From: *Hobbit* (hobbit@avian.org)
Date: Thu Apr 25 2002 - 03:13:33 CDT


    > /^TV[nopqr]....[AB]..A.A....*AAAA...*AAAA/i REJECT
    >
    > Oh please, this is plain nonsense. A Windows EXE file is a DOS
    > EXE image followed by a LE / NE / PE image (depending on the Windows

    It's not nonsense, it's following up on what I see in the real world.
    I'm well aware that EXE headers and stubs can be more variant than what I
    can describe in a regex like that, and note that there are even a few such
    right there in windoze distributions. Frankly, I haven't seen an .EXE
    attachment come by that had a nonstandard stub. Yet.

    Since a nonstandard stub *could* easily arrive, that's why I check for so
    many other .EXE file elements. Since one element could line-break in the
    middle of the base64, that's why I check for so many other .EXE file
    elements. I didn't post my entire list. Am I starting to make the point?
    It's also why I check for attachment filename extensions, etc etc.

    And I never claimed it was absolute -- nothing is. I simply collected
    a bunch of common characteristics within real-life .exe files that were
    available to me, and turned them into regexps, sort of as a hack research
    project at first, and then realized that it's still damn useful within
    Postfix.

    The fact that you and I are talking about this will probably prompt
    the worm writers to start writing their own linkers, and then my regexes
    and your content-filter will be useless until we play catch-up. Lovely.

    What do you consider a "real" virus scanner, anyways? Those are always
    playing catch-up, too. No, wait, don't answer that, because it will turn
    into a huge virus-detection flamewar totally unrelated to Postfix.

    The real answer is to strip any header or body line matching

       /^content-..*:/

    and flatten everything back to TEXT and just lose all this MIME crap.
    The entire world has forgotten how to tar-n-feather, and we're really
    paying the price for that.

    _H*
    -
    To unsubscribe, send mail to majordomo@postfix.org with content
    (not subject): unsubscribe postfix-users
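As an added illustration of the points made in the message above (this is example code written for this page, not code from the thread, from Hobbit, or from Postfix): the script below builds a constructed, typical-looking EXE header (a DOS header whose stub message sits at offset 0x4E, followed by the "PE" signature), base64-encodes it the way a MIME body part is encoded (76 characters, i.e. 57 bytes, per line), and applies the quoted body_checks regex one line at a time, which is how Postfix body_checks sees it. It also shows the two caveats from the message: a longer .EXE element such as the DOS stub message can straddle a base64 line break, so a single-line check never sees it whole, and a "nonstandard stub" (here, a hypothetical header with a non-zero relocation count) quietly falls outside the regex while still beginning with "TV". The helper that derives all three base64 alignments of a byte string is the general form of the "MZ" becomes "TV" observation; the header field values are assumptions chosen to look like common linker output.

```python
import base64
import re
import struct

# Hobbit's body_checks pattern, copied from the thread. Postfix applies
# body_checks to one transport line at a time, so it sees each 76-character
# base64 line of an attachment on its own.
HOBBIT_MZ_RE = re.compile(r"^TV[nopqr]....[AB]..A.A....*AAAA...*AAAA", re.I)

DOS_STUB_MSG = b"This program cannot be run in DOS mode."


def build_sample_exe_prefix(e_crlc=0):
    """Constructed sample: the first 0x84 bytes of a typical MS-linker style
    EXE (DOS header, DOS stub with its message at offset 0x4E, then b"PE\\0\\0").
    Not a real executable; only the header layout matters here. e_crlc (the
    relocation count field) is exposed so a hypothetical "nonstandard stub"
    can be produced for comparison."""
    hdr = bytearray(64)
    hdr[0:2] = b"MZ"
    # e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc, e_ss, e_sp,
    # e_csum, e_ip, e_cs, e_lfarlc, e_ovno (assumed common values)
    struct.pack_into("<13H", hdr, 2,
                     0x90, 3, e_crlc, 4, 0, 0xFFFF, 0, 0xB8, 0, 0, 0, 0x40, 0)
    struct.pack_into("<I", hdr, 60, 0x80)          # e_lfanew: PE header at 0x80
    stub = bytearray(b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21")
    stub += DOS_STUB_MSG + b"\r\r\n$"              # message lands at offset 0x4E
    stub += b"\x00" * (0x80 - 64 - len(stub))
    return bytes(hdr) + bytes(stub) + b"PE\x00\x00"


def mime_base64_lines(data):
    """Encode like a MIME body part: 76 base64 characters (57 bytes) per line."""
    return base64.encodebytes(data).decode("ascii").splitlines()


def base64_signatures(needle):
    """For each of the three byte alignments a needle can have inside a base64
    stream, return the run of base64 characters that is fixed regardless of
    the unknown bytes before and after it. ("TV" is alignment 0 of b"MZ".)"""
    sigs = []
    for shift in range(3):
        padded = b"\x00" * shift + needle
        enc = base64.b64encode(padded).decode("ascii").rstrip("=")
        lead = (shift * 8 + 5) // 6            # chars polluted by unknown preceding bytes
        tail = 1 if len(padded) % 3 else 0     # last char shares bits with the next byte
        sigs.append(enc[lead:len(enc) - tail])
    return sigs


def scan_lines(lines, needle=DOS_STUB_MSG):
    """Line-at-a-time scan, as body_checks does it. Returns the indexes of lines
    matching the MZ regex and the indexes of lines containing any alignment of
    the needle's base64 signature."""
    sigs = base64_signatures(needle)
    mz_hits = [i for i, ln in enumerate(lines) if HOBBIT_MZ_RE.match(ln)]
    sig_hits = [i for i, ln in enumerate(lines) if any(s in ln for s in sigs)]
    return mz_hits, sig_hits


def scan_joined(lines, needle=DOS_STUB_MSG):
    """What a MIME-aware filter sees: the whole base64 body as one stream."""
    stream = "".join(lines)
    return any(s in stream for s in base64_signatures(needle))


if __name__ == "__main__":
    lines = mime_base64_lines(build_sample_exe_prefix())
    print(lines[0][:24])                                        # TVqQAAMAAAAEAAAA//8AALgA
    # MZ regex hits line 0; the full stub message straddles lines 1 and 2,
    # so no single line contains its signature.
    print(scan_lines(lines))                                    # ([0], [])
    # A shorter element that fits inside one line is found.
    print(scan_lines(lines, b"This program cannot be run"))     # ([0], [1])
    # Decoding the part as a whole finds the full message.
    print(scan_joined(lines))                                   # True
    # Nonstandard header field: still "TV...", but the regex no longer matches.
    nonstd = mime_base64_lines(build_sample_exe_prefix(e_crlc=0x100))
    print(nonstd[0][:2], scan_lines(nonstd))                    # TV ([], [])
```

Two things fall out of running it. First, Hobbit's remark that "one element could line-break in the middle of the base64" is exactly what happens to the 39-byte stub message at offset 0x4E: it is split across the 57-byte line boundary at 0x72, so only a shorter piece of it, or a filter that decodes the whole part, can see it. Second, the "TV" prefix survives the hypothetical header change but the fixed "A" positions in the regex do not, which is why the message argues for checking many independent .EXE elements rather than one header pattern.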