Largely "stolen" from one I'd read on the 'net somewhere, but this works well and has blocked tons of virii:
/^(Content-(Type|Disposition):.*|[[:space:]]*(file)?)name=("[^"]*|[^[:space:]]*)\.(exe|s(ys|cr|hm)|pif|bat|lnk|vb[es]|jse?|hta|cmd|vxd)[[:>:]]/ REJECT This message appears to contain an executable attachment which may be a virus or trojan. Please remove it and re-send. Use it in your header_checks. Note that I do not include "*.com" attachments in the list, because Netscape for a time had the annoying feature of allowing someone to forward a web page and it would name the attachment after the url. So if someone sent you the "yahoo.com" web page.. bam, this got triggered. So ideally you want to have some other mechanisms (virus scanners, smart users, etc.) in place as well. HTH. ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk