Re: Security : WORM_HOLAR.H mass mailing gets past header_checks

From: Magnus Bäck (magnusdsek.lth.se)
Date: Mon Jun 02 2003 - 06:42:01 CDT


On Mon, Jun 02, 2003 at 02:15:17PM +0200,
     Alex Kramarov <alexincredimail.com> wrote:

[...]

> cat /etc/postfix/header_checks (on one line) :
>
> /^Content-(Type|Disposition):.*(file)?name=.*\.(com|exe|lnk|bat|scr|chm|hlp|hta|reg|shs|vbe|vbs|wsf|wsh|pif)/ REJECT Email rejected, an attachment with .${3} extension detected.
>
> for some reason, postfix doesn't catch the email sent by this worm -
> I have placed a sample of the email at
> http://mail.incredimail.com/worm_email.txt
>
> is it something missing on my end, or doesn't postfix recognise this
> email's MIME headers as MIME headers?

The regexp does not allow for spaces around the equal sign. From your
mail:

Content-Disposition: attachment; FileName = "Hot_Show.pif"

Modifying the regexp to

/^Content-(Type|Disposition):.*(file)?name *= *.*\.(com|exe|lnk|bat|scr|chm|hlp|hta|reg|shs|vbe|vbs|wsf|wsh|pif)/ REJECT Email rejected, an attachment with .${3} extension detected.

ought to do the trick, assuming the matching is case-insensitive (which
it is at least for PCRE maps).

--
Magnus Bäck
magnusdsek.lth.se
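A quick way to confirm the point made in the reply: an added Python check (not from the thread and not Postfix's own code) that runs both header_checks patterns over the header line quoted above plus two constructed headers. Python's re module stands in for the Postfix PCRE map here, with the case-insensitive flag set explicitly because Postfix pcre tables match case-insensitively by default while Python does not.

```python
import re

# Pattern from the original question: "name=" must be written without spaces.
ORIGINAL = (r'^Content-(Type|Disposition):.*(file)?name=.*\.'
            r'(com|exe|lnk|bat|scr|chm|hlp|hta|reg|shs|vbe|vbs|wsf|wsh|pif)')

# Corrected pattern from the reply: " *= *" tolerates whitespace around "=".
FIXED = (r'^Content-(Type|Disposition):.*(file)?name *= *.*\.'
         r'(com|exe|lnk|bat|scr|chm|hlp|hta|reg|shs|vbe|vbs|wsf|wsh|pif)')

# Postfix pcre maps are case-insensitive unless told otherwise; re needs the flag.
ORIG_RE = re.compile(ORIGINAL, re.IGNORECASE)
FIXED_RE = re.compile(FIXED, re.IGNORECASE)


def check_header(header, pattern=FIXED_RE):
    """Return the matched extension (capture group 3, what Postfix expands as
    ${3} in the REJECT text) if this header line would be rejected, else None."""
    m = pattern.search(header)
    return m.group(3).lower() if m else None


# Sample header lines: the first is the one quoted in the thread, the other two
# are constructed for this example.
SAMPLE_HEADERS = [
    'Content-Disposition: attachment; FileName = "Hot_Show.pif"',
    'Content-Type: application/octet-stream; name="invoice.exe"',
    'Content-Disposition: attachment; filename="report.pdf"',
]


def compare(headers=SAMPLE_HEADERS):
    """Show, per header, what the original and the fixed pattern would reject."""
    return [(h, check_header(h, ORIG_RE), check_header(h, FIXED_RE)) for h in headers]


if __name__ == "__main__":
    for header, before, after in compare():
        print(f"{header}\n  original: {before!r}  fixed: {after!r}")
```

The first sample shows the gap the reply describes: the original pattern returns None for the worm's `FileName = "..."` header while the fixed one rejects it on `.pif`.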