<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Have you tried using the "file" command and editing the "magic" file,
then adding a rule to filetype.rules?<br>
<br>
Michael Masse wrote:
<blockquote cite="mids3fc8b87.094@gw.medicine.wisc.edu" type="cite">
<pre wrap="">
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap=""><a class="moz-txt-link-abbreviated" href="mailto:MailScanner@ecs.soton.ac.uk">MailScanner@ecs.soton.ac.uk</a> 2/22/2006 10:29:04 AM >>>
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap=""><!---->-----BEGIN PGP SIGNED MESSAGE-----
Please define "code signature".
</pre>
<pre wrap=""><!---->
Sorry I wasn't clear. If an attachment has a specified code segment I'd like to be able to not deliver the email. For example, .wmf files can easily be renamed to .jpg, yet if you double click on them they run as wmf files. MS has issued a patch for this, but before they did it was nice to have a filter in place to strip these attachments out. The procmail filter I used to do this used the od program to check the first 4 bytes of every attachment for the string 9ac6cdd7 and if found it's a wmf file and therefore the email is not delivered. I was just wondering if it's possible to do similar operations in MS not so much for current exploits, but future ones if needed, primarily due to lag time between when an exploit is exposed to the wild and the time it takes for patches and anti-virus vendors to recognize the exploit.
Mike
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Alex Neuman van der Hans
N&K Technology Consultants
Tel. +507 214-9002 - <a class="moz-txt-link-freetext" href="http://nkpanama.com/">http://nkpanama.com/</a></pre>
</body>
</html>