(disclaimer: all regexps need to have asterisk removed to work.)

Keith,

Thanks for the info. I used your regexp and it didn't block anything. I looked at it closer and while I'm not a regexp god, I have a little bit of perl regexp experience. I thought it should have read:

U*EsDB....[Q-Za-fw-z0-9]+

as the plus sign inside of braces means 'match this in this character class' (but outside of class means match 1 or more) and the forward slash in the character class meant either end the regexp, or match a forward slash (depending on how postfix reads it). Postfix does regexps a little bit differently than perl so I could be way off though, and spent the last 2 hours for nothing :)

When I used my "fixed" version, it stopped ALL zips (encrypted and unencrypted) for some unknown reason.

I did have luck with Gerry Massats regexp:

U*EsDBAoAAQAAA

But only on encrypted zips sent from Declude (www.declude.com). I tried pw-protecting my own file and sending it, and it got through.

Looking at the attachment headers, I devised that the following types of files started with the following headers:

Normal zip: U*EsDBBQAAAA
My test encrypted zip: U*EsDBBQAAQA (3 different zip files, all with differing types/pws each)
Declude's encrypted zip: U*EsDBAoAAQA (which would explain why Gerry's works .. he prob used it only to test with and it's the only thing my IMgate catches)

I don't know why my modified version of your regexp didn't work ... it LOOKS like it should have, but it didn't. I'm baffled and it's late so I'll leave this to you early birds to try to solve.

If you want, you can download one of the test encrypted zip files I made at http://dev.ebaseweb.com/stuff/test3.zip ... it contains 1 pw protected file 'setup.exe' (which was some random app installer file for windows that I found).

I hope you guys have better luck than I did with this :)

-Billy

> ----- Original Message -----
> From: "Keith Woodworth" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, March 03, 2004 6:26 PM
> Subject: [IMGate] Re: dealing with w32/bagle (fwd)
>
> > | U*EsDBAoAAAAAA <= Matches unencrypted ZIP file
> > | U*EsDBAoAAQAAA <= Matches encrypted version.
> >
> > As of today we're blocking all possible encrypted zips, not just bagles,
> > with this reg-exp:
> >
> > UEsDB....[Q-Za-fw-z0-9\+/]
> > Regexp: UEsDB....[Q-Za-fw-z0-9\+/]
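Added example, not part of the original message or of IMGate/Postfix: the prefixes discussed above are the base64 form of a ZIP local file header (4-byte signature, 2-byte version needed, 2-byte general purpose flags, bit 0 = encrypted). The Python below decodes the three prefixes from the message (written without the asterisk) and derives which base64 characters at position 10 carry that bit. It uses Python's `re`, not Postfix's regexp engine, and the function names and `header_b64` samples are constructed for illustration.

```python
import base64
import re
import string
import struct

# Standard base64 alphabet, index == 6-bit value.
B64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

def parse_prefix(b64_prefix):
    """Decode the first 8 header bytes from a base64 prefix (11+ chars).

    Returns (version_needed, flags, encrypted).
    """
    padded = b64_prefix + "A" * (-len(b64_prefix) % 4)  # pad to a 4-char group
    raw = base64.b64decode(padded)
    sig, version, flags = struct.unpack("<4sHH", raw[:8])
    if sig != b"PK\x03\x04":
        raise ValueError("not a ZIP local file header")
    return version, flags, bool(flags & 0x0001)

def encrypted_chars():
    """Base64 characters possible at position 10 when flag bit 0 is set.

    Character 10 holds the low two bits of header byte 6 (flags, low byte)
    in its top two bits, so flag bit 0 is that character's value-16 bit.
    """
    return "".join(c for value, c in enumerate(B64) if value & 0x10)

# Same shape as the quoted expression, built from the derived class.
ENCRYPTED_RE = re.compile(r"^UEsDB.{4}[" + re.escape(encrypted_chars()) + "]")

def header_b64(version, flags):
    """Constructed sample: base64 of signature + version + flags + 1 pad byte."""
    raw = struct.pack("<4sHH", b"PK\x03\x04", version, flags) + b"\x00"
    return base64.b64encode(raw).decode("ascii")

if __name__ == "__main__":
    for label, prefix in [("normal zip", "UEsDBBQAAAA"),
                          ("test encrypted zip", "UEsDBBQAAQA"),
                          ("Declude encrypted zip", "UEsDBAoAAQA")]:
        print(label, parse_prefix(prefix), bool(ENCRYPTED_RE.match(prefix)))
    print("class:", encrypted_chars())
```

The check only sees the first local file header, so it applies when the base64 body of the attachment begins at the start of the ZIP file.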
