On Sat, February 23, 2008 15:52, Dave Koontz wrote:
> I am still getting some Storm Worm messages that are not being caught,
> even with Sane Security / ClamAV.  I thought I'd write a rule to score
> any URL that has a dot exe, scr or pif extension.  However, my rule is
> not working.  Can someone help advise what is wrong?  I want it to
> pick up any http or https with those extensions.
>
> body     Dangerous_URL        /http{1,200}\.(?:exe|scr|pif)/i
> describe Dangerous_URL        Dangerous URL
> score    Dangerous_URL        7.5

Have you tested if the antivirus plugin caught it?

Below is what I have in postfix mime_header_checks:

/filename=\"?(.*)\.(bat|chm|cmd|com|do|exe|hta|jse|rm|scr|pif|vbe|vbs|vxd|xl)\"?$/
 REJECT For security reasons we reject attachments of this type

/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(cpl|lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wav|mov|wmf|xl))"?\s*$/
 REJECT Attachment type not allowed. File "$2" has the unacceptable extension "$3"

Take care of line wraps.
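
Added example, not part of the original messages: a Python check of the posted `Dangerous_URL` regex and the second mime_header_checks pattern against constructed sample lines. The `FIXED` pattern and the function names are assumptions made for illustration, and Python's `re` stands in for the Perl/PCRE engines that SpamAssassin and Postfix use.

```python
import re

# Rule exactly as posted: {1,200} repeats only the "p" before it, so this
# needs "htt", one or more "p", then the dot and extension.
POSTED = re.compile(r"http{1,200}\.(?:exe|scr|pif)", re.I)

# Assumed correction (not from the thread): scheme, up to 200 non-space
# characters, then the extension where the path ends.
FIXED = re.compile(
    r"\bhttps?://\S{1,200}\.(?:exe|scr|pif)(?=[?#\s\"'<>)]|$)", re.I)

# Second mime_header_checks pattern from the reply, rejoined on one line.
# re.I mirrors Postfix, whose regexp/pcre tables ignore case by default.
MIME = re.compile(
    r'^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(cpl|lnk|asd|hlp|ocx'
    r'|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]'
    r'|wav|mov|wmf|xl))"?\s*$', re.I)


def url_hits(text):
    """Return (posted_rule_hit, fixed_rule_hit) for one body line."""
    return bool(POSTED.search(text)), bool(FIXED.search(text))


def rejected_extension(header):
    """Return the extension the header check would reject, or None."""
    m = MIME.search(header)
    return m.group(3).lower() if m else None


# Constructed sample input, not taken from real mail.
BODY_LINES = [
    "Your ecard is waiting: http://203.0.113.5/ecard.exe",
    "Mirror: HTTPS://example.test/files/video.scr?id=7",
    "Docs at http://example.test/setup.exe.html",
    "the literal text http.exe",
]
HEADERS = [
    'Content-Disposition: attachment; filename="photo.jpg.scr"',
    'Content-Type: application/pdf; name="report.pdf"',
]

if __name__ == "__main__":
    for line in BODY_LINES:
        print(url_hits(line), line)
    for header in HEADERS:
        print(rejected_extension(header), header)
```

The posted rule only fires on the literal text `http.exe`, which is why the Storm Worm links pass it; the header pattern catches the double extension because it anchors on the last dot before the end of the line.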

