Thread: Re: META: Filtering viruses/worms

Re: META: Filtering viruses/worms

From
"Magnus Hagander"
Date:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >
> > > X-Virus-Scanned: by amavisd-new at postgresql.org
> >
> > Since "amavisd" does not appear to be catching the latest worm, how
> > about filtering on size? Anything, say, over 20K will be held for
> > approval. Here are the top posts by size to this list recently:
>
> The problem is, where do we stop?  Tom pop'd me off a note
> about it yesterday, and we drop'd it from 40k to 30k ... :(

A quick stop-gap is to block all ZIPs. We don't usually see a lot of ZIP
attachments on these lists, IIRC.

If I'm not mistaken, you run postfix on the server for the lists. Then
something along:
/etc/postfix/main.cf:
 mime_header_checks = pcre:/etc/postfix/mime_header_checks

/etc/postfix/mime_header_checks:
 /name=[^>]*\.(zip|exe|com|vbs)/ REJECT Potentially dangerous file attachment.

Remove initial spaces, of course. And add/remove any other extensions
you need.


//Magnus
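
An added example, not part of the original thread: a check of the mime_header_checks pattern above against constructed MIME headers, showing which legitimate attachment names it would also reject. The sample headers and the ANCHORED variant are assumptions made for illustration; Python's re module stands in for Postfix's PCRE engine.

```python
import re

# Postfix pcre: tables match case-insensitively by default, so IGNORECASE
# is needed to reproduce that behaviour here.
ORIGINAL = re.compile(r'name=[^>]*\.(zip|exe|com|vbs)', re.IGNORECASE)

# Assumed tightening (not from the thread): the extension must end the
# filename, i.e. be followed by an optional quote and then ";" or end of header.
ANCHORED = re.compile(r'name="?[^">]*\.(zip|exe|com|vbs)"?\s*(;|$)',
                      re.IGNORECASE)

# Constructed sample headers, as Postfix would see them after unfolding.
SAMPLE_HEADERS = [
    'Content-Type: application/octet-stream; name="details.zip"',
    'Content-Disposition: attachment; filename="Patch.EXE"',
    'Content-Type: application/pdf; name="www.company-report.pdf"',
    'Content-Type: text/plain; name="pg_dump.zip.notes.txt"',
    'Content-Type: text/x-patch; name="vacuum-fix.patch"',
]


def verdicts(header):
    """Return (rejected_by_original, rejected_by_anchored) for one header."""
    return (bool(ORIGINAL.search(header)), bool(ANCHORED.search(header)))


def over_blocked(headers):
    """Headers the original pattern rejects although the filename does not
    actually end in one of the listed extensions."""
    return [h for h in headers if verdicts(h) == (True, False)]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        orig, anch = verdicts(h)
        print(f"original={'REJECT' if orig else 'pass':6} "
              f"anchored={'REJECT' if anch else 'pass':6} {h}")
```

On a live server, `postmap -q` can run the same kind of check against the actual table before it goes into production.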

Re: META: Filtering viruses/worms

From
"Marc G. Fournier"
Date:
perfect, thanks ... added ...

On Thu, 4 Mar 2004, Magnus Hagander wrote:

> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > >
> > > > X-Virus-Scanned: by amavisd-new at postgresql.org
> > >
> > > Since "amavisd" does not appear to be catching the latest worm, how
> > > about filtering on size? Anything, say, over 20K will be held for
> > > approval. Here are the top posts by size to this list recently:
> >
> > The problem is, where do we stop?  Tom pop'd me off a note
> > about it yesterday, and we drop'd it from 40k to 30k ... :(
>
> A quick stop-gap is to block all ZIPs. We don't usually see a lot of ZIP
> attachments on these lists, IIRC.
>
> If I'm not mistaken, you run postfix on the server for the lists. Then
> something along:
> /etc/postfix/main.cf:
>  mime_header_checks = pcre:/etc/postfix/mime_header_checks
>
> /etc/postfix/mime_header_checks:
>  /name=[^>]*\.(zip|exe|com|vbs)/ REJECT Potentially dangerous file attachment.
>
> Remove initial spaces, of course. And add/remove any other extensions
> you need.
>
>
> //Magnus
>

----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email: scrappy@hub.org           Yahoo!: yscrappy              ICQ: 7615664