From: *Hobbit* (hobbitavian.org)
Date: Wed Apr 24 2002 - 03:19:06 CDT

    We *do* have a way to recognize executables, one of which has been
    described already. Provided they arrive as base64 blobs, I run them
    through

       ## exe "MZ" header, which varies a bit. base64 and uuencode versions
       /^TV[nopqr]....[AB]..A.A....*AAAA...*AAAA/i REJECT
       /^M35[GHIJK].`..`..*````/i REJECT
       ## .rdata
       /LnJkY#XRhAA/i REJECT
       /cmRhd#GEAA/i REJECT
       /5yZGF#0YQAA/i REJECT
       ## .reloc
       /LnJlb#G9JAA/i REJECT
       /cmVsb#2MAA/i REJECT
       /5yZWx#vYwAA/i REJECT

    and a few other choice encodings that match any of the three possible
    ways that common binary elements of .EXE files could be base64ed.

    Note about .rdata and .reloc rules: Take the # characters out of the
    expressions before using -- I manually stuck them in so *this* message
    wouldn't trigger the rules!! Also, potential uuencode versions of those
    elements aren't covered, but I don't think we've seen a worm using
    uuencode instead of base64 yet...

    _H*
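An added example (not Hobbit's code, and not from the Postfix project) that works through the post's point: a byte string such as `.rdata\0\0` has three base64 spellings depending on how many bytes precede it within a 3-byte encoding group, and only the characters whose bits come entirely from the needle are stable enough to match on. The script derives those fragments, checks the post's rules (with the `#` characters removed) against them, and applies the rules line by line the way a Postfix body_checks map would; the 76-column wrapping and the zero-filled stand-in for a section table are constructed assumptions.

```python
import base64
import re

# .rdata / .reloc rules from the post with the '#' obfuscation removed.
# body_checks evaluates each pattern against one body line at a time;
# the post's /i flag becomes re.IGNORECASE.
RULES = [
    "LnJkYXRhAA", "cmRhdGEAA", "5yZGF0YQAA",   # .rdata
    "LnJlbG9JAA", "cmVsb2MAA", "5yZWxvYwAA",   # .reloc
]
_COMPILED = [re.compile(p, re.IGNORECASE) for p in RULES]


def invariant_fragment(needle: bytes, phase: int) -> str:
    """Base64 characters determined solely by `needle` when it starts
    `phase` bytes (0, 1 or 2) into a 3-byte group.  Characters that share
    bits with the neighbouring bytes are dropped, so the result matches
    regardless of what surrounds the needle in the real file."""
    padded = b"\x00" * phase + needle + b"\x00" * 3   # filler is arbitrary
    encoded = base64.b64encode(padded).decode("ascii")
    first_bit, last_bit = phase * 8, (phase + len(needle)) * 8
    out = []
    for i, ch in enumerate(encoded):
        if ch == "=":
            break
        if i * 6 >= first_bit and i * 6 + 6 <= last_bit:   # sextet inside needle
            out.append(ch)
    return "".join(out)


def all_fragments(needle: bytes) -> list[str]:
    """The three phase-dependent encodings of `needle`."""
    return [invariant_fragment(needle, phase) for phase in range(3)]


def encode_as_attachment(blob: bytes, width: int = 76) -> list[str]:
    """Wrap a base64 encoding into MIME-style lines (constructed, 76 cols)."""
    enc = base64.b64encode(blob).decode("ascii")
    return [enc[i:i + width] for i in range(0, len(enc), width)]


def rejected_lines(body_lines: list[str]) -> list[str]:
    """Lines a body_checks map built from RULES would REJECT."""
    return [ln for ln in body_lines if any(r.search(ln) for r in _COMPILED)]


if __name__ == "__main__":
    for phase, frag in enumerate(all_fragments(b".rdata\x00\x00")):
        print(f".rdata phase {phase}: {frag}")
    # Constructed stand-in for a section table: the name lands at a
    # different phase depending on how many bytes precede it.
    for lead in range(3):
        blob = b"\x00" * (30 + lead) + b".rdata\x00\x00" + b"\x00" * 30
        print(lead, rejected_lines(encode_as_attachment(blob)))
```

Because body_checks is line-oriented, a fragment that straddles a 76-column wrap is not seen by any single rule; the test below exercises that limit alongside the three phases.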