[unisog] Sendmail Filter for Sircam

Paul L Schmehl pauls at utdallas.edu
Wed Aug 1 18:53:53 GMT 2001


Please note that if you grep for application/octet-stream you will miss a 
*lot* of Magistr.  Magistr frequently comes in as image/gif, but the 
attachment is an executable.  Also, not blocking .exe is, IMNSHO, a 
mistake.  Fully 50% of the viruses we bounce are .exes (at least they were 
until SirCam blew all my stats out of the water).

For a good idea of what's hitting your gateway see:
http://www.utdallas.edu/ir/tcs/techsupp/email_blocks.html

And if you want to see what we're doing to stop viruses, see:
http://www.utdallas.edu/ir/tcs/techsupp/blocks.html

--On Tuesday, July 31, 2001 11:59 AM -0400 Alex <fletchra at post.queensu.ca> 
wrote:

> :0 E
> *^Content-type: (multipart/mixed|application/octet-stream)
> {
>   :0 HB
>   *^Content-Disposition: (attachment|inline);
>   *filename=".*\.(vbs|wsf|vbe|wsh|hta|pif|bat|lnk)"
>   {
>     SHELL=/bin/sh
>     :0 fhbw
>     |/usr/bin/sed -e 's/\([nN][aA][mM][eE]=".*\....\)"/\1.txt"/'
>
>     :0 c
>     $VIR_DIR/virusmail
>   }
> }
>
>



Paul L. Schmehl, pauls at utdallas.edu
http://www.utdallas.edu/~pauls/
Supervisor, Support Services
The University of Texas at Dallas
AVIEN Founding Member
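
Added example, not part of the original post or of either poster's configuration: a Python sketch of the point made in the reply, that a check keyed on the declared Content-Type misses an executable attachment labelled image/gif, while a check on the filename extension catches it. The function names, the sample message and its filenames are constructed for illustration; the extension list is the one from the quoted recipe plus .exe.

```python
# Added example: flag attachments by filename extension, independent of the
# declared Content-Type. All names and sample data here are hypothetical.
from email import message_from_string
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart

# Extensions from the quoted recipe, plus .exe as the reply recommends.
BLOCKED_EXT = {"vbs", "wsf", "vbe", "wsh", "hta", "pif", "bat", "lnk", "exe"}


def risky_attachments(raw):
    """Return (filename, declared_type) for every part with a blocked extension."""
    hits = []
    for part in message_from_string(raw).walk():
        # get_filename() reads Content-Disposition filename=, else Content-Type name=
        name = (part.get_filename() or "").strip()
        if "." not in name:
            continue
        ext = name.rsplit(".", 1)[-1].lower()  # last extension decides: a.doc.pif -> pif
        if ext in BLOCKED_EXT:
            hits.append((name, part.get_content_type()))
    return hits


def octet_stream_only(raw):
    """The narrower check: only parts declared application/octet-stream."""
    return [(n, t) for n, t in risky_attachments(raw) if t == "application/octet-stream"]


def build_sample():
    """Constructed message: a real gif name, an .exe declared image/gif, a .pif."""
    msg = MIMEMultipart("mixed")
    for maintype, subtype, fname in [
        ("image", "gif", "logo.gif"),
        ("image", "gif", "readme.exe"),
        ("application", "octet-stream", "notes.doc.pif"),
    ]:
        part = MIMEBase(maintype, subtype)
        part.set_payload("AAAA")  # placeholder body, not real file content
        part.add_header("Content-Disposition", "attachment", filename=fname)
        msg.attach(part)
    return msg.as_string()


if __name__ == "__main__":
    sample = build_sample()
    print("extension check:  ", risky_attachments(sample))
    print("octet-stream only:", octet_stream_only(sample))
```
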


