[Esd-l]

Smart,Dan SmartD at VMCMAIL.com
Wed Feb 25 06:56:48 PST 2004


Just replaces local-rules, not html-trap.
Lets me kill viruses up front, and logs them so I get some stats.
I'm running nkvir --> html-trap --> spamassassin for a complete package.

<<Dan>> 

| -----Original Message-----
| From: John D. Hardin [mailto:jhardin at impsec.org] 
| Sent: Wednesday, February 25, 2004 8:31 AM
| To: Smart,Dan
| Cc: Simon Matthews; esd-l at spconnect.com
| Subject: RE: [Esd-l] 
| 
| On Tue, 24 Feb 2004, Smart,Dan wrote:
| 
| > Look at Nikes recipe for good tags
| > (Or use it as is like I do)
| > http://agriroot.aua.gr/~nikant/nkvir/
| 
| I took a look at that, and I couldn't clearly see any generic 
| Windows executable signature strings. It looks like basically:
| 
|  1) test (using straight procmail) for MIME headers about an
|     executable attachment, then
| 
|  2) scan for signature strings to identify which specific attack
| 
| Those rules look like a limited subset of what the Sanitizer 
| already does. I've discussed before why pure procmail cannot 
| reliably detect attachment-based attacks.
| 
| --
|  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
|  jhardin at impsec.org                        pgpk -a jhardin at impsec.org
|  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
| -----------------------------------------------------------------------
|   "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
|   does quite what I want. I wish Christopher Robin was here."
| 				-- Peter da Silva in a.s.r
| -----------------------------------------------------------------------
|    38 days until the Slovakian Presidential Election
| 

