Re: Regex to block Sobig
On Fri, Aug 22, 2003 at 11:49:32AM -0500, Marcelo Medici wrote:
> I am trying to filter, using procmail, the offending subjects created in
> email by the sobig worm.

I have a better idea... Block executable attachments.

    :0 B
    * ^TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA+$
    /dev/null

That will match any base64-encoded DOS/Windows EXE file.

These days I use that and a couple of other regular expressions to
block executable attachments at the MTA using postfix's body_checks.

In /etc/postfix/main.cf, I have this line:

    body_checks = pcre:/etc/postfix/virus

And in /etc/postfix/virus, I have this:

    /^Content-Disposition: *attachment; *filename="?.*\.(lnk|com|exe|url|bat|vbs|cmd|pif|scr|wsh)"?$/ REJECT No executable attachments allowed here.
    /^\s*name="?.*\.(lnk|com|exe|url|bat|vbs|cmd|pif|scr|wsh)"?$/ REJECT No executable attachments allowed here.
    /^TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQA+$/i REJECT No executable attachments allowed here.

Steve
--
steve@silug.org | Southern Illinois Linux Users Group
(618)398-7360 | See web site for meeting details.
Steven Pritchard | http://www.silug.org/
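
Added example, not part of the original message: a small Python harness that runs the three patterns from the /etc/postfix/virus table above against single lines, to check what they reject before deploying them. The DOS header, PNG bytes and file names are constructed samples, and the helper names are assumptions of this example.

```python
import base64
import re
import struct

# Patterns copied from the /etc/postfix/virus table in the message above.
# Postfix pcre tables are case-insensitive by default and the "i" flag
# toggles that, so the rule written with /i is the case-sensitive one.
RULES = [
    ("disposition", re.compile(
        r'^Content-Disposition: *attachment; *filename="?.*\.(lnk|com|exe|url|bat|vbs|cmd|pif|scr|wsh)"?$', re.I)),
    ("name", re.compile(
        r'^\s*name="?.*\.(lnk|com|exe|url|bat|vbs|cmd|pif|scr|wsh)"?$', re.I)),
    ("mz-base64", re.compile(r'^TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQA+$')),
]

# Constructed sample: PNG signature plus padding, a benign binary attachment.
CONSTRUCTED_PNG = b"\x89PNG\r\n\x1a\n" + b"\0" * 56

def constructed_mz_header():
    """Constructed 64-byte DOS header with the values a typical linker stub carries."""
    fields = [0x5A4D, 0x90, 3, 0, 4, 0, 0xFFFF, 0, 0xB8, 0, 0, 0, 0x40, 0]
    head = struct.pack("<14H", *fields)            # e_magic .. e_ovno (28 bytes)
    return head.ljust(0x3C, b"\0") + struct.pack("<I", 0x80)  # e_lfanew at 0x3C

def mime_body_lines(data):
    """Base64 body lines as a mail client emits them: 76 characters (57 bytes) each."""
    return base64.encodebytes(data).decode("ascii").splitlines()

def check_line(line):
    """Name of the first rule that would REJECT this single line, else None."""
    for name, rx in RULES:
        if rx.search(line):
            return name
    return None

if __name__ == "__main__":
    samples = [
        mime_body_lines(constructed_mz_header())[0],
        mime_body_lines(CONSTRUCTED_PNG)[0],
        'Content-Disposition: attachment; filename="SETUP.EXE"',
        '\tname="sample.scr"',
        'Content-Disposition: attachment; filename="notes.txt"',
    ]
    for line in samples:
        print(f"{check_line(line) or 'pass':12} {line[:60]!r}")
```

The base64 rule matches the first body line because that line carries the first 57 bytes of the header, which are all zero after the 0x40 at offset 0x18, so everything after the "Q" encodes to "A" up to the end of the line.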