Sorry, I should have been more specific. I have the virus in a file called
Message.zip and I'm trying to stop it by the file name of the attachment;
neither of these seems to work. Additionally, after updating the
body_checks.regexp file, do I need to postmap or something else? (I have
thought so in the past.) Just in case I'm being really stupid:

Thanks

/^Content-Disposition: attachment; filename="Message\.zip"/ REJECT
Attachment name
/^(content.*[[:space:]]+|[[:space:]]*)(filename|name)="Message\.zip"/ REJECT

----- Original Message ----- 
From: "Gerry Massat" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 04, 2004 12:16 AM
Subject: [IMGate] Re: Body Check problems


What specifically is not working? Everything? Getting too many bagels
and not enough lox?

The Klez matches mine and I get maybe 1 a month.
Buddly Sip? Sorry- never seen one!
For the mydoom test- I just have /^UEsDBAoAAAAAA/ and it works for me.
Basically a signature for an executable attachment.  In fact, a friend
tried to email to me an executable file- my header check (see below)
caught it.  When he renamed from *.exe to *.x, it still was caught by
this test.  (I changed my action to HOLD, and then did postsuper -H to
finally receive the email)

Want to stop the bagels?  /^UEsDBAoAAQAAA/ seems to stop the zip files
with an executable file, including the password protected variants.
(ymmv- I've only had one come through my system, and that was to the
IMail list before I had this check in place.)
Note- you can go to declude.com/tools and use their 'Test Virus Sender'-
you can have the Eicar test mailed to you in a zip attachment, and as a
password protected zip. (That's how I verified my body check!)

Problem with *.exe, *.pif, *.whatever_executable_extension?  I'm now
using this (one long line) in my header_checks.regexp:
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(ad[ep]|ba[st]|chm|cmd|com|cpl|crt|dll|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[betw]|ms[cipt]|nws|ocx|ops|pcd|p[ir]f|reg|sc[frt]|sh[bsm]|swf|vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x REJECT Attachment name "$2" not accepted with ".$3" extension

It will show for example: Attachment name "esekgzdh.exe" not accepted
with ".exe" extension
in the maillog.  It blocks everything EXCEPT .zip, since I have the
above check to deny zip's with exe's.

Oh- VERY IMPORTANT- see the '~~[[:alnum:] ... OK' line?  That basically
says stop this test when you reach an attachment.  Move this AFTER your
mydoom/klez/bagel tests!  (And move your last line:
/^UEsDBAoAAAAAA/ DISCARD
up to the top to replace those mydoom tests!)

Gerry. (Formerly from the Windy City)

Internet Chicago Staff wrote:

>Can anyone tell me why this doesn't work ?
>
>Thanks in advance Filename body_checks.regexp:
>
>
>~^[[:alnum:]+/]{60,}\s*$~       OK
>#mydoom
>/^UEsDBAoAAAAAA.{6}zy5egAlgAAAJYAA/ DISCARD
>/^UEsDBAoAAAAAA.{6}KJx\+eAFgAAABYAA/ DISCARD
>
>#KLEZ
>
>/AAAYmX3gXPgTs1z4E7Nc\+BOzJ\+Qfs1j4/ REJECT
>/^<ifraDDme src=(3DDDD)?cid:.* height=(3DDDD)?0 width=(3DDDD)?0>$/ REJECT
>
>/^(content.*[[:space:]]+|[[:space:]]*)(filename|name)=".*\.(htm|html|exe|EXE|ex_|EX_|eml|dll|scr|pif|com|bat|shs|shb|vxd|rm|chm|vbs|ini|cmd|do|hta|reg|lnk|js|jse|net)"/ REJECT
>/^(content.*[[:space:]]+|[[:space:]]*)(filename|name)="message\.zip"/ REJECT
>/^(content.*[[:space:]]+|[[:space:]]*)(filename|name)="Attach\.zip"/ REJECT
>/^(content.*[[:space:]]+|[[:space:]]*)(filename|name)="Information\.zip"/ REJECT
>/^(content.*[[:space:]]+|[[:space:]]*)(filename|name)="Readme\.zip"/ REJECT
>/^(content.*[[:space:]]+|[[:space:]]*)(filename|name)="Info\.zip"/ REJECT
>/^(content.*[[:space:]]+|[[:space:]]*)(filename|name)="TextDocument\.zip"/ REJECT
>/^(content.*[[:space:]]+|[[:space:]]*)(filename|name)="MoreInfo\.zip"/ REJECT
>/^(content.*[[:space:]]+|[[:space:]]*)(filename|name)="Message\.zip"/ REJECT
>/^(content.*[[:space:]]+|[[:space:]]*)(filename|name)="TextFile\.zip"/ REJECT
>/^(content.*[[:space:]]+|[[:space:]]*)(filename|name)="document\.zip"/ REJECT
>/^(content.*[[:space:]]+|[[:space:]]*)(filename|name)="Document\.zip"/ REJECT
>/^(content.*[[:space:]]+|[[:space:]]*)(filename|name)="nakedwife\.exe"/ REJECT
>/^(content.*[[:space:]]+|[[:space:]]*)(filename|name)="BUDDLY SIP"/ REJECT
>/^(content.*[[:space:]]+|[[:space:]]*)(filename|name)="SirC32\.exe"/ REJECT
>/^(content.*[[:space:]]+|[[:space:]]*)(filename|name)="Tech Specs and Financials\.doc\.com"/ REJECT
>
>/^Content-Disposition: attachment; filename=".*\.(htm|html|zip|exe|EXE|ex_|EX_|jpg|gif|net)\.(htm|html|scr|pif|bat|com|exe|EXE|ex_|EX_|lnk|net)"$/ REJECT
>/^Content-Disposition: attachment; filename=.*\.(htm|html|zip|exe|EXE|ex_|EX_|jpg|gif|net)\.(htm|html|scr|pif|bat|com|exe|EXE|ex_|EX_|lnk|net)"$/  REJECT
>/^UEsDBAoAAAAAA/ DISCARD
>
>



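Two things in this thread are worth seeing concretely: what the /^UEsDBAoAAAAAA/ and /^UEsDBAoAAQAAA/ lines actually match, and why Gerry's advice about the position of the ~^[[:alnum:]+/]{60,}\s*$~ OK line is right. The Python below is an added example by the editor, not code from the IMGate list, from Gerry, or from Postfix. It builds zip local file headers by hand (constructed input, not a real worm sample), base64-encodes them the way the first body line of a MIME attachment would appear, and replays the two table orderings with a small model of regexp_table(5) semantics as assumed here: any non-space delimiter, POSIX character classes, case-insensitive matching unless the i flag toggles it, first match wins, $n expanded in the action. The names zip_first_line, parse_table, lookup, body_verdicts and header_verdicts are the example's own, and the sample header lines are constructed.

```python
"""Added example for the IMGate thread above (editor's code, not the list's or
Postfix's): decode what the /^UEsDBAoA.../ base64 signature matches, then replay
a Postfix-style regexp table with first-match semantics to show why the order of
the '... OK' line and the DISCARD lines matters.  All inputs are constructed."""
import base64
import io
import re
import struct
import zipfile

# A zip local file header: PK\3\4, version needed, flags, method, mod time,
# mod date, CRC-32, compressed size, uncompressed size, name length, extra length.
def zip_first_line(version, flags, method, name=b"x.exe", payload=b"MZ" + b"\0" * 62):
    """First 76-column base64 body line of a (truncated, constructed) archive."""
    header = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", version, flags, method,
                         0, 0, 0, 0, 0, len(name), 0)
    return base64.b64encode(header + name + payload).decode("ascii")[:76]

PLAIN_STORED = zip_first_line(10, 0x0000, 0)      # version 1.0, no flags, stored
ENCRYPTED_STORED = zip_first_line(10, 0x0001, 0)  # flag bit 0 = password protected
DEFLATED = zip_first_line(20, 0x0000, 8)          # version 2.0, deflate

# CPython's zipfile writes "version needed = 2.0" even for stored members, so a
# stored .exe in a stock-built archive does not carry the 0x0A version byte.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w", zipfile.ZIP_STORED) as _zf:
    _zf.writestr("x.exe", b"MZ" + b"\0" * 62)
STOCK_ZIP = base64.b64encode(_buf.getvalue()).decode("ascii")[:76]

# Minimal replay of regexp_table(5) as assumed here: any non-space delimiter,
# POSIX classes translated for Python's re, case-insensitive unless the 'i' flag
# toggles it, first match wins, $1..$9 expanded in the action.  Other flags
# (m, x) are not emulated.
POSIX_CLASSES = {"[:alnum:]": "A-Za-z0-9", "[:space:]": r"\s"}

def parse_table(text):
    """Parse '<delim>pattern<delim>flags ACTION' lines into [(regex, action)]."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        delim = line[0]
        end = line.index(delim, 1)
        pattern, rest = line[1:end], line[end + 1:]
        flags_str, action = re.match(r"(\S*)\s+(.*)", rest).groups()
        for posix, py in POSIX_CLASSES.items():
            pattern = pattern.replace(posix, py)
        rules.append((re.compile(pattern, 0 if "i" in flags_str else re.IGNORECASE),
                      action.strip()))
    return rules

def lookup(rules, line):
    """Action of the first rule whose pattern matches, with $n expanded, or None."""
    for rx, action in rules:
        m = rx.search(line)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", action)
    return None

# The two body_checks orderings from the thread, reduced to the lines that matter.
AS_POSTED = r"""
~^[[:alnum:]+/]{60,}\s*$~       OK
#mydoom
/^UEsDBAoAAAAAA/ DISCARD
/^UEsDBAoAAQAAA/ DISCARD
"""
AS_ADVISED = r"""
/^UEsDBAoAAAAAA/ DISCARD
/^UEsDBAoAAQAAA/ DISCARD
~^[[:alnum:]+/]{60,}\s*$~       OK
"""

def body_verdicts(table_text):
    """Verdict for each constructed first-line sample under one table ordering."""
    rules = parse_table(table_text)
    samples = {"plain": PLAIN_STORED, "encrypted": ENCRYPTED_STORED,
               "deflated": DEFLATED, "stock": STOCK_ZIP}
    return {name: lookup(rules, line) for name, line in samples.items()}

# Gerry's extension rule plus one of the Message.zip rules, applied to
# constructed MIME part headers (these go through header checks, not body checks).
HEADER_RULES = parse_table(r'''
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(ad[ep]|ba[st]|chm|cmd|com|cpl|crt|dll|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[betw]|ms[cipt]|nws|ocx|ops|pcd|p[ir]f|reg|sc[frt]|sh[bsm]|swf|vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x REJECT Attachment name "$2" not accepted with ".$3" extension
/^(content.*[[:space:]]+|[[:space:]]*)(filename|name)="Message\.zip"/ REJECT
''')
HEADER_LINES = [  # constructed
    'Content-Disposition: attachment; filename="esekgzdh.exe"',
    'Content-Type: application/octet-stream; name="Message.zip"',
    'Content-Disposition: attachment; filename="report.pdf"',
]

def header_verdicts():
    return [lookup(HEADER_RULES, h) for h in HEADER_LINES]

if __name__ == "__main__":
    print("posted order :", body_verdicts(AS_POSTED))
    print("advised order:", body_verdicts(AS_ADVISED))
    for h, v in zip(HEADER_LINES, header_verdicts()):
        print(f"{h!r} -> {v}")
```

Running it shows that with the OK line first, every 76-column base64 line, the worm's included, is accepted before the DISCARD lines are consulted; after reordering, the two signatures catch a stored (version 1.0) zip whether or not the encryption flag is set, while a deflated archive or one written by a stock tool such as CPython's zipfile passes untouched. The signature is specific to how the worm builds its archive, not to zips containing executables in general. Three caveats for the questions at the top of the thread: regexp: tables are read as plain text, so there is nothing to postmap; `postmap -q '<line>' regexp:/path/to/body_checks.regexp` shows what a given line would hit, and `postfix reload` makes the running daemons pick up the edit. Since Postfix 2.0, the Content-Disposition and Content-Type lines of a MIME part are matched by mime_header_checks (default: $header_checks), not by body_checks, so a filename rule that lives only in body_checks.regexp never sees the attachment header. And because matching is case-insensitive by default, a base64 signature such as /^UEsDBAoAAAAAA/ also fires on lines that differ only in case, which decode to different bytes; add the i flag to a signature rule if you want it exact.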