[Esd-l] SWEN identifier: TO/FROM/SUBJECT
John D. Hardin
jhardin at impsec.org
Wed Sep 24 05:53:15 PDT 2003
On Wed, 24 Sep 2003, Jethro R Binks wrote:
> > However, the attachment always starts with "TVqQAAMAAAAEAAAA".
>
> Most executables do. At this site, we currently have a policy of
> disallowing incoming Windows executables, and we do this with the
> following rule in an exim ACL, which looks for a blank line followed by
> one of these strings (may not be a complete list - replace the ".." with
> " " (space space)):
>
> deny message = This message appears to contain a file that is \
>                considered executable by MS Windows.\n\
>                Our policy is to not accept such files.
>      condition = ${if or { \
>                    { match{$message_body:}{..TVqQAAMAA} } \
>                    { match{$message_body:}{..TVpQAAIAA} } \
>                    { match{$message_body:}{..TVpAALQAc} } \
>                    { match{$message_body:}{..TVrmAU4AA} } \
>                    { match{$message_body:}{..TVrhARwAk} } \
>                    { match{$message_body:}{..TVoFAQUAA} } \
>                    { match{$message_body:}{..TVoAAAQAA} } \
>                    { match{$message_body:}{..TVoAAAQAA} } \
>                    { match{$message_body:}{..TVoIARMAA} } \
>                    { match{$message_body:}{..TVrQAT8AA} } \
>                    { match{$message_body:}{..TVpyAXkAX} } \
>                  }{yes}{no}}
Similar tests are in the "Windows Executable Magic" filter in the
sanitizer.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
43 days until Matrix Revolutions