[bf1942] OT Protection

g8 at the.whole.net g8 at the.whole.net
Wed Feb 4 13:26:49 EST 2004

Sure, it doesn't catch some of the newer random names (I added a few
manually) but gets the majority of the obvious ones (it has some other
names in there too left over from sobig):

/^Content-(Disposition|Type):\s+.*?(file)?name="?.*?(your_details|application|document|screensaver|movie|body|data|doc|file|jedppfi|message|pax|qiqzw|readme|smbxaqt|test|text|xou)\.zip/        REJECT


On Wed, 4 Feb 2004, James Gurney wrote:

> g8 at the.whole.net wrote:
> > alternate MTAs such as Postfix, qmail, or exim.  I personally use Postfix
> > (aka IBM Secure Mailer) and a one line regex blocked the virii before
> > they even got to the DATA stage (thus saving bandwidth at the server).
> Care to share that regex? I looked into this for my postfix servers, but
> the only header/body checks I could find would essentially block all zip
> files, which I thought was too extreme..
> James

More information about the Bf1942 mailing list