Hi,
  I saw this recent post on a UK security mailing list, regarding blocking
any attachment that starts with "TVqQAAMA", i.e. anything executable by
Windows.
  I'm currently blocking the following extensions with qmail-scanner-1.16:

.vbe .vbs .lnk .scr .wsh .hta .pif .exe .com .bat .cmd .cpl .mhtml .ceo
.cnf .ins .scf .sct .shb .shs .xnk

Is there a way qmail-scanner can perform the above "TVqQAAMA" block to
catch anything that this list may miss?
  AFAICT there doesn't seem to be.
  Cheers.

> As an aside, for what it's worth, we're trying a recipe that targets the
> initial byte sequence of windows executables.  In Base64 encoding it
> looks like:
>
> TVqQAAMA (at the start of a line after one blank line; case sensitive)
>
> We reject the junk outright with an Exim4 ACL - gives a 5xx response to
> the DATA command.  E.g.
>
>  deny condition = ${if match{$message_body:}{  TVqQAAMA}{yes}{no}}
>       message = This message appears to contain a Windows executable \n\
>                 If this is wrong, please contact [EMAIL PROTECTED] for help
>
> There are 2 spaces before the TVqQAAMA - the first matches the blank line,
> the second matches the newline.  Need to set message_body_visible to
> something reasonable like 5K.
>
> Very crude, but seems to get rid of almost any PC executable, regardless
> of suffix etc, without cranking up expensive virus scanner or
> SpamAssassin.

-- 
Mark Powell - UNIX System Administrator - The University of Salford
Information Services Division, Clifford Whitworth Building,
Salford University, Manchester, M5 4WT, UK.
Tel: +44 161 295 5936  Fax: +44 161 295 5888  www.pgp.com for PGP key
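The "TVqQAAMA" rule quoted above, side by side with a check on the decoded attachment bytes, as an added example that is not part of the original post or of qmail-scanner. The text match only fires when the attachment is base64-encoded and its DOS stub begins with the usual `MZ\x90\x00\x03\x00` bytes; decoding each MIME part and testing for the two-byte `MZ` magic catches binaries with other stub bytes regardless of filename extension. The message builder and its headers are constructed test data.

```python
"""Added example (not from the original post or qmail-scanner): compare the
crude "TVqQAAMA" text match with a check on the decoded attachment bytes."""
import base64
from email import message_from_bytes

# "TVqQAAMA" is base64 for b"MZ\x90\x00\x03\x00", the common DOS-stub start.
# Only "MZ" is the real magic; the next bytes vary between linkers, so the
# text match misses some binaries. It also needs the attachment base64-coded.
BASE64_PREFIX = b"TVqQAAMA"
MZ_MAGIC = b"MZ"

def line_rule_hits(raw: bytes) -> bool:
    """The quoted Exim rule as text: TVqQAAMA at the start of a line that
    directly follows a blank line (case sensitive)."""
    lines = raw.splitlines()
    return any(prev.strip() == b"" and cur.startswith(BASE64_PREFIX)
               for prev, cur in zip(lines, lines[1:]))

def executable_parts(raw: bytes) -> list:
    """(filename, content_type) of every MIME leaf part whose decoded payload
    starts with the MZ magic, whatever its filename extension."""
    hits = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / QP
        if payload and payload.startswith(MZ_MAGIC):
            hits.append((part.get_filename(), part.get_content_type()))
    return hits

def build_sample(header: bytes, filename: str) -> bytes:
    """Construct a minimal multipart message carrying `header` as a base64
    attachment; this is synthetic test data, not a real mail."""
    b64 = base64.b64encode(header).decode()
    return (
        "From: a@example.invalid\r\nTo: b@example.invalid\r\n"
        "Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="bnd"\r\n\r\n'
        "--bnd\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
        "--bnd\r\nContent-Type: application/octet-stream\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n\r\n'
        f"{b64}\r\n--bnd--\r\n"
    ).encode()

# Constructed headers: a typical MS-linker stub, and one with other stub bytes.
TYPICAL_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
ODD_STUB = b"MZ\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\xff\xff\x00\x00"
```

With `TYPICAL_STUB` both checks fire; with `ODD_STUB` only the decoded-bytes check does, which is the gap the extension list and the text rule share.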


_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
