Silly me, I should probably damage the headers or I'm going to block the
post for everyone :-)
(extra '_' added)
On Thu, May 09, 2002 at 11:45:34PM -0500, dman wrote:
> if
> "$message_body $message_body_end"
> matches "Content-.*audio/x-wav.*\.(?:pif|exe)"
> or
> "$message_body $message_body_end"
> matches "Content-.*audio/x-mid.*\.(?:scr|exe)"
> or
> "$message_body $message_body_end"
> matches "<iframe.*</iframe>"
> then
I've been looking at my existing rules, because as mentioned before, I
don't like this solution: I don't want to get in the business of writing
custom and possibly imperfect filters for each new virus that comes out.
Klez sends:
--O1wI75YSucu4Fo4J6F4jxR6U6k78
Content_-_Type: audio/x-midi;
name=Custom.s_c_r
If I modify it to say:
--O1wI75YSucu4Fo4J6F4jxR6U6k78
Content_-_Type: audio/x-midi; name=Custom.s_c_r
then it gets blocked by the existing system_filter
I have the flu right now, so I don't think it's the best time for me to mess
with my filter regexes, but it seems that it's only a matter of fixing this:
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif)\"|[\\\\w.-]+\\\\.(?:vb[se]|ws[fh]|jse?|exe|com|shs|bat|scr|pif))[\\\\s;]"
I prefer a generic fix a _lot_ better.
Marc
--
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page:
http://marc.merlins.org/ | Finger marc_f@??? for PGP key
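
The message above shows the same attachment being missed when `name=` sits on a continuation line and caught when the header is on one line. The following is an added example, not code from the original post or from Exim: it swaps the body regex for Python's standard `email` parser, which unfolds headers before the extension check. The extension list is taken from the regex quoted in the post; the sample messages, boundary and addresses are constructed.

```python
import email

# Extensions taken from the system_filter regex quoted in the post.
BLOCKED_EXTENSIONS = {"vbs", "vbe", "wsf", "wsh", "js", "jse", "exe",
                      "com", "shs", "bat", "scr", "pif"}


def blocked_attachments(raw_message: bytes) -> list:
    """Return attachment names whose extension is on the block list."""
    msg = email.message_from_bytes(raw_message)
    hits = []
    for part in msg.walk():
        # get_filename() reads the Content-Disposition "filename" parameter
        # and falls back to the Content-Type "name" parameter. Parameters are
        # split out of the whole header value, so it makes no difference
        # whether "name=" is on the first line or on a continuation line.
        name = part.get_filename()
        if not name:
            continue
        # Trailing dots and spaces are dropped by Windows when the file is
        # saved, so ignore them when working out the extension.
        cleaned = name.rstrip(". ")
        ext = cleaned.rsplit(".", 1)[-1].lower() if "." in cleaned else ""
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def _sample(attachment_header: str) -> bytes:
    """Build a constructed two-part message around one attachment header."""
    return (
        "From: sender@example.invalid\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/alternative; boundary="XX"\r\n'
        "\r\n"
        "--XX\r\n"
        "Content-Type: text/plain\r\n\r\nhello\r\n"
        "--XX\r\n"
        + attachment_header +
        "Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n"
        "--XX--\r\n"
    ).encode("ascii")


# Constructed samples: folded header, single-line header, harmless name.
FOLDED = _sample("Content-Type: audio/x-midi;\r\n\tname=Custom.scr\r\n")
ONE_LINE = _sample("Content-Type: audio/x-midi; name=Custom.scr\r\n")
BENIGN = _sample('Content-Type: audio/x-midi; name="song.mid"\r\n')
```

This covers MIME attachment names only; the `begin NNN` uuencode branch of the quoted regex would still need its own check on the body text.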