Re: mimail pattern?

From: Jim Seymour (jseymourLinxNet.com)
Date: Fri Aug 01 2003 - 20:24:14 CDT


Mark Jeftovic <markjeftovic.net> wrote:
>
>
>
> I should have put in disclaimers, do your own DD, no warranties,
> remove cellophane before eating, your mileage may vary, etc.

Same here :)

>
> But so far this is working for me, although I can think of various ways
> it could be tightened up as a pattern.
>
> -mark
>
> On Fri, 1 Aug 2003, Mark Jeftovic wrote:
>
> >
> >
> > I've noticed the subject line is "your account" followed by a bunch
> > of spaces and then 8 random characters.
> >
> > So far this is working for me:
> >
> > /^Subject: your account\s{5,}.{8,8}/ REJECT Mimail Virus Detected
[snip]
>

Just one minor change...

# mimail
/^Subject:\s+.*your account\s{5,}.{8}/ REJECT
/^Content-(Disposition|Type):\s+.*?(file)?name="?.*?message\.zip/ REJECT
# end mimail

And an expression for the attachment. (If you have a separate
mime_header_checks file, the second one goes there.)

They're also PCREs.

Usual disclaimer: YMMV. Caveat Emptor. No warranty, expressed or
implied, as to fitness for any particular use. It's worth what you
paid for it. Etc.

Btw: I leave this one in all the time...

# *Any* zip file: just log a warning...
/^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.zip\b/ WARN

...ever since Sobig.E came as a .zip. This way I know if a particular
.zip file got past before I got the new filter in. For example: today,
after I found out about message.zip and put the new expression in,
I grepped the maillogs for message.zip.

--
Jim Seymour | PGP Public Key available at:
jseymourLinxNet.com | http://www.uk.pgp.net/pgpnet/pks-commands.html
http://jimsun.LinxNet.com |
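Added example, not code from the post or the list: the three header_checks rules above run in Python over constructed headers, unfolding continuation lines the way Postfix presents a logical header to header_checks and matching case-insensitively because Postfix pcre tables default to that. The sample headers and the `check_headers` helper are assumptions for illustration only.

```python
import re

# The three rules from the post, in header_checks order: for each header the
# first matching rule wins. Postfix pcre tables match case-insensitively by
# default, hence re.I.
RULES = [
    (re.compile(r"^Subject:\s+.*your account\s{5,}.{8}", re.I), "REJECT"),
    (re.compile(r'^Content-(Disposition|Type):\s+.*?(file)?name="?.*?message\.zip', re.I), "REJECT"),
    (re.compile(r'^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.zip\b', re.I), "WARN"),
]


def fold_headers(raw):
    """Unfold RFC 822 continuation lines (leading space/tab) so that each
    logical header is one string, as Postfix does before header_checks."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line:
            headers.append(line)
    return headers


def check_headers(raw):
    """Return (header, action) for every logical header that hit a rule."""
    hits = []
    for header in fold_headers(raw):
        for pattern, action in RULES:
            if pattern.search(header):
                hits.append((header, action))
                break  # first matching rule wins for this header
    return hits


# Constructed sample headers (not a real capture) for a stand-alone run.
SAMPLE_MIMAIL = (
    "From: someone@example.invalid\n"
    "Subject: your account            abcd1234\n"
    "Content-Type: application/octet-stream;\n"
    '\tname="message.zip"\n'
)
SAMPLE_OTHER_ZIP = (
    "Subject: weekly report\n"
    'Content-Disposition: attachment; filename="report.zip"\n'
)

if __name__ == "__main__":
    for name, raw in (("mimail", SAMPLE_MIMAIL), ("other zip", SAMPLE_OTHER_ZIP)):
        for header, action in check_headers(raw):
            print(f"{name}: {action} <- {header}")
```

Note that `.{8}` only requires eight further characters of any kind after the run of spaces, so a subject with fewer than eight trailing characters does not trigger the first rule.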