Re: Security : WORM_HOLAR.H mass mailing gets past header_checks
From: Alex Kramarov (alex incredimail.com)
Date: Mon Jun 02 2003 - 09:50:07 CDT
> cat /etc/postfix/header_checks (on one line) :
>
> /^Content-(Type|Disposition):.*(file)?name=.*\.(com|exe|lnk|bat|scr|chm|hlp|hta|reg|shs|vbe|vbs|wsf|wsh|pif)/ REJECT Email rejected, an attachment with .${3} extension detected.
>
> for some reason, postfix doesn't catch the email sent by this worm -
> I have placed a sample of the email at
> http://mail.incredimail.com/worm_email.txt
>
> is it something missing on my end, or postfix doesn't recognise this
> email's mime headers as mime headers ?
>The regexp does not allow for spaces around the equal sign. From your
>mail:
>
>Content-Disposition: attachment; FileName = "Hot_Show.pif"
>
>Modifying the regexp to
>
>/^Content-(Type|Disposition):.*(file)?name *= *.*\.(com|exe|lnk|bat|scr|chm|hlp|hta|reg|shs|vbe|vbs|wsf|wsh|pif)/ REJECT Email rejected, an attachment with .${3} extension detected.
>
>ought to do the trick, assuming the matching is case-insensitive (which
>it is at least for PCRE maps).
>
>--
>Magnus Bäck
>magnus dsek.lth.se
You're right, of course. I snagged that regexp from the list, and it wasn't
perfect. Now it's better, thank you ;) Well, at least this is not a postfix
security problem, but only my config's.
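
Added example, not part of the original thread: a Python check of the two header_checks patterns quoted above against sample headers, showing which ones the original pattern misses. It assumes Python's `re` with `IGNORECASE` stands in for Postfix's case-insensitive map matching; every sample header except the `Hot_Show.pif` line is constructed.

```python
import re

EXTS = r"(com|exe|lnk|bat|scr|chm|hlp|hta|reg|shs|vbe|vbs|wsf|wsh|pif)"
# The two header_checks patterns from the thread, each joined onto one line.
ORIGINAL = r"^Content-(Type|Disposition):.*(file)?name=.*\." + EXTS
FIXED = r"^Content-(Type|Disposition):.*(file)?name *= *.*\." + EXTS
ACTION = "REJECT Email rejected, an attachment with .${3} extension detected."


def header_check(pattern, header):
    """Return the action text with ${3} expanded, or None if no match.

    Assumption: re.IGNORECASE approximates Postfix's case-insensitive
    regexp/PCRE table matching for these simple patterns.
    """
    m = re.search(pattern, header, re.IGNORECASE)
    if m is None:
        return None
    return ACTION.replace("${3}", m.group(3))


# The first header is quoted in the thread; the rest are constructed.
SAMPLES = [
    'Content-Disposition: attachment; FileName = "Hot_Show.pif"',
    'Content-Disposition: attachment; filename="setup.exe"',
    'Content-Type: application/octet-stream; name ="card.scr"',
    'Content-Type: text/plain; name="notes.txt"',
    # The extension alternation is not anchored, so ".com" inside a longer
    # name also matches: both patterns reject this benign header.
    'Content-Type: text/plain; name="notes.computer.txt"',
]


def compare(samples=SAMPLES):
    """Return (header, original_result, fixed_result) for each sample."""
    return [(h, header_check(ORIGINAL, h), header_check(FIXED, h))
            for h in samples]


if __name__ == "__main__":
    for header, old, new in compare():
        print(header)
        print("  original:", old or "no match")
        print("  fixed:   ", new or "no match")
```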