Blocking the weekly trojan with amavisd-new?
From: Ralf Hildebrandt (Germany), 2007-02-21 04:10:02
Recently, Germany has seen a flood of trojans disguised as an "invoice".
They were sent as an unencrypted ZIP archive which contains at least one
file with a double extension:

your_invoice.pdf.exe

How can I block these with amavisd-new-2.4.5-rc1?

-- 
Ralf Hildebrandt (on behalf of the IT-Zentrum)   Ralf.Hildebrandt@charite.de
Charite - Universitätsmedizin Berlin             Tel.  +49 (0)30-450 570-155
Joint institution of FU and HU Berlin            Fax.  +49 (0)30-450 570-962
IT-Zentrum, CBF site                             send no mail to plonk@charite.de

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
Re: Blocking the weekly trojan with amavisd-new?
From: Christian Rost, 2007-02-21 04:58:31
Ralf Hildebrandt wrote:
> Recently, Germany has seen a flood of trojans, disguised as "invoice".
> They were sent as unencrypted ZIP archive which contains at least one
> file with a double extension:
> 
> your_invoice.pdf.exe
> 
> How can I block these with amavisd-new-2.4.5-rc1?
> 
Hi,

one way is to use the [$banned_filename_re] directive, which checks for
double extensions, too. By doing it this way, all [filename.xxx.exe]
attachments are banned. We're using it permanently to cover the period
until an appropriate virus definition is published.

Cheers,

Christian

-- 
===========================================================
Christian Rost
roCon - Informationstechnologie
Glatzer Weg 4
44534 Lünen

phone: +49 (0) 2306 910 658
fax:   +49 (0) 2306 910 664
url:   http://www.rocon-it.de
Re: Blocking the weekly trojan with amavisd-new?
From: Mark Martinec (Slovenia), 2007-02-21 06:30:48
Ralf,

> Recently, Germany has seen a flood of trojans, disguised as "invoice".
> They were sent as unencrypted ZIP archive which contains at least one
> file with a double extension: your_invoice.pdf.exe
> How can I block these with amavisd-new-2.4.5-rc1?

$banned_filename_re = new_RE(

  qr'^your_invoice.pdf.exe$',           # trojan

  ...
);

  Mark

Re: Blocking the weekly trojan with amavisd-new?
From: Ralf Hildebrandt (Germany), 2007-02-21 06:34:26
* Mark Martinec <Mark.Martinec+amavis@ijs.si>:

> $banned_filename_re = new_RE(
> 
>   qr'^your_invoice.pdf.exe$',           # trojan
> 
>   ...
> );

And of course I need
$final_banned_destiny     = D_DISCARD;
instead of my 
$final_banned_destiny     = D_PASS;

I also activated:
$banned_quarantine_to = 'quarantinemailbox@charite.de'

Question: Does banned_filename_re also REALLY apply to your_invoice.pdf.exe
within a ZIP archive, since $banned_filename_re lists further down:

[ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any type within such archives

(or do the patterns apply on a first match wins basis?)

-- 
Ralf Hildebrandt (on behalf of the IT-Zentrum)   Ralf.Hildebrandt@charite.de
Charite - Universitätsmedizin Berlin             Tel.  +49 (0)30-450 570-155
Joint institution of FU and HU Berlin            Fax.  +49 (0)30-450 570-962
IT-Zentrum, CBF site                             send no mail to plonk@charite.de

Re: Blocking the weekly trojan with amavisd-new?
From: Ralf Hildebrandt (Germany), 2007-02-21 07:35:51
* Ralf Hildebrandt <Ralf.Hildebrandt@charite.de>:

> Question: Does banned_filename_re also REALLY apply to your_invoice.pdf.exe
> within a ZIP archive, since $banned_filename_re lists further down:

Yes it does. I just tried that. Excellent.

-- 
Ralf Hildebrandt (on behalf of the IT-Zentrum)   Ralf.Hildebrandt@charite.de
Charite - Universitätsmedizin Berlin             Tel.  +49 (0)30-450 570-155
Joint institution of FU and HU Berlin            Fax.  +49 (0)30-450 570-962
IT-Zentrum, CBF site                             send no mail to plonk@charite.de

Re: Blocking the weekly trojan with amavisd-new?
From: Mark Martinec (Slovenia), 2007-02-21 08:21:34
Ralf,

> Question: Does banned_filename_re also REALLY apply to your_invoice.pdf.exe
> within a ZIP archive, since $banned_filename_re lists further down:

First match wins. Order banning rules according to needs.

  Mark
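An added example, not code from the thread or from the amavisd-new distribution, that puts the advice of this thread together in one amavisd.conf fragment: Mark's specific rule and a generic double-extension rule of the kind Christian describes, both placed ahead of the archive exemption Ralf asked about, followed by the banned-mail disposition Ralf set. The rule syntax ($banned_filename_re, new_RE, the [ pattern => 0 ] exemption form, D_DISCARD, $banned_quarantine_to) is the one used in the thread; the generic double-extension pattern, the overall rule selection and the quarantine address are assumptions to adapt to your site.

```perl
# Added example, not from the thread: an ordered ban list for amavisd-new.
# Rules are tried top to bottom and the first match wins, so the rules that
# must catch a file INSIDE a ZIP come before the rule that exempts archive
# contents. Patterns other than the two quoted in the thread are assumptions.

$banned_filename_re = new_RE(

  # 1. The specific lure from the current wave, matched case-insensitively.
  #    The dots are escaped here: an unescaped '.' also matches any character,
  #    which is harmless for this name but sloppy in a blocklist.
  qr'^your_invoice\.pdf\.exe$'i,                                  # trojan

  # 2. Generic double-extension rule (assumed pattern): a name with at least
  #    two extensions whose last one is a Windows executable type, e.g.
  #    report.pdf.exe or order.doc.scr. A plain setup.exe does NOT match this
  #    rule; it is handled by rule 4 below.
  qr'\.[^./]+\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)$'i,        # double ext.

  # 3. Only now exempt everything else inside common archive types.
  #    If this rule stood above rules 1 and 2, the ZIP would match it first
  #    and your_invoice.pdf.exe inside would never be tested against them.
  [ qr'^\.(zip|rar|arc|arj|zoo)$' => 0 ],  # allow any type within such archives

  # 4. Remaining single-extension executables, i.e. those not inside one of
  #    the archives exempted by rule 3.
  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)$'i,               # banned ext.
);

# Disposition of a message that hit a banning rule. D_DISCARD drops it
# silently, so a forged envelope sender receives no bounce; D_PASS (the value
# Ralf started with) would deliver it anyway. A quarantine copy is still kept
# at the assumed address below for inspection.
$final_banned_destiny = D_DISCARD;
$banned_quarantine_to = 'quarantine@example.com';   # assumed address
```

The order is the whole point of the fragment: amavisd-new tests the names and types collected for a part and for the archives enclosing it against the list from the top and stops at the first hit, so moving the exemption in rule 3 above rules 1 and 2 would let the ZIP match first and wave the .pdf.exe through. After reloading amavisd, verify the ordering the way Ralf did, with a harmless ZIP containing an empty file named your_invoice.pdf.exe: the amavisd log should report the message as BANNED, and the quarantined copy shows which part triggered the rule.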
