On Sat, February 23, 2008 15:52, Dave Koontz wrote:
> I am still getting some Storm Worm messages that are not being caught,
> even with Sane Security / ClamAV. I thought I'd write a rule to score
> any URL that has a dot exe, scr or pif extension. However, my rule is
> not working. Can someone help advise what is wrong? I want it to
> pickup any http or https with those extensions.
>
> body Dangerous_URL /http{1,200}\.(?:exe|scr|pif)/i
> describe Dangerous_URL Dangerous URL
> score Dangerous_URL 7.5

Have you tested if the antivirus plugin caught it?

Below is what I have in postfix mime_header_checks:

/filename=\"?(.*)\.(bat|chm|cmd|com|do|exe|hta|jse|rm|scr|pif|vbe|vbs|vxd|xl)\"?$/
    REJECT For security reasons we reject attachments of this type

/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(cpl|lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wav|mov|wmf|xl))"?\s*$/
    REJECT Attachment type not allowed. File "$2" has the unacceptable extension "$3"

Take care of line wraps.