On Fri, Sep 26, 2003 at 12:54:42PM -0400, Derrick 'dman' Hudson wrote:
> On Thu, Sep 25, 2003 at 11:39:08PM -0700, Ross Boylan wrote:
>
> | I just received a MS upgrade worm that appears to have a complete
> | executable that's 0.1k. So the whole message is quite brief.
>
> Are you sure there was really an executable in that message? I've
> received quite a few similar messages, except there is absolutely no
> content in the .exe mime part.

There was an .exe file that mutt said was .1k. I didn't try to
actually run it. I figured it probably connects to the net and
bootstraps the whole virus.

>
> BTW, a rule like this in your mail system's mime header checks is
> quite effective against certain forms of trash :
>     /^Content-Type: .*x-(?:wav|midi);.*\.exe\b/    DISCARD LookOut! exploit
>     /^Content-Type: .*x-wav;.*\.txt\b/             DISCARD LookOut! exploit
> (this particular syntax is a pcre map in postfix (>= 2.0) mime_header_checks)

Thanks. I'm still getting the hang of how far mailfilter can look
down in the message. I also wish it had a more sophisticated control
syntax with if's, and's, or's...

>
> -D
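The two quoted rules can be tried against sample headers before they go into a live map. The following is an added example, not part of the original thread and not Postfix code: it emulates the matching with Python's `re`, and the function names, the simplified MIME splitting, the flag choice and the sample messages are all assumptions made for illustration.

```python
import re

# The two rules quoted in the message, as (pattern, action) pairs.
# Assumption: IGNORECASE and DOTALL stand in for the pcre map's default flags.
RULES = [
    (r"^Content-Type: .*x-(?:wav|midi);.*\.exe\b", "DISCARD LookOut! exploit"),
    (r"^Content-Type: .*x-wav;.*\.txt\b", "DISCARD LookOut! exploit"),
]
COMPILED = [(re.compile(p, re.I | re.S), a) for p, a in RULES]

def logical_headers(raw):
    """Yield each header as one string, continuation lines joined (simplified)."""
    current, in_headers = None, True
    for line in raw.splitlines():
        if in_headers:
            if line[:1] in (" ", "\t") and current is not None:
                current += "\n" + line          # folded continuation line
                continue
            if current is not None:
                yield current
                current = None
            if line == "":
                in_headers = False              # blank line ends a header block
            else:
                current = line
        elif line.startswith("--") and not line.endswith("--"):
            in_headers = True                   # MIME boundary: part headers follow
    if current is not None:
        yield current

def check(raw):
    """Return the action of the first rule matching any header, else None."""
    for header in logical_headers(raw):
        for rx, action in COMPILED:
            if rx.search(header):
                return action
    return None

# Constructed sample messages (not taken from any real mail).
TOP = 'From: sender@example.invalid\nContent-Type: multipart/mixed; boundary="b1"\n\n'
PART = "--b1\nContent-Type: {}\nContent-Transfer-Encoding: base64\n\n--b1--\n"
WORM = TOP + PART.format('audio/x-wav;\n\tname="update.exe"')
PLAIN_EXE = TOP + PART.format('application/octet-stream; name="update.exe"')
WAV_TXT = TOP + PART.format('audio/x-wav; name="notes.txt"')

if __name__ == "__main__":
    for name, msg in [("WORM", WORM), ("PLAIN_EXE", PLAIN_EXE), ("WAV_TXT", WAV_TXT)]:
        print(name, "->", check(msg))
```

The `PLAIN_EXE` sample passes untouched: the rules only fire when an audio type is paired with an `.exe` or `.txt` name, so an executable sent with an ordinary attachment type needs its own rule.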