Re: 'pif' file didn't get blocked today.
From: David Landgren (david landgren.net)
Date: Tue May 20 2003 - 11:37:56 CDT
Mark Knecht wrote:
>>>/^(Content-Disposition: attachment;.*|Content-Type:.*|(\t| )+)(file)?name="?.*\.(lnk|hta|com|pif|vbs|vbe|js|jse|exe|bat|cmd|vxd|scr|shm|dll)"?$/ REJECT
>>
>>trailing spaces after the .pif"? would let it through.
>>
>>David
>
> David,
> Looking again at the email that had this (it's this 'support AT Microsoft'
> virus) the file was called 'approved.pif.' with the extra period at the end
> of the name, or at least I think this is the case. Outlook won't let me
> touch the file, so possibly Outlook just placed the period there in its
> display. I cannot tell right now.
>
> To clarify, you do not see anything wrong with my checks in the line
> above? Or are you saying that line should be changed to somehow catch a
> space at the end of the name?
Sorry, I did not fully explain my line of reasoning, and Viktor's
message in this thread also underscores the point, which is that it's
the $ anchor tying the regexp to the end of the string that's probably
giving you grief. More stuff can follow the name of the file.
My MIME-fu isn't all that good, but try something like
/...|shm|dll)"? *(;|$)/
I.e., all that, followed by maybe spaces, then a semi-colon or an EOL.
David
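
Added example (not part of the original message or of Postfix): a small Python harness that runs the quoted header check and the revised ending suggested above against constructed header lines, to show which ones each pattern rejects. It assumes the "..." in the suggested pattern stands for the unchanged head of the quoted one; the sample headers are made up for the test.

```python
import re

# Extension list and pattern head as quoted in the thread.
EXTS = r"lnk|hta|com|pif|vbs|vbe|js|jse|exe|bat|cmd|vxd|scr|shm|dll"
HEAD = (r'^(Content-Disposition: attachment;.*|Content-Type:.*|(\t| )+)'
        r'(file)?name="?.*\.(' + EXTS + r')')

# Postfix regexp/pcre tables match case-insensitively by default,
# so the same flag is used here.
ORIGINAL = re.compile(HEAD + r'"?$', re.IGNORECASE)
# Assumption: "..." in the suggested pattern is the unchanged HEAD.
REVISED = re.compile(HEAD + r'"? *(;|$)', re.IGNORECASE)

# Constructed sample headers (not taken from the message under discussion).
SAMPLES = {
    "plain": 'Content-Disposition: attachment; filename="approved.pif"',
    "trailing_space": 'Content-Disposition: attachment; filename="approved.pif" ',
    "extra_param": 'Content-Disposition: attachment; filename="approved.pif"; size=1024',
    "trailing_period": 'Content-Type: application/octet-stream; name="approved.pif."',
    "benign": 'Content-Disposition: attachment; filename="report.pdf"',
}


def verdicts(header):
    """Return (original_rejects, revised_rejects) for one header line."""
    return (bool(ORIGINAL.search(header)), bool(REVISED.search(header)))


def report():
    """Map each sample name to its (original, revised) verdict pair."""
    return {name: verdicts(h) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, (old, new) in report().items():
        print(f"{name:16} original={'REJECT' if old else 'pass':6} "
              f"revised={'REJECT' if new else 'pass'}")
```

The trailing-period name from Mark's message matches neither pattern as written, so that case would need its own handling if the period really is part of the filename.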