
Re: Regex to block Sobig



Thank you for your reply; however, I am using sendmail as my transport
agent, so the postfix suggestion will have to be archived for a future
date. I like the idea of blocking the executables; it seems much more
proactive.

On Fri, 22 Aug 2003, Steven Pritchard wrote:

> On Fri, Aug 22, 2003 at 11:49:32AM -0500, Marcelo Medici wrote:
> > I am trying to filter, using procmail, the offending subjects created in
> > email by the Sobig worm.
>
> I have a better idea...  Block executable attachments.
>
> :0 B
> * ^TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA+$
> /dev/null
>
> That will match any base64-encoded DOS/Windows EXE file.
>
> These days I use that and a couple of other regular expressions to
> block executable attachments at the MTA using postfix's body_checks.
> In /etc/postfix/main.cf, I have this line:
>
>   body_checks = pcre:/etc/postfix/virus
>
> And in /etc/postfix/virus, I have this:
>
>   /^Content-Disposition: *attachment; *filename="?.*\.(lnk|com|exe|url|bat|vbs|cmd|pif|scr|wsh)"?$/	REJECT No executable attachments allowed here.
>
>   /^\s*name="?.*\.(lnk|com|exe|url|bat|vbs|cmd|pif|scr|wsh)"?$/	REJECT No executable attachments allowed here.
>
>   /^TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQA+$/i	REJECT No executable attachments allowed here.
>
> Steve
> --
> steve@silug.org           | Southern Illinois Linux Users Group
> (618)398-7360             | See web site for meeting details.
> Steven Pritchard          | http://www.silug.org/
>
> -
> To unsubscribe, send email to majordomo@luci.org with
> "unsubscribe luci-discuss" in the body.
>
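
As an added example (not part of the original thread), this Python script decodes the base64 prefix that the third quoted rule keys on and runs the three quoted patterns, line by line, over constructed messages. The rule names, helper functions and sample messages are assumptions made for the illustration, and the line-by-line scan only approximates how an MTA applies such rules.

```python
import base64
import re

EXT = r'\.(lnk|com|exe|url|bat|vbs|cmd|pif|scr|wsh)"?$'
RULES = [  # rule names are hypothetical labels for the three quoted patterns
    ("disposition-filename",
     re.compile(r'^Content-Disposition: *attachment; *filename="?.*' + EXT, re.I)),
    ("name-parameter", re.compile(r'^\s*name="?.*' + EXT, re.I)),
    # Base64 is case-sensitive, so this pattern is matched case-sensitively here.
    ("base64-exe-header", re.compile(r'^TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA+$')),
]
SIGNATURE = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA"

def signature_bytes():
    """Decode the base64 prefix the third rule keys on (padded to a multiple of 4)."""
    return base64.b64decode(SIGNATURE + "=" * (-len(SIGNATURE) % 4))

def scan(raw_message):
    """Return the names of the rules that match at least one line of the message."""
    hits = []
    for line in raw_message.splitlines():
        for name, rx in RULES:
            if rx.search(line) and name not in hits:
                hits.append(name)
    return hits

def build_message(filename, payload):
    """Build a constructed single-attachment MIME message (sample input only)."""
    body = base64.encodebytes(payload).decode("ascii")  # wraps at 76 characters
    return (
        'Subject: sample\n'
        'MIME-Version: 1.0\n'
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        '--b1\n'
        'Content-Type: application/octet-stream;\n'
        f'\tname="{filename}"\n'
        'Content-Transfer-Encoding: base64\n'
        f'Content-Disposition: attachment; filename="{filename}"\n\n'
        f'{body}--b1--\n'
    )

# Constructed payload: the 25 decoded header bytes plus 32 zero bytes, which is
# exactly one 76-character base64 line. It is header data only, not a program.
DOS_HEADER = signature_bytes() + bytes(32)
EXE_MAIL = build_message("details.exe", DOS_HEADER)
RENAMED_MAIL = build_message("details.txt", DOS_HEADER)
TEXT_MAIL = build_message("notes.txt", b"meeting notes for Tuesday\n" * 4)
```

In this constructed data the renamed attachment is still caught by the content rule, while the two filename rules do not fire on it.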

