[Esd-l] ZIP scanning, take two (repost)

Simon Matthews simon at paxonet.com
Sun Feb 22 18:58:04 PST 2004


On Sun, 22 Feb 2004, John D. Hardin wrote:

> Okay, the list seems to be working again...

Did it ever stop, or was it just your own email that was not working?

> Example zip file policy (say you get libraries from Borland for
> testing):
>   # default to not trusting ZIPs at all
>   :0
>   * ^From: .*@borland.com
>   {
>     # accept zipped .DLL files from Borland
>     ZIPPED_EXECUTABLES="poisoned_list_except_for_*.dll_filespec"
>   }

While this will work, it has some limitations. Most likely people will 
want to accept more filetypes from their own domain name, yet forging the 
"From" is common and we have one virus that uses 
"james@<recipient's domain name>"

Could it be possible to change the banned filenames if the email is 
received from a trusted IP address? For example, from within the LAN or 
WAN? You could probably lift the  code from SpamAssassin that deals with 
"trusted networks". 


More information about the esd-l mailing list