From: MrC (lists-postfix cappella.us)
Date: Thu Jan 24 2008 - 14:11:47 CST
Noel Jones wrote:
> Victor Duchovni wrote:
>> On Thu, Jan 24, 2008 at 02:37:59PM +0700, Truong Tan Son wrote:
>>
>
> Here again is the expression I've posted several times in the past.
> This includes all the extensions that Windows treats as "executable".
> (Note that Office documents can embed executables, and many other
> extensions auto-launch the registered program. But these extensions are
> executed directly, so are most dangerous).
>
> # block windows executables PCRE
> # the funky 'xdigit' expression is to catch Windows CLSID's
> /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
>     ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
>     hlp|ht[at]|
>     inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
>     \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
>     ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
>     vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
>     REJECT Attachment name "$2" may not end with ".$4"
>
Since we're going the whole nine yards, here are a few other considerations:
+ Consider also asd|app|ani|cur|ico|emf|fxp|grp|mda|ocx|prg|wmf
+ Add app, and group adp, asp, app into a[dps]p
+ Add mda and mdz into md[abetwz]
+ Add prg and group prf and prg into pr[fg]
+ Group com and chm into c[oh]m
+ Group bas and bat into ba[st]
+ Group inf and ins into in[fs]
The updated expression is:
# block windows executables PCRE
# the funky 'xdigit' expression is to catch Windows CLSID's
/^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
    ade|a[dps]p|asd|ani|ba[st]|c[ho]m|cmd|cpl|crt|cur|dll|emf|exe|
    fxp|grp|hlp|ht[at]|
    ico|in[fs]|isp|jse?|lnk|md[abetwz]|ms[cipt]|nws|
    \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
    ocx|ops|pcd|pif|pr[fg]|reg|sc[frt]|sh[bsm]|swf|
    vb[esx]?|vxd|wmf|ws[cfh]))(\?=)?"?\s*(;|$)/x
    REJECT Attachment name "$2" may not end with ".$4"
MrC
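
A way to regression-test the updated expression before loading it into header_checks, as an added example that is not part of the original post: a Python port run over constructed headers. It assumes Postfix's default case-insensitive matching for pcre tables (re.I) and writes [[:xdigit:]] as [0-9a-f]; the names `check` and `verdict` are illustrative.

```python
import re

# Python port of the updated expression. Assumptions: Postfix pcre tables
# match case-insensitively by default (hence re.I), and [[:xdigit:]] is
# written [0-9a-f] because Python's re has no POSIX classes.
BLOCKED = re.compile(r"""
    ^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
    ade|a[dps]p|asd|ani|ba[st]|c[ho]m|cmd|cpl|crt|cur|dll|emf|exe|
    fxp|grp|hlp|ht[at]|
    ico|in[fs]|isp|jse?|lnk|md[abetwz]|ms[cipt]|nws|
    \{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}|
    ocx|ops|pcd|pif|pr[fg]|reg|sc[frt]|sh[bsm]|swf|
    vb[esx]?|vxd|wmf|ws[cfh]))(\?=)?"?\s*(;|$)
    """, re.X | re.I)

def check(header):
    """Return (name, ext) as $2 and $4 would expand, or None if no match."""
    m = BLOCKED.search(header)
    return (m.group(2), m.group(4)) if m else None

def verdict(header):
    """Render the action text the table entry would produce."""
    hit = check(header)
    if hit is None:
        return "(no match)"
    return 'REJECT Attachment name "%s" may not end with ".%s"' % hit

# Constructed sample headers, one unfolded logical header per string.
SAMPLES = [
    'Content-Type: application/octet-stream; name="invoice.pdf.exe"',
    'Content-Disposition: attachment; filename=SETUP.EXE',
    'Content-Type: application/octet-stream; name="=?utf-8?Q?update=2Escr?="',
    'Content-Disposition: attachment; filename="notes.txt.{01234567-89AB-CDEF-0123-456789ABCDEF}"',
    'Content-Type: application/x-msdownload; name="tool.bat"; charset=us-ascii',
    'Content-Type: application/pdf; name="report.pdf"',
    'Content-Disposition: attachment; filename="example.com.txt"',
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(verdict(h), "<-", h)
```

The last two samples confirm that a harmless extension, or a blocked extension that is not the final one, passes through.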