This is a discussion on Re: Warning Worm/MyDoom.A1 spreading very fast! within the mailing.postfix.users forums, part of the Mail Servers and Related category.
Toens Bueker wrote:
> Paul Robertson <proberts@patriot.net> wrote:
>
>>>Yeah I'm trying to think of a decent procmail script to remove
>>>these...but I don't think it's possible unless you just block the .zip
>>>files completely
>>
>>It's not always a zip, it does other extensions as well, from a small
>>sampling:
>>
>>      8 bat
>>     13 cmd
>>     30 exe
>>    130 pif
>>    117 scr
>>    473 zip
>>.
>>
>>(Look for strings in the bottom of the message attachments if you want to
>>procmail it- strings there don't change as much.)
>
>
> Hm. I could detect only one similarity: All mails
> containing a zipped attachment used either
>
> charset="Windows-1252"
> or
> charset=windows-1252
>
> together with
>
> Content-Transfer-Encoding: 7bit

Hmm, thanks for the research, I'll see how that goes. I block all but
.zip files these days, so I'll have a look at that.

If anyone already has robust header_checks or body_checks recipes could
they post them in this thread?

Thanks,
David

--
Commercial OS breeds commerce, whereas free OS breeds freedom, the only
thing more dangerous and confusing than commerce.
-- Michael R. Jinks, redhat-list, circa 1997
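An added example, not part of the original posts: a Python script that triages a message on the two indicators mentioned in this thread, the executable attachment extensions from the sampling and a .zip attachment that arrives alongside a windows-1252, 7bit part. The function names, the verdict labels and the sample messages are constructed assumptions; this is offline triage logic, not a Postfix header_checks or body_checks recipe.

```python
from email import message_from_string

# Executable extensions taken from the sampling quoted in the thread.
BLOCKED_EXT = {"bat", "cmd", "exe", "pif", "scr"}


def triage(raw):
    """Return (verdict, reasons) for one message given as text (hypothetical helper)."""
    msg = message_from_string(raw)
    exts, cp1252_7bit = [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename= and Content-Type name=.
        name = part.get_filename()
        if name and "." in name:
            # Only the last extension counts, so "readme.txt.scr" is "scr".
            exts.append(name.rsplit(".", 1)[1].strip().lower())
        cte = part.get("Content-Transfer-Encoding", "").strip().lower()
        # get_content_charset() lowercases and unquotes the charset parameter.
        if part.get_content_charset() == "windows-1252" and cte == "7bit":
            cp1252_7bit = True
    blocked = sorted(set(exts) & BLOCKED_EXT)
    if blocked:
        return "reject", blocked
    # The charset/encoding pairing alone is weak, so it only holds zip mail for review.
    if "zip" in exts and cp1252_7bit:
        return "hold", ["zip+windows-1252+7bit"]
    return "pass", []


def sample(filename, charset="windows-1252", cte="7bit"):
    """Build a constructed two-part test message (not a real worm sample)."""
    return (
        "From: a@example.com\nTo: b@example.com\nSubject: test\n"
        'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
        f'--b1\nContent-Type: text/plain; charset="{charset}"\n'
        f"Content-Transfer-Encoding: {cte}\n\nhello\n"
        f'--b1\nContent-Type: application/octet-stream; name="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: attachment; filename="{filename}"\n\nAAAA\n--b1--\n'
    )


if __name__ == "__main__":
    for fn in ("document.pif", "data.zip", "notes.txt"):
        print(fn, triage(sample(fn)))
```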