[Esd-l] Re: Procmail Sanitizer local rule for SoBig .ZIP worm
John D. Hardin
jhardin at impsec.org
Fri Jun 27 13:00:39 PDT 2003
On Fri, 27 Jun 2003, Aaron Gladders wrote:
> Today a user complained of a SoBig worm getting through - it was
> because the attachment was labeled "your_details8.zip"
Any static pattern rule will rot.
I recommend the following change:
* 987654321^1 ^Content-(Type|Disposition):.*$.*name *= *"?(your_details|application|document|screensaver|movie)[0-9]*\.zip"?
* 987654321^1 ^Content-(Type|Disposition):.*name *= *"?(your_details|application|document|screensaver|movie)[0-9]*\.zip"?
Note the addition of [0-9]*
Thanks, Aaron!
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The fetters imposed on liberty at home have ever been forged out
of the weapons provided for defense against real, pretended, or
imaginary dangers from abroad.
-- James Madison, 1799
-----------------------------------------------------------------------
494 days until the Presidential Election
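
Added example (not part of the original message, and not code from the Procmail Sanitizer): a Python check of what the [0-9]* change buys, run over constructed attachment headers. The translation of the two conditions into Python `re` syntax, the `OLD` form without the digits and all sample headers are assumptions made for illustration.

```python
import re

# Basenames taken from the rule in the message above.
NAMES = r"(your_details|application|document|screensaver|movie)"
HEAD = r"^Content-(Type|Disposition):.*"

def build(digits):
    """Compile both conditions; `digits` sits between the basename and .zip."""
    tail = r'name *= *"?' + NAMES + digits + r'\.zip"?'
    flags = re.IGNORECASE | re.MULTILINE  # procmail ignores case by default
    return [
        # procmail's "$" matches a newline; rendered here as \r?\n so that
        # name= may sit on the continuation line of a folded header.
        re.compile(HEAD + r"\r?\n.*" + tail, flags),
        # name= on the same line as the header field name.
        re.compile(HEAD + tail, flags),
    ]

OLD = build("")        # assumed earlier form: no digits before .zip
NEW = build("[0-9]*")  # form recommended in the message

def matches(rules, text):
    """True if any of the compiled conditions matches the header text."""
    return any(r.search(text) for r in rules)

# Constructed sample headers (not taken from real traffic).
SAMPLES = {
    "numbered": 'Content-Type: application/x-zip-compressed; name="your_details8.zip"',
    "plain": 'Content-Type: application/zip; name="document.zip"',
    "folded": 'Content-Disposition: attachment;\r\n\tfilename="movie0045.zip"',
    "benign": 'Content-Type: application/zip; name="quarterly_report.zip"',
}

def report():
    """Map each sample label to (matched by OLD, matched by NEW)."""
    return {k: (matches(OLD, v), matches(NEW, v)) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for label, (old, new) in report().items():
        print(f"{label:9} old={old!s:5} new={new}")
```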