[Esd-l] Procmail Sanitizer local rule for SoBig .ZIP worm
Smart,Dan
SmartD at VMCMAIL.com
Fri Jun 27 07:46:19 PDT 2003
John, one more question.
I'm reading the syntax for the poisoned and stripped lists, where the "." is replaced by
the "?" operator. Is there an operator for the 0-or-1-instance function of the
normal "?" operator?
Also, you have *.exe in the poisoned list, but also have specific entries
like *.[a-z][a-z][a-z0-9].exe and amateurs.exe. Isn't that redundant?
Won't *.exe catch anything ending in .exe?
TIA
<<Dan>>
|
| -----Original Message-----
| From: John D. Hardin [mailto:jhardin at impsec.org]
| Sent: Thursday, June 26, 2003 5:05 PM
| To: Smart,Dan
| Cc: Email Security Discussion list
|
| On Thu, 26 Jun 2003, Smart,Dan wrote:
|
| > Can I do the same with the sendmail test, remove hfi from the first
| > condition, and put it before the formail commands...
| >
| > :0
| > * ^((resent-)?(sender|from|(reply-)?to|cc|bcc)|(errors|disposition-notification|apparently)-to|Return-Path): .*<>.*<>.*<>.*<>.*<>.*\(.*\)
| > {
| >   LOG="TRAPPED: Probable sendmail header exploit"
| >   :0 hfi
| >   | formail -A "X-Content-Security: [$HOST] NOTIFY" \
| >     -A "X-Content-Security: [$HOST] QUARANTINE" \
| >     -A "X-Content-Security: [$HOST] REPORT: Trapped possible sendmail header exploit"
| > }
|
| That should work.
|
| --
| John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
| jhardin at impsec.org pgpk -a jhardin at impsec.org
| key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
| -----------------------------------------------------------------------
| The fetters imposed on liberty at home have ever been forged out
| of the weapons provided for defense against real, pretended, or
| imaginary dangers from abroad.
| -- James Madison, 1799
| -----------------------------------------------------------------------
| 495 days until the Presidential Election
|
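The sendmail header condition from the quoted recipe, translated to Python so it can be run against constructed header samples offline. This is an added example, not code from the thread or from the Procmail Sanitizer; it also unfolds RFC 822 continuation lines before matching, which is an addition to the quoted one-line procmail condition.

```python
import re

# The condition from the quoted procmail recipe. procmail conditions are
# case-insensitive and "^" anchors at the start of each header line, hence
# IGNORECASE | MULTILINE here.
SENDMAIL_HEADER_EXPLOIT = re.compile(
    r"^((resent-)?(sender|from|(reply-)?to|cc|bcc)"
    r"|(errors|disposition-notification|apparently)-to"
    r"|Return-Path): .*<>.*<>.*<>.*<>.*<>.*\(.*\)",
    re.IGNORECASE | re.MULTILINE,
)


def unfold(headers: str) -> str:
    """Join folded continuation lines (those starting with whitespace) onto the
    preceding header line, so a pattern spread over several physical lines is
    still seen as one logical header. Assumption: plain LF or CRLF input."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)


def is_probable_sendmail_header_exploit(headers: str) -> bool:
    """True when an address header shows the five-empty-address, comment-bearing
    shape the recipe traps (the same LOG="TRAPPED: ..." case as in the recipe)."""
    return SENDMAIL_HEADER_EXPLOIT.search(unfold(headers)) is not None


# Constructed sample header blocks (not real mail).
BENIGN = (
    "From: Dan <dan@example.invalid>\n"
    "To: list@example.invalid\n"
    "Subject: Sanitizer question\n"
)
SUSPECT = (
    "From: <><><><><> (comment)\n"
    "To: list@example.invalid\n"
)
# Same shape, but folded across two physical lines: the per-line procmail
# condition alone would not see all five "<>" on one line.
FOLDED = (
    "To: <><><>\n"
    "\t<><> (comment)\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT), ("folded", FOLDED)):
        print(name, "->", "TRAPPED" if is_probable_sendmail_header_exploit(sample) else "pass")
```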