[Esd-l] Procmail Sanitizer local rule for SoBig .ZIP worm
John D. Hardin
jhardin at impsec.org
Fri Jun 27 12:52:00 PDT 2003
On Fri, 27 Jun 2003, Smart,Dan wrote:
> I reading the syntax for the poisoned and stripped, the "." is
> replaced by the "?" operator. Is there an operator the 0 or 1
> instance function of the normal "?" operator?
No, sorry, that's lost during the conversion.
> Also, you have *.exe in the poisoned list, but also have specific
> entries like *.[a-z][a-z][a-z0-9].exe and amateurs.exe. Isn't
> that redundant. Won't *.exe catch anything ending in .exe?
It is, but somebody who grabs the sample list but does not want to
poison all .EXE files can delete that link and still have a list of
known attacks.
These days it's kinda pointless, I agree.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The fetters imposed on liberty at home have ever been forged out
of the weapons provided for defense against real, pretended, or
imaginary dangers from abroad.
-- James Madison, 1799
-----------------------------------------------------------------------
494 days until the Presidential Election
More information about the esd-l
mailing list