----- Original Message ----- 
From: "Brian Robson" <[EMAIL PROTECTED]>

> My ISP has just implemented the new policy of removing all M$ executables.
> Zipped files are still ok.  The result is heaven; my email downloads much
> faster and the daily viruses have stopped.  The idea that .scr and .pif and
> .bat files are all executables is farcical.

I agree with you Brian, I got sick of Swen.A and turned on body_checks in
our postfix config.
Here is what I did:

body_checks = regexp:/etc/postfix/body_checks.regexp

and the contents of body_checks.regexp:

# Some basic antivirus checks: double extensions such as report.doc.pif
# ("?...)"? covers both quoted and unquoted filename parameters; [[:space:]]*
# allows the usual whitespace after ':' and ';' in the MIME header)
/^Content-Disposition:[[:space:]]*attachment;[[:space:]]*filename="?.*\.(doc|zip|exe|xls|jpg|gif)\.(pif|bat|com|exe|lnk)"?$/	REJECT
# Common virus extensions that most people wouldn't send legitimately
# (the trailing (;|[[:space:]]|$) stops .js from also matching .json etc.)
/(filename|name)="?.*\.(asd|chm|hlp|hta|js|ocx|pif|bat)"?(;|[[:space:]]|$)/	REJECT
/(filename|name)="?.*\.(scr|shb|shs|vb|vbe|vbs|wsf|wsh)"?(;|[[:space:]]|$)/	REJECT
/filename="?.*\.(com|exe)"?(;|[[:space:]]|$)/	REJECT
# added the .exe block above after receiving lots of Gibe.b
# Specific virus attachments (these predate the blanket .exe block above)
/(filename|name)="(WTC|wtc|README)\.EXE"/	REJECT
/(filename|name)="(Happy99|Navidad|prettypark|zipped_files|flcss|Msinit|wininit|msi216|readme|README|Avp_updates|Qi_test|Anti_cih)\.exe"/	REJECT
# dhcp.* (not dhcp*): in a regexp, dhcp* means "dhc" plus any number of p's
/(filename|name)="(dhcp.*|Emanuel|kmbfejkm|NakedWife|Seicho_no_ie|JAMGCJJA|Sulfnbk)\.exe"/	REJECT
/(kak|day)\.(reg|hta)/	REJECT
# Bugbear virus: any double extension ending in an executable one
/(filename|name)=".*\.(.*)\.(pif|scr|bat|com|exe|lnk)"$/	REJECT
# Content signatures: the base64 and uuencoded forms of the "MZ" header at
# the start of a Windows executable, so renamed attachments are caught too
/^TV[nopqr]....[AB]..A.A....*AAAA...*AAAA/	REJECT
/^M35[GHIJK].`..`..*````/	REJECT

Note that the last two lines are very effective at removing nearly all Windows
executables.
We pump about 5000 messages a day through our server and Postfix has barely
broken a sweat even with these body checks on.
I think pcre is faster but I haven't read up on it.
Anyone played with pcre?

dave


-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
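The following is an added example, not code from the original post and not Postfix's own code. It loads a rules table in the same "/pattern/ ACTION" format as the posted body_checks.regexp and runs every line of a constructed MIME part through it the way Postfix applies a checks table: one line at a time, first matching rule wins, regexp matched anywhere in the line. The subset of rules, the attachment filenames and the payload bytes (a 64-byte "MZ" stub and a zip magic) are all constructed for illustration; the point it shows is that the base64 "TV[nopqr]" signature rejects an executable by content even when its extension is not on the filename list, while a zip or a .json file passes. One caveat for current installations: since Postfix 2.0, with MIME input processing enabled (the default), the MIME part headers that carry filename= are inspected by header_checks / mime_header_checks rather than body_checks, so the filename rules belong in those tables too; the base64 and uuencode content signatures stay in body_checks.

```python
"""Apply a Postfix-style body_checks regexp table to a MIME message.

Added example, not code from the original post and not Postfix's own code.
The rules, filenames and payload bytes below are constructed for
illustration.
"""
import base64
import re

# Constructed subset of the rules in the post. Postfix regexp tables hold
# POSIX extended regexps and match case-insensitively by default; the POSIX
# [[:space:]] class is rewritten to \s because Python's re module lacks it.
BODY_CHECKS = r"""
# Double extensions such as report.doc.pif (quoted or unquoted filename)
/^Content-Disposition:[[:space:]]*attachment;[[:space:]]*filename="?.*\.(doc|zip|exe|xls|jpg|gif)\.(pif|bat|com|exe|lnk)"?$/  REJECT
# Extensions nobody sends legitimately; .exe is deliberately not listed
/(filename|name)="?.*\.(asd|chm|hlp|hta|js|ocx|pif|bat|scr|shb|shs|vb|vbe|vbs|wsf|wsh)"?(;|[[:space:]]|$)/  REJECT
# base64 encoding of an "MZ" DOS/PE header: catches executables by content
/^TV[nopqr]....[AB]..A.A....*AAAA...*AAAA/  REJECT
"""

# One table line: /pattern/flags ACTION (flags are parsed but ignored here).
RULE = re.compile(r'^/(?P<pattern>.*)/(?P<flags>[a-z]*)\s+(?P<action>\S+)\s*$')


def load_rules(table):
    """Parse a regexp table into [(compiled_regex, action), ...] in file order."""
    rules = []
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError(f'unparseable rule: {line!r}')
        pattern = m['pattern'].replace('[[:space:]]', r'\s')
        rules.append((re.compile(pattern, re.IGNORECASE), m['action']))
    return rules


def check_lines(lines, rules):
    """Return (action, line_number) for the first line any rule matches, or
    None when every line passes. As in Postfix, a rule matches when the
    regexp is found anywhere in the line (search, not a full match)."""
    for lineno, line in enumerate(lines, 1):
        for regex, action in rules:
            if regex.search(line):
                return action, lineno
    return None


def mime_part(filename, payload):
    """Constructed MIME part: a Content-Disposition header, a blank line, then
    the payload base64-encoded at 76 characters per line, as a mail client
    emits it."""
    header = f'Content-Disposition: attachment; filename="{filename}"'
    body = base64.encodebytes(payload).decode('ascii').splitlines()
    return [header, ''] + body


def classify(filename, payload, rules=None):
    """Verdict for one attachment: ('REJECT', matching line) or ('OK', 0)."""
    if rules is None:
        rules = load_rules(BODY_CHECKS)
    hit = check_lines(mime_part(filename, payload), rules)
    return hit if hit else ('OK', 0)


# Constructed 64-byte DOS/PE stub: "MZ" magic, e_lfanew at offset 0x3c. Its
# base64 form begins "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA", which is what
# the TV[nopqr] signature in the post keys on.
MZ_STUB = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
           b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00"
           + b"\x00" * 32 + b"\x80\x00\x00\x00")
# Constructed zip: local file header magic "PK\x03\x04" followed by padding.
ZIP_STUB = b"PK\x03\x04" + b"\x00" * 60


if __name__ == '__main__':
    for name, payload in [('report.doc.pif', ZIP_STUB),  # double extension
                          ('README.SCR', ZIP_STUB),      # listed extension
                          ('setup.exe', MZ_STUB),        # caught by content only
                          ('photos.zip', ZIP_STUB),      # legitimate, passes
                          ('notes.json', ZIP_STUB)]:     # .js rule must not fire
        print(f'{name:16} -> {classify(name, payload)}')
```

Running it shows setup.exe rejected at line 3, the first base64 line of the part, because the "MZ" header signature fires; the header line alone would have passed, since .exe is not on the extension list in this subset. The zip and the .json attachment pass, the latter because the rule ends in (;|[[:space:]]|$) rather than stopping at the extension, which is what keeps a .js rule from matching .json.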
