[Esd-l] SWEN identifier: TO/FROM/SUBJECT
Jethro R Binks
jethro.binks at strath.ac.uk
Wed Sep 24 05:18:12 PDT 2003
On Wed, 24 Sep 2003, Scott Taylor wrote:
> On Tue, 23 Sep 2003, John Downing wrote:
>
> Same here. However, the attachment always starts with "TVqQAAMAAAAEAAAA".
Most executables do. At this site, we currently have a policy of
disallowing incoming Windows executables, and we do this with the
following rule in an exim ACL, which looks for a blank line followed by
one of these strings (may not be a complete list - replace the ".." with
" " (space space)):
    deny  message = This message appears to contain a file that is \
                    considered executable by MS Windows.\n\
                    Our policy is to not accept such files.
          condition = ${if or { \
              { match{$message_body:}{..TVqQAAMAA} } \
              { match{$message_body:}{..TVpQAAIAA} } \
              { match{$message_body:}{..TVpAALQAc} } \
              { match{$message_body:}{..TVrmAU4AA} } \
              { match{$message_body:}{..TVrhARwAk} } \
              { match{$message_body:}{..TVoFAQUAA} } \
              { match{$message_body:}{..TVoAAAQAA} } \
              { match{$message_body:}{..TVoAAAQAA} } \
              { match{$message_body:}{..TVoIARMAA} } \
              { match{$message_body:}{..TVrQAT8AA} } \
              { match{$message_body:}{..TVpyAXkAX} } \
            }{yes}{no}}
Jethro.
>
> Although, I fail to see what difference it makes as John's Sanitizer rules
> pick it up every time.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK
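
Added example (not part of the original post, and not the poster's or exim's code): every string in the rule above begins with TVo, TVp, TVq or TVr because those are the only ways base64 can encode data starting with the two bytes "MZ". The Python sketch below derives that set and checks the base64 parts of a message by decoding the start of each one instead of listing known strings; the function names and the sample message are constructed for illustration.

```python
import base64
import email
from email import policy
from email.message import EmailMessage

def mz_base64_prefixes():
    """First three base64 characters of any data that starts with b'MZ'.
    The third character carries the low 4 bits of 'Z' plus the top 2 bits of
    the following byte, so only four values are possible."""
    return sorted({base64.b64encode(b"MZ" + bytes([b]))[:3].decode()
                   for b in range(256)})

def starts_with_mz_b64(b64_text):
    """True if the base64 text decodes to data beginning with the 'MZ' magic."""
    head = "".join(b64_text.split())[:4]      # first 4 chars decode to 3 bytes
    if len(head) < 4:
        return False
    try:
        return base64.b64decode(head, validate=True)[:2] == b"MZ"
    except ValueError:                        # not valid base64
        return False

def find_mz_parts(raw_message):
    """Return (filename, content type) of each base64 part that starts with MZ."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        if cte == "base64" and starts_with_mz_b64(part.get_payload(decode=False)):
            hits.append((part.get_filename(), part.get_content_type()))
    return hits

def build_sample():
    """Constructed test message: one MZ-headed attachment, one PNG-headed one."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text body")
    msg.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00" + bytes(52),
                       maintype="application", subtype="octet-stream",
                       filename="constructed-sample.exe")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + bytes(56),
                       maintype="image", subtype="png",
                       filename="constructed-sample.png")
    return msg.as_bytes()

if __name__ == "__main__":
    print(mz_base64_prefixes())
    print(find_mz_parts(build_sample()))
```

The check only covers parts declared as base64; a file renamed or wrapped in an archive does not start with "MZ" and is not matched.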