[Esd-l] ZIP scanning, take two (repost)
Simon Matthews
simon at paxonet.com
Sun Feb 22 18:58:04 PST 2004
John,
On Sun, 22 Feb 2004, John D. Hardin wrote:
> Okay, the list seems to be working again...
Did it ever stop, or was it just your own email that was not working?
>
> Example zip file policy (say you get libraries from Borland for
> testing):
>
> # default to not trusting ZIPs at all
> ZIPPED_EXECUTABLES=$POISONED_EXECUTABLES
>
> :0
> * ^From: .*@borland.com
> {
> # accept zipped .DLL files from Borland
> ZIPPED_EXECUTABLES="poisoned_list_except_for_*.dll_filespec"
> }
While this will work, it has some limitations. Most likely people will
want to accept more filetypes from their own domain name, yet forging the
"From" is common and we have one virus that uses
"james@<recipient's domain name>".
Could it be possible to change the banned filenames if the email is
received from a trusted IP address? For example, from within the LAN or
WAN? You could probably lift the code from SpamAssassin that deals with
"trusted networks".
Simon
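
An added illustration of the trusted-network check suggested above; it is not code from this thread, from the sanitizer, or from SpamAssassin. It picks the attachment policy from the peer address in the topmost Received header (assumed to be the one written by the site's own MTA) and ignores the forgeable From header; the network ranges, function names, policy labels and sample messages are all constructed for the example.

```python
import email
import ipaddress
import re

# Assumed trusted ranges (hypothetical LAN/WAN); set these per site.
TRUSTED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("192.168.0.0/16", "10.0.0.0/8")]

# Bracketed peer address as MTAs commonly record it: "(name [192.168.1.20])"
PEER_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def connecting_ip(raw_message):
    """Return the peer IP from the topmost Received header, or None.

    Only the first Received header is read. Lower ones were supplied by
    the sending side and can be forged as easily as From.
    """
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    match = PEER_IP.search(received[0]) if received else None
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None  # bracketed text was not an address


def zip_policy(raw_message):
    """'relaxed' only for mail handed over from a trusted network."""
    ip = connecting_ip(raw_message)
    if ip is not None and any(ip in net for net in TRUSTED_NETWORKS):
        return "relaxed"
    return "strict"  # default: keep the full poisoned list


# Constructed sample: external relay, local-looking From, and a forged
# lower Received header claiming a LAN address.
EXTERNAL_FORGED = (
    "Received: from mail.example.net (mail.example.net [203.0.113.9])\n"
    "\tby mx.example.com; Sun, 22 Feb 2004 18:00:00 -0800\n"
    "Received: from pc (pc [192.168.1.20]) by fake; Sun, 22 Feb 2004\n"
    "From: james@example.com\n\nbody\n")
# Constructed sample: genuinely submitted from inside the LAN.
INTERNAL = (
    "Received: from pc (pc [192.168.1.20]) by mx.example.com;\n"
    "\tSun, 22 Feb 2004 18:00:00 -0800\n"
    "From: james@example.com\n\nbody\n")
```
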