Maybe it would be a good idea to apply that pattern only if there is a zip
file attachment.  Like this...

if /name=[^>]*\.zip[\'\"]/
  /^UEsDB....[Q-Za-fw-z0-9\+/]/ REJECT
endif

Would that work?  I forget if the MIME headers are part of the body_checks
or not?

Bill


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Keith Woodworth
Sent: Wednesday, March 03, 2004 7:27 PM
To: [EMAIL PROTECTED]
Subject: [IMGate] Re: dealing with w32/bagle (fwd)



============================
| What follows are the base64 encoded strings. I have put an asterisk
| between the first and second character, so my own filters won't reject
| this message, do remove that before using...
|
| U*EsDBAoAAAAAA   <= Matches unencrypted ZIP file
| U*EsDBAoAAQAAA   <= Matches encrypted version.

Hi,

That'll get the current bagle strains, but the thing could mutate further,
setting some of the initial zip header fields differently.

As of today we're blocking all possible encrypted zips, not just bagles,
with this reg-exp:

  UEsDB....[Q-Za-fw-z0-9\+/]

checking the start of attachments.  Derivation below for anyone who cares.

---------------------------------------------------------------------


According to the zip spec (http://www.idcnet.us/zip/zip-format.txt)

- The zip header has first four bytes hex = 50 4b 03 04

- The "encrypted" flag is first bit of the 7th byte

Doing the maths:

Hex     50       4b       03       04       X        X        bit0set  X
Binary  01010000 01001011 00000011 00000100 xxxxxxxx xxxxxxxx xxxxxxx1 xxxxxxxx
6bits:  010100 000100 101100 000011 000001 00xxxx xxxxxx xxxxxx xxxxxx x1xxxx
Dec:    20     4      44     3      1      0-15   .      .      .      16-31, 48-63
Base64  U      E      s      D      B      A-P    .      .      .      Q-Za-fw-z0-9+/


Regexp: UEsDB....[Q-Za-fw-z0-9\+/]


=======================

Someone posted this on another list about blocking all the ZIP's that are
encrypted and thought some of you might find this useful here.
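The derivation above can be checked mechanically. What follows is an added example, not code from this list or from the forwarded post: a small Python script that builds constructed zip local file headers (signature, "version needed", general purpose bit flag), shows the first base64 line each one produces, tests those lines against the regex quoted above, and generalises the hand derivation to any flag bit at any byte offset so the character class can be recomputed rather than trusted. The function names, the sample message lines and the header values are the example's own.

```python
"""Check base64 attachment bodies for zip local file headers with the
encryption flag set (regex from the forwarded derivation).  Added example;
the headers and message lines below are constructed for the demo."""
import base64
import re
import struct
from typing import List, Tuple

B64_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "abcdefghijklmnopqrstuvwxyz0123456789+/")

# Regex quoted on the list: base64 of "PK\x03\x04" + two version bytes +
# a general purpose flag word whose bit 0 (encryption) is set.  It is
# applied with re.match, i.e. at the start of a base64 line.
ENCRYPTED_ZIP_B64 = re.compile(r"UEsDB....[Q-Za-fw-z0-9\+/]")


def zip_local_header(version_needed: int, flags: int) -> bytes:
    """First 8 bytes of a zip local file header, all fields little-endian:
    signature 50 4b 03 04, 'version needed to extract', general purpose flag."""
    return struct.pack("<IHH", 0x04034B50, version_needed, flags)


def b64_first_line(data: bytes) -> str:
    """What the first base64 line of an attachment carrying `data` looks like."""
    return base64.b64encode(data).decode("ascii")


def flag_bit_char_class(byte_offset: int, bit: int) -> Tuple[int, str]:
    """Generalisation of the hand derivation.  For a flag at `byte_offset`,
    bit `bit` (0 = least significant), return the 0-based index of the base64
    character that carries that bit and every base64 character in which the
    bit is set.  (6, 0) reproduces the column and class from the post."""
    stream_pos = byte_offset * 8 + (7 - bit)   # position in the MSB-first bit stream
    group = stream_pos // 6                    # which 6-bit group / output character
    mask = 1 << (5 - stream_pos % 6)           # the bit inside that group
    chars = "".join(c for v, c in enumerate(B64_ALPHABET) if v & mask)
    return group, chars


def is_encrypted_zip_line(line: str) -> bool:
    """True if `line` starts with the base64 of an encrypted zip local header."""
    return ENCRYPTED_ZIP_B64.match(line) is not None


def scan_body(lines: List[str]) -> List[int]:
    """1-based numbers of the body lines whose start matches the regex."""
    return [i for i, line in enumerate(lines, 1) if is_encrypted_zip_line(line)]


# Constructed message body: a MIME part header, then the first base64 line of
# three different zip attachments.
SAMPLE_BODY = [
    'Content-Type: application/zip; name="report.zip"',
    "Content-Transfer-Encoding: base64",
    "",
    b64_first_line(zip_local_header(10, 0x0000)),  # plain zip, version 1.0
    b64_first_line(zip_local_header(20, 0x0009)),  # encrypted + data descriptor, v2.0
    b64_first_line(zip_local_header(10, 0x0001)),  # encrypted, same prefix as U*EsDBAoAAQAAA
]

if __name__ == "__main__":
    for n, line in enumerate(SAMPLE_BODY, 1):
        print(f"{n}: {line!r:24} encrypted-zip={is_encrypted_zip_line(line)}")
    col, cls = flag_bit_char_class(6, 0)
    print(f"encryption bit lands in base64 character #{col + 1}, class [{cls}]")
```

The plain header encodes as `UEsDBAoAAAA=` and is not matched; the two encrypted ones encode as `UEsDBBQACQA=` and `UEsDBAoAAQA=` and are, because their 10th character carries the flag bit and falls in `Q-Za-fw-z0-9+/`. `flag_bit_char_class(6, 0)` returns that same class, which is the check worth keeping if the regex is ever adapted to another header field.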
