[Mimedefang] Danger of .vcs files?

Matthew.van.Eerde at hbinc.com Matthew.van.Eerde at hbinc.com
Thu Sep 30 14:47:30 EDT 2004


Jason Gurtz wrote:
> On 9/30/2004 13:45, Jim McCullars wrote:
>> 
>> On Thu, 30 Sep 2004, Stephen J Smoogen wrote:
>> 
>>>> about 10 or so that are commonly used to send mail bombs.  .vcf
>>>> isn't one of them.
>>> 
>>> Which 10?
>> 
>>    Well, at the risk of exposing my backside:
> 
> Can't remember what the defaults are but I've added a couple here and
> there.  Here's what I use (Perl string concatenated for email
> readability):
> 
>  $bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|' .
>              'dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|' .
>              'mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|' .
>              'shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|' .
>              'wsh|\{[^\}]+\})';
> 

Here's mine, since we're sharing.
The first chunk is the default.
The second is my additions.
I'm considering removing jpg and jpeg once either:
(a) I'm convinced the GDI+ update has been widely applied, or
(b) ClamAV 0.8 is released so I can use their Exploit.JPEG antivirus definition.

    my @bad = qw(
      ade adp app asd asf asx bas bat chm cmd com cpl crt dll exe fxp hlp hta
      hto inf ini ins isp js jse lib lnk mdb mde msc msi msp mst ocx pcd pif
      prg reg scr sct sh shb shs sys url vb vbe vbs vcs vxd wmd wms wmz wsc
      wsf wsh

      htm html
      zip rar sit cpt hqx
      jpg jpeg
    );
    # Single quotes keep the backslashes in the brace pattern; in a
    # double-quoted string Perl drops them before the regex is compiled.
    my $bad_exts = "(" . join("|", @bad, '\{[^\}]+\}') . ")";

It's rather extreme, I know... but I do a pre-scan for known viruses with clamav-milter, which catches most of the well-established viruses that have known definitions.  Also I have a streamlined unquarantining mechanism that just takes a few seconds for the mail admin.

Matthew.van.Eerde at hbinc.com                      805.964.4554 x902
Hispanic Business Inc./HireDiversity.com         Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
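
The extension list from the message above, run against a handful of attachment names; this is an added example and not part of the original post. The `is_bad_filename` helper, the anchoring expression (a dot, the extension, optional trailing dots, end of name, case-insensitive) and every sample filename are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Extension list as posted above: the defaults, then the poster's additions.
my @bad = qw(
  ade adp app asd asf asx bas bat chm cmd com cpl crt dll exe fxp hlp hta
  hto inf ini ins isp js jse lib lnk mdb mde msc msi msp mst ocx pcd pif
  prg reg scr sct sh shb shs sys url vb vbe vbs vcs vxd wmd wms wmz wsc
  wsf wsh
  htm html
  zip rar sit cpt hqx
  jpg jpeg
);

# The last alternative matches any brace-enclosed "extension".
my $bad_exts = '(' . join('|', @bad, '\{[^\}]+\}') . ')';

# Assumed anchoring: only the final extension counts, trailing dots are
# tolerated, and matching ignores case.
my $re = qr/\.$bad_exts\.*$/i;

# Hypothetical helper: true when the name ends in a listed extension.
sub is_bad_filename {
    my ($name) = @_;
    return $name =~ $re ? 1 : 0;
}

# Constructed sample attachment names.
my @samples = (
    'meeting.vcs',                 # the extension this thread asks about
    'contact.vcf',                 # vcf is not on the list
    'Invoice.PDF.exe',             # double extension, last one is listed
    'photo.JPG',                   # upper case, from the additions
    'setup.exe.',                  # trailing dot after a listed extension
    'notes.txt.{constructed-id}',  # brace-enclosed final extension
    'archive.zipx',                # a listed extension only as a prefix
    'exe',                         # listed word with no dot in front
    'readme.txt',
);

for my $name (@samples) {
    printf "%-28s %s\n", $name, is_bad_filename($name) ? 'reject' : 'accept';
}
```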


