Re: [Exim] Regex for catching RAR flavour of Bagle/beagle

Author: Adam D. Barratt
Date:  
To: Exim users mailing list
Subject: Re: [Exim] Regex for catching RAR flavour of Bagle/beagle
On Friday, March 19, 2004 12:58 PM, Bruce Richardson <itsbruce@???>
wrote:

> On Fri, Mar 19, 2004 at 01:40:46PM +0100, Marcin Owsiany wrote:
>> Might be useful for someone...

[...]
> The exiscan patch plus a decent av scanner (e.g. clamav) are both more
> reliable and considerably less work than this method, imho. Less
> likely to give false positives, also.


We use a combination approach:

1) Log anything that looks like a password-encrypted zip / rar
2) Pass them through clamav via exiscan-acl (with databases updated every
two hours)
3) Freeze anything that clamav claims is clean, for further inspection

Of the half-dozen that have so far made it to step three, all have turned
out to contain a variant of Bagle.

Adam
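Step 1 of the approach Adam describes (spotting an attachment that "looks like a password-encrypted zip / rar" before it ever reaches the AV scanner) comes down to reading one flag bit in each archive format. The following is an added example, not code from this thread or from exiscan: a small Python detector that checks the encryption bit in ZIP local/central headers and the password-protected and headers-encrypted flags in RAR 2.x/3.x block headers. The sample archives are constructed in-line with zeroed CRCs, and the `triage_attachment`, `zip_is_encrypted` and `rar_is_encrypted` names are this example's own. How you feed decoded MIME parts to it from an Exim ACL is outside the example.

```python
import struct

# ZIP: the encryption bit is bit 0 of the general-purpose flags, present in
# both the local file header (PK\x03\x04) and the central directory (PK\x01\x02).
ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_CENTRAL_SIG = b"PK\x01\x02"
ZIP_FLAG_ENCRYPTED = 0x0001

# RAR 1.5-4.x: marker block, then a chain of blocks with a 7-byte header:
# HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2).
RAR_MARKER = b"Rar!\x1a\x07\x00"
RAR_BLOCK_MAIN = 0x73
RAR_BLOCK_FILE = 0x74
RAR_MAIN_FLAG_ENC_HEADERS = 0x0080   # archive created with -hp (headers encrypted)
RAR_FILE_FLAG_PASSWORD = 0x0004      # file created with -p (data encrypted)
RAR_FLAG_ADD_SIZE = 0x8000           # block carries a 4-byte ADD_SIZE after the header


def zip_is_encrypted(data: bytes) -> bool:
    """True if any ZIP entry has the encryption bit set.

    Headers are found by signature scan instead of trusting the size fields,
    because a hostile archive can lie about sizes to hide an entry."""
    for sig, flag_off in ((ZIP_LOCAL_SIG, 6), (ZIP_CENTRAL_SIG, 8)):
        pos = data.find(sig)
        while pos != -1:
            if pos + flag_off + 2 <= len(data):
                (flags,) = struct.unpack_from("<H", data, pos + flag_off)
                if flags & ZIP_FLAG_ENCRYPTED:
                    return True
            pos = data.find(sig, pos + 1)
    return False


def rar_is_encrypted(data: bytes) -> bool:
    """Walk RAR block headers; True if headers or any file's data are password-protected."""
    if not data.startswith(RAR_MARKER):
        return False
    pos = len(RAR_MARKER)
    while pos + 7 <= len(data):
        _crc, btype, flags, size = struct.unpack_from("<HBHH", data, pos)
        if size < 7:
            break  # corrupt header: stop rather than loop forever
        if btype == RAR_BLOCK_MAIN and flags & RAR_MAIN_FLAG_ENC_HEADERS:
            return True
        if btype == RAR_BLOCK_FILE and flags & RAR_FILE_FLAG_PASSWORD:
            return True
        add_size = 0
        if flags & RAR_FLAG_ADD_SIZE and pos + 11 <= len(data):
            (add_size,) = struct.unpack_from("<I", data, pos + 7)  # packed data size
        pos += size + add_size
    return False


def triage_attachment(data: bytes) -> str:
    """Label for the log line in step 1: 'encrypted-zip', 'encrypted-rar', 'archive' or 'other'."""
    if data.startswith(ZIP_LOCAL_SIG) or ZIP_CENTRAL_SIG in data:
        return "encrypted-zip" if zip_is_encrypted(data) else "archive"
    if data.startswith(RAR_MARKER):
        return "encrypted-rar" if rar_is_encrypted(data) else "archive"
    return "other"


# --- constructed samples (minimal headers, CRCs left at zero) -------------

def _zip_entry(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """One stored ZIP local entry; only the flag bit differs between the two cases."""
    flags = ZIP_FLAG_ENCRYPTED if encrypted else 0
    header = struct.pack("<4sHHHHHIIIHH", ZIP_LOCAL_SIG, 20, flags, 0, 0, 0,
                         0, len(payload), len(payload), len(name), 0)
    return header + name + payload


def _rar_sample(password_protected: bool) -> bytes:
    """Marker + 13-byte main header + one file header with its packed data."""
    main = struct.pack("<HBHH", 0, RAR_BLOCK_MAIN, 0, 13) + b"\x00" * 6
    name = b"price.doc.exe"
    payload = b"MZ" + b"\x00" * 30
    flags = RAR_FLAG_ADD_SIZE | (RAR_FILE_FLAG_PASSWORD if password_protected else 0)
    head_size = 32 + len(name)
    file_hdr = struct.pack("<HBHHIIBIIBBHI", 0, RAR_BLOCK_FILE, flags, head_size,
                           len(payload), len(payload), 0, 0, 0, 29, 0x30, len(name), 0x20)
    return RAR_MARKER + main + file_hdr + name + payload


if __name__ == "__main__":
    for label, blob in (("zip -p", _zip_entry(b"a.exe", b"MZ", True)),
                        ("zip", _zip_entry(b"a.exe", b"MZ", False)),
                        ("rar -p", _rar_sample(True)),
                        ("rar", _rar_sample(False))):
        print(f"{label:8s} -> {triage_attachment(blob)}")
```

The check only tells you that a password is needed to open the archive, which is exactly why it belongs at the logging stage rather than as a rejection rule on its own: a legitimate encrypted attachment and a Bagle dropper look identical at this level, and the AV pass and the freeze-for-inspection step in the mail are what separate them.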