dropping based on attachment code signatures
Michael Masse
mrm at medicine.wisc.edu
Wed Feb 22 22:04:10 GMT 2006
>>> MailScanner at ecs.soton.ac.uk 2/22/2006 10:29:04 AM >>>
Please define "code signature".
>>>>>
Sorry I wasn't clear. If an attachment has a specified code segment I'd like to be able to not deliver the email. For example, .wmf files can easily be renamed to .jpg, yet if you double click on them they run as wmf files. MS has issued a patch for this, but before they did it was nice to have a filter in place to strip these attachments out. The procmail filter I used to do this used the od program to check the first 4 bytes of every attachment for the string 9ac6cdd7 and if found it's a wmf file and therefore the email is not delivered. I was just wondering if it's possible to do similar operations in MS not so much for current exploits, but future ones if needed, primarily due to lag time between when an exploit is exposed to the wild and the time it takes for patches and anti-virus vendors to recognize the exploit.
Mike
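The check Mike describes (look at the leading bytes of every attachment regardless of its extension, and flag the WMF placeable-header key 0x9AC6CDD7), written out as an added Python example; this is not part of the original post or of MailScanner. The sample message, its addresses and filenames are constructed for the demonstration.

```python
import email
import struct
from email import policy
from email.message import EmailMessage

# Signatures are 32-bit little-endian values compared against the first four
# bytes of an attachment. 0x9AC6CDD7 is the "key" field of the placeable WMF
# header, the value the procmail/od filter in the post looked for.
SIGNATURES = {
    0x9AC6CDD7: "placeable-wmf",
}

def attachment_signature(data, signatures=SIGNATURES):
    """Return the signature name matching the first four bytes, or None."""
    if len(data) < 4:
        return None
    (key,) = struct.unpack("<I", data[:4])
    return signatures.get(key)

def flagged_attachments(raw, signatures=SIGNATURES):
    """Scan every attachment of a raw RFC 822 message; return a list of
    (filename, signature_name) for each whose content matches, whatever
    extension it carries (a renamed .wmf still matches)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        name = attachment_signature(payload, signatures)
        if name:
            hits.append((part.get_filename() or "<unnamed>", name))
    return hits

def build_sample_message():
    """Constructed test message: a WMF renamed to .jpg plus a real JPEG."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    # Placeable WMF header key followed by padding, labelled as a JPEG.
    wmf_bytes = struct.pack("<I", 0x9AC6CDD7) + b"\x00" * 18
    msg.add_attachment(wmf_bytes, maintype="image", subtype="jpeg", filename="photo.jpg")
    # Genuine JPEG start-of-image marker; should not be flagged.
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 16, maintype="image",
                       subtype="jpeg", filename="real.jpg")
    return msg.as_bytes()

if __name__ == "__main__":
    print(flagged_attachments(build_sample_message()))  # [('photo.jpg', 'placeable-wmf')]
```

Adding a new entry to SIGNATURES is all that is needed to cover a future format, which is the "future exploits" case the post asks about.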