> =======================
>
> Someone posted this on another list about blocking all the ZIP's that are
> encrypted and thought some of you might find this useful here.
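As an added worked example (not from the original post, Keith's list, or the IMGate project), the Python below builds ZIP local file headers with the encryption bit set and clear, base64-encodes them the way a MIME attachment body starts, and runs the quoted regexp against them. The header builder, the flag values and the zero-filled trailing fields are constructed test data, not captured Bagle samples. The exhaustive loop goes beyond the two strings in the quoted message: it tries every 16-bit general-purpose flag value with several "version needed" values and confirms the pattern fires on exactly bit 0, which is the generalisation the derivation claims.

```python
import base64
import re
import struct

# The pattern from the quoted message, tested against the first base64
# characters of an attachment. The 10th character carries bit 0 (the
# encryption bit) of the general-purpose flag field, hence the class.
ENCRYPTED_ZIP_RE = re.compile(r"^UEsDB....[Q-Za-fw-z0-9\+/]")


def local_file_header(flags: int, version: int = 20, method: int = 8) -> bytes:
    """Build a 30-byte ZIP local file header (signature 50 4b 03 04).

    Constructed test data: the fields after the compression method are zeroed
    because only the first ten bytes influence the first ten base64 characters.
    """
    return struct.pack(
        "<4sHHHHHIIIHH",
        b"PK\x03\x04",  # local file header signature
        version,        # version needed to extract
        flags,          # general purpose bit flag; bit 0 set = encrypted
        method,         # compression method (0 = stored, 8 = deflate)
        0, 0,           # last mod file time / date
        0,              # crc-32
        0, 0,           # compressed size / uncompressed size
        0, 0,           # file name length / extra field length
    )


def encode_attachment(data: bytes) -> str:
    """Base64-encode raw attachment bytes as the start of a MIME body part."""
    return base64.b64encode(data).decode("ascii")


def looks_like_encrypted_zip(data: bytes) -> bool:
    """Apply the regexp to the start of the encoded attachment."""
    return ENCRYPTED_ZIP_RE.match(encode_attachment(data)) is not None


def exhaustive_check(versions=(10, 20, 45)) -> tuple:
    """Try every 16-bit flag value with several 'version needed' values and
    count disagreements between the regexp and the encryption bit itself.

    Returns (missed_encrypted, false_alarms); (0, 0) means the regexp keys on
    exactly bit 0 and ignores the other header fields a new strain might vary.
    """
    missed = false_alarms = 0
    for version in versions:
        for flags in range(0x10000):
            encrypted = bool(flags & 1)
            hit = looks_like_encrypted_zip(local_file_header(flags, version))
            if encrypted and not hit:
                missed += 1
            elif hit and not encrypted:
                false_alarms += 1
    return missed, false_alarms


if __name__ == "__main__":
    # A stored (method 0), version-10 archive reproduces the two prefixes
    # given in the quoted message.
    for label, flags in (("plain", 0), ("encrypted", 1)):
        hdr = local_file_header(flags, version=10, method=0)
        print(label, encode_attachment(hdr)[:13], looks_like_encrypted_zip(hdr))
    print("exhaustive check (missed, false alarms):", exhaustive_check())
```

With a stored, version-10 header the first 13 encoded characters come out as UEsDBAoAAAAAA and UEsDBAoAAQAAA, the same strings the quoted message lists, and the exhaustive check returns (0, 0). The pattern only works where the archive is the first byte of a base64 body part; a ZIP wrapped in another encoding is not covered by it.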
