dropping based on attachment code signatures

Alex Neuman van der Hans alex at nkpanama.com
Wed Feb 22 22:14:52 GMT 2006


Have you tried using the "file" command and editing the "magic" file, 
then adding a rule to filetype.rules?

Michael Masse wrote:
>   
>>>> MailScanner at ecs.soton.ac.uk 2/22/2006 10:29:04 AM >>>
>>>>         
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Please define "code signature".
>
>   
>
> Sorry I wasn't clear. If an attachment has a specified code segment
> I'd like to be able to not deliver the email. For example, .wmf files
> can easily be renamed to .jpg, yet if you double click on them they
> run as wmf files. MS has issued a patch for this, but before they did
> it was nice to have a filter in place to strip these attachments out.
> The procmail filter I used to do this used the od program to check
> the first 4 bytes of every attachment for the string 9ac6cdd7 and if
> found it's a wmf file and therefore the email is not delivered. I was
> just wondering if it's possible to do similar operations in MS not so
> much for current exploits, but future ones if needed, primarily due
> to lag time between when an exploit is exposed to the wild and the
> time it takes for patches and anti-virus vendors to recognize the
> exploit.
>
> Mike
>
>
>   

-- 

Alex Neuman van der Hans
N&K Technology Consultants
Tel. +507 214-9002 - http://nkpanama.com/
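
The first-4-bytes check described in the quoted message, as an added example (not code from this thread, from the procmail filter it mentions, or from MailScanner). The function names, the signature table and the sample messages are constructed for illustration; only the value 9ac6cdd7 comes from the thread.

```python
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

# The thread's value 9ac6cdd7 read as one little-endian 32-bit word
# (the placeable WMF header key); on disk the bytes are d7 cd c6 9a.
WMF_MAGIC = struct.pack("<I", 0x9AC6CDD7)

# Hypothetical table: add further leading-byte signatures here as needed.
BLOCKED_SIGNATURES = {"wmf": WMF_MAGIC}


def blocked_attachments(raw_message: bytes):
    """Return [(filename, signature_name)] for every leaf MIME part whose
    decoded content starts with a blocked signature, regardless of the
    filename extension or the declared Content-Type."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        # decode=True undoes base64 / quoted-printable transfer encoding
        payload = part.get_payload(decode=True) or b""
        for name, magic in BLOCKED_SIGNATURES.items():
            if payload.startswith(magic):
                hits.append((part.get_filename() or "<unnamed>", name))
    return hits


def build_sample(filename: str, content: bytes) -> bytes:
    """Build a constructed test message with one attachment declared as JPEG."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(content, maintype="image", subtype="jpeg",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    renamed_wmf = build_sample("holiday.jpg", WMF_MAGIC + b"\x00" * 18)
    real_jpeg = build_sample("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    print(blocked_attachments(renamed_wmf))  # flagged despite the .jpg name
    print(blocked_attachments(real_jpeg))    # not flagged
```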
