[Esa-l] Re: Idea: Multiple extension detector

John D. Hardin jhardin at wolfenet.com
Mon Jun 12 12:13:15 PDT 2000

On Sun, 11 Jun 2000, Brett Glass wrote:

> >Not so new. All of the .VBS worms were written that way too.
> That's where they got the idea.
> >Interesting idea. I don't think the current version could do it too
> >well, but there's a simple way to put that into your poisoned-files
> >list, assuming you don't want to poison *all* .EXE attachments:
> >
> >   *.[a-z0-9]+.exe
> Doesn't one need to "escape" the dots? (One would in a Perl regular
> expression, but I haven't checked to see whether your pattern language
> is different.)

The syntax of the poisoned-files list is a hybrid of standard regular
expressions and standard file globbing - I wanted it to look more like
extended file globbing than regular expressions, and entries get
interpreted a little before the comparison. Periods may be bare, they
will be escaped for the filename comparison RE; * and ? will be
converted to .* and .? for the RE.

After a bit of thought, a better version of the above is:


Since the poisoning is only done on executable extensions, this will
catch (for example) "fnord.txt.com" (assuming you don't already poison

 John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
 jhardin at wolfenet.com      pgpk -a finger://gonzo.wolfenet.com/jhardin
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
   139 days until Daylight Savings Time ends

More information about the esd-l mailing list