On Tue, 2003-09-23 at 09:04, Vaclav Brunnhofer wrote:
> Recently I have introduced to postfix the mime_header_check with the rule to bounce messages including attachments with executable files, based on a suggestion in this list. I have tested that and it seemed to work fine. Nevertheless, since Sunday I am receiving (and other users of the server, too) many mails containing the w32.swen.A. It's strange, as this mail contains a file xxxx.exe attached. Is there a way to modify the postfix configuration to stop these (and maybe similar mails in the future) mails? It seems that this type of attachment somehow bypasses this filter. I have checked the message, and did not find a difference with other types of attachments.

Use the following "body_checks" postfix filters to perform filtering based on the real message body:

/^begin\s+\d{3}\s+.+?\.(bat|chm|cmd|cnm|com|exe|hta|jse?|lnk|pif|reg|scr|shb|shs|vb[esx]|vdx|ws[fh])\n?$/ REJECT
/^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.(bat|chm|cmd|cnm|com|exe|hta|jse?|lnk|pif|reg|scr|shb|shs|vb[esx]|vdx|ws[fh])"?\n?$/ REJECT
/^\s+(file)?name="?.+?\.(bat|chm|cmd|cnm|com|exe|hta|jse?|lnk|pif|reg|scr|shb|shs|vb[esx]|vdx|ws[fh])"?\n?$/ REJECT

This will stop nearly all Windows-worm-virus-carrying dangerous payloads.
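
An added example (not part of the original message): a small Python harness that runs the three patterns above, one line at a time, over constructed sample lines, so the rule set can be checked before it is deployed. It assumes the rules are loaded from a pcre: table, whose case-insensitive default is emulated here with re.IGNORECASE; the names RULES, check_line, scan and SAMPLE are hypothetical.

```python
import re

# Extension alternation copied verbatim from the three patterns in the message.
EXT = r"(bat|chm|cmd|cnm|com|exe|hta|jse?|lnk|pif|reg|scr|shb|shs|vb[esx]|vdx|ws[fh])"

# Assumption: Postfix pcre: tables match case-insensitively by default,
# so every rule is compiled with re.IGNORECASE.
RULES = [
    ("uuencode", re.compile(r"^begin\s+\d{3}\s+.+?\." + EXT + r"\n?$", re.I)),
    ("mime-header", re.compile(
        r'^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.' + EXT + r'"?\n?$', re.I)),
    ("continuation", re.compile(r'^\s+(file)?name="?.+?\.' + EXT + r'"?\n?$', re.I)),
]

def check_line(line):
    """Return the label of the first rule that would REJECT this line, else None."""
    for label, rx in RULES:
        if rx.search(line):
            return label
    return None

def scan(lines):
    """Return (line_number, rule_label) for every line that a rule rejects."""
    hits = []
    for number, line in enumerate(lines, 1):
        label = check_line(line)
        if label is not None:
            hits.append((number, label))
    return hits

# Constructed sample lines (not taken from a real message).
SAMPLE = [
    "Content-Type: application/octet-stream;",                    # no name on this line
    '\tname="update.EXE"',                                        # folded parameter line
    'Content-Disposition: attachment; filename="patch.scr"',
    "begin 644 setup.pif",                                        # uuencode header
    'Content-Type: application/pdf; name="report.pdf"',           # benign extension
    'Content-Disposition: attachment; filename="notes.com.txt"',  # .com is not last
    "Please begin the 644 exercises today.",                      # ordinary body text
]

if __name__ == "__main__":
    for number, label in scan(SAMPLE):
        print(f"line {number}: REJECT ({label}): {SAMPLE[number - 1]!r}")
```
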