On 9/28/10 9:14 AM, "Dennis Peterson" <denni...@inetnw.com> wrote:
> On 9/28/10 5:40 AM, Daniel McDonald wrote:
>>
>> On 9/28/10 2:05 AM, "Dennis Peterson"<denni...@inetnw.com> wrote:
>>
>>> On 9/27/10 11:55 PM, Török Edwin wrote:
>>>> On Tue, 28 Sep 2010 04:36:15 +0200
>>>
>>>> If you want to reject by content, you can do that as well (only for
>>>> nonencrypted archives of course) by writing a signature for your
>>>> filetype, and treating it as if it was a virus.
>>>
>>> Rather than depend on file extensions that are rather meaningless, it
>>> seems a better idea to build a Kessler signature file using file
>>> signatures from this list:
>>>
>>> http://www.garykessler.net/library/file_sigs.html
>>>
>>
>> Amavisd-new gets around that by calling file and adding the type returned as
>> meta-data that can be matched. So, embed an .emf with no extension in an
>> .xlsx? Amavis will recognize it as an .emf in a zip archive.
>>
>
> Gary's list is one of the resources used in the file utility. But some file
> programs have not been updated in a long time. Solaris 10's /etc/magic file is
> dated 2006, for example, and Solaris 9 is from Y2K. My OS X Snow Leopard magic
> files are dated May 18, 2009, and RHEL5 are April, 2009. It would be a good
> idea

Good call. I checked Mandriva Enterprise Server and the distro provided
version 4.23, from late 2008. I've upgraded to file 5.0.4, the most recent
released by the file project, with a release date in 2010.

> to take some ownership of that by way of checking file types that may interest
> you and your mail users.

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
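
The content-based typing discussed in this thread (an extensionless .emf inside an .xlsx being recognized as an EMF in a zip archive, with encrypted members left uninspectable), as an added example that is not code from the thread, ClamAV, Amavisd-new or the file utility. The function names, the size cap and the two-entry signature table are assumptions made for illustration; the sample archive is constructed in memory.

```python
import io
import struct
import zipfile

# Constructed subset of magic numbers (offset, bytes, label); not a full magic database.
SIGNATURES = [
    (0, b"PK\x03\x04", "zip"),
    (0, b"%PDF-", "pdf"),
]
MAX_MEMBER = 10 * 1024 * 1024  # assumed cap so a huge member is not decompressed

def identify(data):
    """Classify bytes by content only; the file name is never consulted."""
    # EMF: EMR_HEADER record type 1 at offset 0 plus the " EMF" signature at offset 40.
    if data[:4] == b"\x01\x00\x00\x00" and data[40:44] == b" EMF":
        return "emf"
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    return "unknown"

def scan(data, name, depth=0, max_depth=3):
    """Return (path, type) for data and, if it is a zip, for each member."""
    kind = identify(data)
    found = [(name, kind)]
    if kind != "zip" or depth >= max_depth:
        return found
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                path = f"{name}/{info.filename}"
                if info.flag_bits & 0x1:  # encrypted: content cannot be inspected
                    found.append((path, "encrypted"))
                elif info.file_size > MAX_MEMBER:
                    found.append((path, "too-large"))
                else:
                    found.extend(scan(zf.read(info), path, depth + 1, max_depth))
    except zipfile.BadZipFile:
        found.append((name, "corrupt-zip"))
    return found

def build_sample_xlsx():
    """Constructed sample: a zip shaped like an .xlsx with an extensionless EMF inside."""
    emf = struct.pack("<II", 1, 88) + b"\x00" * 32 + b" EMF" + b"\x00" * 44
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/media/image1", emf)
    return buf.getvalue()
```

Calling `scan(build_sample_xlsx(), "report.xlsx")` lists the container as `zip` and `xl/media/image1` as `emf`, which is the metadata a mail filter policy would then match on.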