Re: Battling SoBig.f induced bandwidth problems
From: Alex Kramarov (alex at incredimail.com)
Date: Wed Aug 20 2003 - 14:55:26 CDT
Dear *Hobbit*,
My post was not to teach people how to block exe attachments, although I
already do that, and, in fact, one of the headerchecks I provided in my
initial post was in fact blocking all executable content; I have even
explicitly stated that. My post was how to counter the bandwidth problems
inflicted by SoBig.F, only. I suggest you read the thread again.
Alex.
----- Original Message -----
From: "*Hobbit*" <hobbit at avian.org>
To: <alex at incredimail.com>; <postfix-users at postfix.org>
Sent: Wednesday, August 20, 2003 12:05 PM
Subject: Re: Battling SoBig.f induced bandwidth problems
> Fighting it via Subject: headers, as I've pointed out privately to
> numerous people, is naive. You need to reject the EXECUTABLE CONTENT,
> and by that I mean ANY executable content, and back it up with a site
> policy that you don't accept executable attachments anymore, period. That
> means that the self-extracting-archive aficionados are SCREWED. Too bad,
> it's time to find a safer way to transfer your content. Throw 'em up
> on a webserver or something and point your correspondents at a URL.
>
> These two body_checks regexes detect several real-life observed VARIANTS
> of winbloze PE headers and are THE most reliable way I've found to nail
> this stuff:
>
> /^TV[nopqr]....[AB]..A.A....*AAAA...*AAAA/i REJECT EXE files denied
> /^M35[GHIJK].`..`..*````/i REJECT EXE files denied
>
> This deals with base64 and UUencoded attachments [they could come at
> you in either form, remember, and there may be others that LookOut
> auto-decodes behind your back].
>
> You should ALSO be checking/stripping/rejecting the attachment filenames,
> just to be extra-sure. I'm still waiting for when someone handcrafts
> an .exe header that somehow doesn't trigger on the standard PE header
> but still runs behind your back under LookOut.
>
> It may also be that .ZIP is now just as dangerous, but I haven't gotten
> coherent feedback on whether .exes inside .zip attachments can auto-run.
> If the end wetware goes to the trouble of clicking his way far enough
> to do it manually, then the problem exists elsewhere.
>
> _H*
>
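The two body_checks patterns quoted above, exercised against a constructed DOS header in both encodings that Hobbit mentions (base64 and uuencode). This is an added example, not code from either poster; the header bytes, line splitting and helper names are constructed here to show what each pattern actually keys on and why a plain-text attachment passes.

```python
import base64
import binascii
import re

# The two body_checks patterns from the quoted message, as Python regexes.
# Postfix tests them against each body line; /i makes them case-insensitive.
PATTERNS = [
    ("base64", re.compile(r"^TV[nopqr]....[AB]..A.A....*AAAA...*AAAA", re.I)),
    ("uuencode", re.compile(r"^M35[GHIJK].`..`..*````", re.I)),
]

# Constructed sample: the first 64 bytes of a typical DOS/PE header
# ("MZ" magic followed by the usual zero-heavy fields). Not a real binary.
DOS_HEADER = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00" + b"\x00" * 36
)


def base64_lines(data, width=76):
    """Encode data as a MIME base64 body, split into 76-column lines."""
    text = base64.b64encode(data).decode("ascii")
    return [text[i:i + width] for i in range(0, len(text), width)]


def uuencode_lines(data):
    """Encode data as uuencode body lines (45 raw bytes per line).

    backtick=True mirrors the classic uuencode convention of '`' for a
    zero group, which is what the second pattern keys on ("MZ" -> "M35J").
    """
    return [
        binascii.b2a_uu(data[i:i + 45], backtick=True).decode("ascii").rstrip("\n")
        for i in range(0, len(data), 45)
    ]


def body_check(lines):
    """Return (pattern_name, line) for the first line a pattern would REJECT, else None."""
    for line in lines:
        for name, pattern in PATTERNS:
            if pattern.search(line):
                return name, line
    return None


if __name__ == "__main__":
    for label, lines in (("base64", base64_lines(DOS_HEADER)),
                         ("uuencode", uuencode_lines(DOS_HEADER)),
                         ("plain text", base64_lines(b"just a text attachment\n" * 4))):
        print(label, "->", body_check(lines))
```

The first base64 line of the header begins "TVqQAAMAAAAEAAAA", and the first uuencode line begins "M35J0", which is exactly the prefix each pattern anchors on; the text attachment encodes to neither and is left alone.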