[Esd-l] URG: Updated novarg local rule for sanitizer

Philip Choy plchoy at income.com.sg
Tue Jan 27 10:06:30 PST 2004


That is what I did.

That is what I did to filter all those novarg esp hated bounced mails
containing zip files.

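# B = match against the message body, D = case-sensitive match.
# The first condition is the base64 form of a ZIP local file header (PK\003\004).
:0BD
* ^UEsDBAoAAAAAA
* ^(ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA|\
ALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAqAAAAAAAAAAAAAAA|\
AAAAA|\
uAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACoAAAAAAAAAAAAAAAA)
/filtered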

Once you are satisfied with it, you may replace /filtered with /dev/null to save
disk space.

Phil.



----- Original Message ----- 
From: "John D. Hardin" <jhardin at impsec.org>
To: "Email Security Discussion list" <Esd-l at spconnect.com>
Sent: Tuesday, January 27, 2004 10:08 PM
Subject: [Esd-l] URG: Updated novarg local rule for sanitizer


> All:
>
> Based on what made it through overnight I have updated the rule a bit.
> See the attachment or grab the recommended rules file.
>
> Unfortunately it seems to be using some random filenames, so I will be
> looking for signature strings in the base64 attachment body. Keying
> off the filename won't be enough.
>
> You may wish to consider adding "zip" to your local non-whitelisted
> mangle extensions list for a week or so until this starts to die down.
>
> --
>  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
>  jhardin at impsec.org                        pgpk -a jhardin at impsec.org
>  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>   "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
>   does quite what I want. I wish Christopher Robin was here."
> -- Peter da Silva in a.s.r
> -----------------------------------------------------------------------
>    67 days until the Slovakian Presidential Election
>
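
The recipe's `ALgAAAA...` and `uAAAA...` alternatives both encode the byte run `b8 00 00 00 00 00 00 00 40 00`, taken at two of the three possible base64 alignments. The Python sketch below is an added example, not part of the original post or of the sanitizer: it derives all three forms for a byte signature and checks them against constructed sample bodies. The names `b64_variants`, `body_contains` and `demo` and the filler bytes are assumptions made for illustration.

```python
import base64

# Leading base64 characters that depend on the k unknown bytes before the signature.
_DROP_HEAD = {0: 0, 1: 2, 2: 3}

def b64_variants(sig: bytes) -> list[str]:
    """Return the three base64 substrings `sig` can produce, one per
    position of its first byte within a 3-byte encoding group."""
    out = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + sig).decode().rstrip("=")
        if (k + len(sig)) % 3:
            enc = enc[:-1]  # last char also carries bits of the following byte
        out.append(enc[_DROP_HEAD[k]:])
    return out

def body_contains(b64_body: str, sig: bytes) -> bool:
    """True if any alignment variant of `sig` occurs in the base64 body.
    A hit is a strong hint, not proof: character position is not checked."""
    stream = "".join(b64_body.split())  # undo the 76-column MIME line wrapping
    return any(v in stream for v in b64_variants(sig))

# First 12 characters of the recipe's first condition.
ZIP_COND = "UEsDBAoAAAAA"
# Byte run encoded by two of the recipe's alternatives.
SIG = bytes.fromhex("b8000000000000004000")

def demo() -> list[bool]:
    # Constructed sample bodies: SIG placed at offsets 0..5 after filler bytes.
    results = []
    for offset in range(6):
        raw = b"\x41" * offset + SIG + b"\x42" * 80
        results.append(body_contains(base64.encodebytes(raw).decode(), SIG))
    return results

if __name__ == "__main__":
    print(base64.b64decode(ZIP_COND))  # ZIP local file header bytes
    print(b64_variants(SIG))
    print(demo())
```

Unlike the recipe's `^`-anchored conditions, which only match when the signature begins a base64 line, this check also finds the signature mid-line or across a line break.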

