I've modified mimedefang-filter so it blocks ZIP files with executables. It's ugly as hell (I do not know perl - it's copy-paste programming) but it works. It uses the zipinfo command to extract filenames. Have a look at the diff below.
It blocks all recent Mydoom mails. Regards Tometzky -- ...although Eating Honey was a very good thing to do, there was a moment just before you began to eat it which was better than when you were... Winnie the Pooh
--- mimedefang-filter.orig Tue Jan 27 16:45:56 2004
+++ mimedefang-filter Tue Jan 27 16:49:42 2004
@@ -148,6 +148,46 @@
 return (wantarray ? (0, 'ok', 'ok') : 0);
 }
+sub zip_filter_bad_filename ($) {
+ my($entity) = @_;
+ unless ( re_match($entity, '\.' . 'zip' . '\.*([^-A-Za-z0-9_.,]|$)') ) {
+ return 0;
+ }
+
+ my($body) = $entity->bodyhandle;
+ if (!defined($body)) {
+ return 0;
+ }
+
+ # Get filename
+ my($path) = $body->path;
+ if (!defined($path)) {
+ return 1;
+ }
+
+ # Run zipinfo
+ my($code, $category, $action) =
+ run_virus_scanner( "zipinfo $path" );
+ if ($action ne 'proceed') {
+ return $code;
+ }
+ if ($code) {
+ return $code;
+ }
+
+ # Bad extensions
+ $bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|\{[^\}]+\})';
+
+ # Do not allow:
+ # - CLSIDs {foobarbaz}
+ # - bad extensions (possibly with trailing dots) at end or
+ # followed by non-alphanum
+ $re = '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,]|$)';
+ return 1 if $VirusScannerMessages =~ /$re/i;
+
+ return 0;
+}
+
 #***********************************************************************
 # %PROCEDURE: filter_begin
 # %ARGUMENTS:
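Review bot: Every failure path in zip_filter_bad_filename returns a true value, so an undefined `$path`, a non-`proceed` (tempfail) result from run_virus_scanner, or zipinfo being absent or exiting non-zero on a corrupt archive are all reported to the caller exactly like a forbidden entry, and the caller turns them into a permanent 554 "not allowed file(s)" reject. Keep those branches distinguishable from a policy hit, e.g. log the scanner output with `md_syslog('warning', "zipinfo on $path failed: $VirusScannerMessages");` and return a distinct value the caller maps to action_tempfail, reserving the bounce for an actual regex match. `$bad_exts` and `$re` are assigned without `my` (the `my($bad_exts, $re);` line from the filter_bad_filename original appears to have been lost in the copy), which will fail under `use strict` if the filter enables it. `$path` is interpolated into a shell command string; MIMEDefang generates these working-file names itself, but writing `"zipinfo \Q$path\E"` keeps any unexpected shell metacharacter inert, assuming run_virus_scanner hands the string to a shell.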
@@ -243,6 +283,12 @@
 if (filter_bad_filename($entity)) {
 md_graphdefang_log('bad_filename', $fname, $type);
 return action_quarantine($entity, "An attachment named $fname was removed from this document as it\nconstituted a security hazard. If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
+ }
+
+ if (zip_filter_bad_filename($entity)) {
+ md_graphdefang_log('bad_filename', $fname, $type);
+ action_bounce("Access denied. Archive $fname with not allowed file(s).", "554", "5.7.1");
+ return action_discard();
 }
 # eml is bad if it's not multipart
_______________________________________________ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
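Review bot: The new branch rejects the whole message with a permanent 554 on any true return from zip_filter_bad_filename, but that function (first hunk) also returns true when `$path` is undefined or when zipinfo fails or exits non-zero, so a corrupt or merely misnamed .zip attachment from a legitimate sender gets the "not allowed file(s)" reply; the filter_bad_filename branch just above quarantines instead, which is the safer default for those ambiguous cases. `$fname` is the sender-supplied attachment name and is copied verbatim into the SMTP reply text, which must stay a single line, so strip control characters and non-ASCII from it before interpolating unless action_bounce already sanitizes its argument. Logging both checks under the same 'bad_filename' tag hides how many rejections came from the archive check; `md_graphdefang_log('bad_archive', $fname, $type);` keeps them separable in syslog. The enclosing filter sub starts and ends outside this hunk.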