Re: Warning Worm/MyDoom.A1 spreading very fast!
From: Mike Vanecek (postfix_list@mm-vanecek.cc)
Date: Mon Feb 02 2004 - 12:24:56 CST
On Fri, 30 Jan 2004 22:57:49 +0100, Luca Berra wrote
> On Wed, Jan 28, 2004 at 03:50:30PM -0600, Mike Vanecek wrote:
> >/AAAAAAAAyAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9n...........
> > DISCARD VIRUS (W32/Bagle@MM)
> >
> shouldn't this expression be tied to the beginning of the line?
> /^AAAAAAAAyAAAAA4fug4AtAnNIbgBTM0hVGhpcyB......
>
> else it would be impossible following this thread
>On Fri, 30 Jan 2004 23:17:35 +0100, Luca Berra wrote
>> On Wed, Jan 28, 2004 at 03:50:30PM -0600, Mike Vanecek wrote:
>>
>>/^(UEsDBAoAAAAAA|ApIAUCZKAEAD\/bJpmiwQBPQl6AEAS85pmm7ZH8gqwAO4sKimaZqmoJiQiICapmmaeHBoYFhQzWCf)/
>> > DISCARD VIRUS (W32/Mydoom@MM)
>>
>> and this rule sucks,
>> it effectively blocks message based only on "UEsDBAoAAAAAA" which is
>> far too common in zip files to be a valid pattern....
On Sat, 31 Jan 2004 15:40:51 +0100, Loic Minier wrote
> Luca Berra <bluca@comedia.it> - Fri, Jan 30, 2004:
>
> > shouldn't this expression be tied to the beginning of the line?
>
> yes it should, this is a line of a base64 attachment.
>
> > else it would be impossible following this thread
>
> It should not be a problem since MUA should not send bodies with
> more than 72 chars on the same line.
I found the original poster that suggested the body_checks. He agreed about
the comments and created updated ones at:
http://psi.com.br/~julio/postfix/body_checks
His posts on the topic can be found at:
http://marc.theaimsgroup.com/?l=amavis-user&m=107551936328982&w=2
http://marc.theaimsgroup.com/?l=amavis-user&m=107553025605391&w=2
HTHs & YMMV.
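
An added example, not part of the original thread or of the linked body_checks file, that reproduces the two objections quoted above: an unanchored pattern discards a reply that merely quotes the rule, and the `UEsDBAoAAAAAA` alternative fires on a harmless ZIP attachment. Python's `re` stands in for Postfix's regexp/pcre tables (an assumption), and the quoted reply and the ZIP entry are constructed samples.

```python
import base64
import re
import struct
import zlib

# Patterns copied from the thread without the /.../ delimiters. The Bagle
# pattern is elided on the page, so only its visible prefix is used.
BAGLE_PREFIX = r"AAAAAAAAyAAAAA4fug4AtAnNIbgBTM0hVGhpcyB"
MYDOOM_SPECIFIC = (r"ApIAUCZKAEAD\/bJpmiwQBPQl6AEAS85pmm7ZH8gqwAO4"
                   r"sKimaZqmoJiQiICapmmaeHBoYFhQzWCf")
MYDOOM_RULE = "^(UEsDBAoAAAAAA|" + MYDOOM_SPECIFIC + ")"

# Constructed sample: a plain-text reply that quotes the rule under discussion.
QUOTED_REPLY = ("On Wed, Jan 28, 2004, someone wrote:\n"
                "> >/" + BAGLE_PREFIX + "/\n"
                "> > DISCARD VIRUS\n")


def first_match(pattern, body):
    """Return the first body line the pattern hits, or None.

    Assumption: mimics body_checks by testing one line at a time,
    case-insensitively (the regexp/pcre table default)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return next((ln for ln in body.splitlines() if rx.search(ln)), None)


def benign_zip_attachment():
    """Constructed sample: base64 lines of a harmless stored ZIP entry."""
    name, data = b"notes.txt", b"quarterly meeting notes\n" * 8
    header = struct.pack(
        "<IHHHHHIIIHH",
        0x04034B50,      # "PK\x03\x04" local file header signature
        10, 0, 0,        # version needed 1.0, no flags, method 0 (stored)
        0x6000, 0x3042,  # DOS time 12:00:00, DOS date 2004-02-02
        zlib.crc32(data), len(data), len(data), len(name), 0)
    return base64.encodebytes(header + name + data).decode("ascii")


if __name__ == "__main__":
    zip_body = benign_zip_attachment()
    checks = [
        ("unanchored Bagle prefix vs quoted reply", BAGLE_PREFIX, QUOTED_REPLY),
        ("anchored Bagle prefix vs quoted reply", "^" + BAGLE_PREFIX, QUOTED_REPLY),
        ("full Mydoom rule vs benign zip", MYDOOM_RULE, zip_body),
        ("long alternative only vs benign zip", "^" + MYDOOM_SPECIFIC, zip_body),
    ]
    for label, pattern, body in checks:
        hit = first_match(pattern, body)
        print(f"{label}: {'DISCARD on ' + repr(hit) if hit else 'pass'}")
```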