[Esd-l] URG: Updated novarg local rule for sanitizer
Philip Choy
plchoy at income.com.sg
Tue Jan 27 10:06:30 PST 2004
That is what I did to filter all those novarg esp. hated bounced mails
containing zip files.
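# B: test the message body; D: distinguish case (base64 is case-sensitive).
# First condition: a body line starting with the base64 of a ZIP header.
# Second condition: a body line starting with one of four base64 runs;
# the alternation is continued across lines with trailing backslashes.
:0BD
* ^UEsDBAoAAAAAA
* ^(ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA|\
ALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAqAAAAAAAAAAAAAAA|\
AAAAA|\
uAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACoAAAAAAAAAAAAAAAA)
/filtered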
Once you are satisfied with it, you may replace /filtered with /dev/null to save
disk space.
Phil.
----- Original Message -----
From: "John D. Hardin" <jhardin at impsec.org>
To: "Email Security Discussion list" <Esd-l at spconnect.com>
Sent: Tuesday, January 27, 2004 10:08 PM
Subject: [Esd-l] URG: Updated novarg local rule for sanitizer
> All:
>
> Based on what made it through overnight I have updated the rule a bit.
> See the attachment or grab the recommended rules file.
>
> Unfortunately it seems to be using some random filenames, so I will be
> looking for signature strings in the base64 attachment body. Keying
> off the filename won't be enough.
>
> You may wish to consider adding "zip" to your local non-whitelisted
> mangle extensions list for a week or so until this starts to die down.
>
> --
> John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
> jhardin at impsec.org pgpk -a jhardin at impsec.org
> key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
> "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
> does quite what I want. I wish Christopher Robin was here."
> -- Peter da Silva in a.s.r
> -----------------------------------------------------------------------
> 67 days until the Slovakian Presidential Election
>
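Added example, not part of the original messages or of the sanitizer's own rules: because the file data in a ZIP follows a variable-length filename, the same bytes can land at three different base64 alignments, which is why matching signature strings in the attachment body needs more than one alternative. The sketch below derives all three variants of a byte signature; the sample signatures and the function names are assumptions made for illustration.

```python
import base64

def b64_variants(sig: bytes) -> list[str]:
    """Base64 text `sig` yields at stream offsets 0, 1 and 2 (mod 3),
    trimmed to the characters that depend on `sig` alone."""
    variants = []
    for offset in range(3):
        padded = b"\x00" * offset + sig   # filler stands in for unknown preceding bytes
        enc = base64.b64encode(padded).decode("ascii")
        start = (0, 2, 3)[offset]         # leading chars that carry filler bits
        # trailing chars that would carry bits of whatever follows, plus '=' padding
        end = len(enc) - (0, 3, 2)[len(padded) % 3]
        variants.append(enc[start:end])
    return variants

def procmail_condition(sig: bytes) -> str:
    """Unanchored body condition covering all three alignments of `sig`."""
    alts = [v.replace("+", "\\+") for v in b64_variants(sig)]  # '+' is a regex operator
    return "* (" + "|".join(alts) + ")"

def offsets_covered(sig: bytes, alternatives: list[str]) -> list[int]:
    """Offsets (mod 3) of `sig` that at least one existing alternative matches."""
    return [i for i, v in enumerate(b64_variants(sig))
            if any(v in alt for alt in alternatives)]

# Constructed sample signatures (assumptions, not taken from a captured message).
# ZIP local file header: "PK\003\004", version 1.0, no flags, method low byte 0.
ZIP_PREFIX = b"PK\x03\x04\x0a\x00\x00\x00\x00"
# B8, seven zero bytes, 40: the run the rule's two long alternatives start with
# (assumed here to be fields of an executable's DOS header).
RUN = bytes.fromhex("b8" + "00" * 7 + "40")

# Leading characters of the two long alternatives in the rule above
# (each contains a run of nine 'A' characters).
PAGE_ALTS = ["ALg" + "A" * 9 + "QAAA", "u" + "A" * 9 + "BAAAAA"]

if __name__ == "__main__":
    print(b64_variants(ZIP_PREFIX)[0])     # compare with the rule's first condition
    print(offsets_covered(RUN, PAGE_ALTS)) # alignments the existing alternatives match
    print(procmail_condition(RUN))         # condition covering every alignment
```

The printed condition can be added as an extra `*` line in a `:0BD` recipe. A signature that straddles a base64 line break is not matched by any of the three variants.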