dropping based on attachment code signatures
Alex Neuman van der Hans
alex at nkpanama.com
Thu Feb 23 03:07:40 GMT 2006
Glad to help.
Michael Masse wrote:
> That works perfectly. Thanks for the tip. I just didn't know what to search for is all.
>
> Mike
>
>
>
>>>> alex at nkpanama.com 2/22/2006 4:14:52 PM >>>
>>>>
> Have you tried using the "file" command and editing the "magic" file,
> then adding a rule to filetype.rules?
>
> Michael Masse wrote:
>
>>
>>
>>>>> MailScanner at ecs.soton.ac.uk 2/22/2006 10:29:04 AM >>>
>>>>>
>>>>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>>
>> Please define "code signature".
>>
>>
>>
>> Sorry I wasn't clear. If an attachment has a specified code segment I'd like to be able to not deliver the email. For example, .wmf files can easily be renamed to .jpg, yet if you double click on them they run as wmf files. MS has issued a patch for this, but before they did it was nice to have a filter in place to strip these attachments out. The procmail filter I used to do this used the od program to check the first 4 bytes of every attachment for the string 9ac6cdd7 and if found it's a wmf file and therefore the email is not delivered. I was just wondering if it's possible to do similar operations in MS not so much for current exploits, but future ones if needed, primarily due to lag time between when an exploit is exposed to the wild and the time it takes for patches and anti-virus vendors to recognize the exploit.
>>
>> Mike
>>
>>
>>
>>
>
>
--
Alex Neuman van der Hans
N&K Technology Consultants
Tel. +507 214-9002 - http://nkpanama.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060222/091db008/attachment.html
More information about the MailScanner
mailing list