On 2004-11-27 21:46:35 -0800, Robert Spier wrote:
> > > For more info as to why what we're doing is silly, see this post:
> > > http://archives.neohapsis.com/archives/postfix/2002-04/1914.html
> >
> > Great theory, but poor in practice. If I can block any significant
> > percentage of executable attachments by assuming a certain Base-64
> > prefix, then that is always going to be an effective method to use _in
> > addition to some other scanning method_. The Base-64 scanning is a
> > very low cost alternative to a full virus scanner, and isn't silly in
> > the slightest.
>
> Huh? I don't see how shortening the prefix does anything except:
>
> - improve accuracy of prefix match -- no Base-64'ed EXE files will
>   slip through
> - prevent us from having to maintain a list of prefixes

- increase the risk of false positives.

> I don't see how it's a bad thing to only look for "TV"?

That's only 12 bits. Every base64-encoded MIME part starting with MP
through M_ will match it. While I don't know any interesting binary
format offhand which would match this, I would expect text in non-latin
scripts to match quite frequently - for example, consider a Russian text
about MZ motorcycles or a Japanese text about MP3.

        hp

-- 
   _  | Peter J. Holzer    | The further north you go, the less people
|_|_) | Sysadmin WSR       | speak at all, and so no dialect either.
| |   | [EMAIL PROTECTED]  | Hallig Gröde is almost entirely dialect-free.
__/   | http://www.hjp.at/ |    -- Hannes Petersen in desd
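The 12-bit point made in the message above, worked through as an added example that is not part of the original thread: it enumerates which leading bytes a two-character Base-64 prefix pins down, and which longer prefixes cover every part beginning with the bytes "MZ". The function names and the sample byte strings are constructed for illustration.

```python
import base64
from itertools import product

def b64_prefixes(magic: bytes, n_chars: int) -> set[str]:
    """All n_chars-long Base-64 prefixes that data starting with `magic` can produce."""
    need = -(-n_chars * 6 // 8)           # whole bytes covered by n_chars characters
    free = max(0, need - len(magic))      # covered bytes that `magic` does not fix
    out = set()
    for tail in product(range(256), repeat=free):
        head = (magic + bytes(tail))[:need]
        out.add(base64.b64encode(head + b"\0\0")[:n_chars].decode())
    return out

def second_bytes_matched(prefix2: str, first: int) -> list[int]:
    """Second-byte values that still encode to the 2-character prefix."""
    return [b for b in range(256)
            if base64.b64encode(bytes([first, b, 0]))[:2].decode() == prefix2]

# Constructed sample MIME part bodies (raw bytes before Base-64 encoding).
SAMPLES = {
    "exe_stub": b"MZ\x90\x00\x03\x00\x00\x00",       # start of a DOS/PE header
    "ru_text": "MZ мотоциклы".encode("koi8-r"),      # Russian text about MZ motorcycles
    "ja_text": "MP3プレーヤー".encode("utf-8"),        # Japanese text about MP3
    "png": b"\x89PNG\r\n\x1a\n",                     # unrelated binary format
}

def flagged(prefixes, samples=SAMPLES) -> list[str]:
    """Names of samples whose Base-64 form starts with any of the prefixes."""
    wanted = tuple(prefixes)
    return sorted(name for name, raw in samples.items()
                  if base64.b64encode(raw).decode().startswith(wanted))

if __name__ == "__main__":
    # "TV" fixes only the first 12 bits: 'M' plus the high nibble 0x5 of byte two.
    print("second byte after 'M':", bytes(second_bytes_matched("TV", ord("M"))))
    print("3-char prefixes for MZ:", sorted(b64_prefixes(b"MZ", 3)))
    print('flagged by "TV":       ', flagged({"TV"}))
    print("flagged by MZ prefixes:", flagged(b64_prefixes(b"MZ", 3)))
```

The three-character set still flags the text part that begins with the literal letters "MZ", so a prefix test of any length only indicates the leading bytes, not that the part is an executable.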