I received a request for the list of disallowed file 
extensions we use so I am posting it here:

386|acm|avb|bin|cla|class|cnv|dll|drv|ade|adp|app|ask|asp|bas|bat|\
cer|chm|cmd|com|cpl|crt|csh|exe|fxp|hlp|hta|inf|ins|isp|its|js|\
jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mda|mdb|\
mde|mdt|mdw|mdz|msc|msi|msp|mst|ops|pcd|pif|prf|prg|pst|reg|scf|\
scr|sct|shb|shs|tmp|url|vb|vbe|vbs|vss|vst|vsw|ws|wsc|wsf|wsh|\
cnf|xnk|mhtml

Most of these are disallowed in Outlook/Outlook Express
anyway and many of the others would be foolish to send
(e.g., drv or 386) without compressing and checksumming
them.

There is one other we use (ClassID):  \.\{[-a-hA-H0-9]+\}
(I believe the following is correct and better specified but
have not fully tested it:  \.\{[-a-hA-H0-9]{25,}\})

Class ID (GUID) extensions, enclosed in {} braces, are 
executable on Windows systems if the Class is (correctly)
defined in the registry.

As to using the 25 length specifier, it really doesn't
matter to me, since if someone uses a "short GUID" they
probably are up to no good as well.

--
Herb Martin

> -----Original Message-----
> From: Maurice Lucas [mailto:[EMAIL PROTECTED] 
> Sent: Friday, August 19, 2005 7:43 AM
> To: 'Herb Martin'
> Subject: RE: Trojan infected FN
> 
> Hello,
> 
> Could you please post the list to the mailing list or to me personally.
> 
> With kind regards,
> 
> Maurice Lucas
> TAOS-IT
> 
> 
> > -----Original Message-----
> > From: Herb Martin [mailto:[EMAIL PROTECTED]
> > Sent: Friday 19 August 2005 13:17
> > To: [EMAIL PROTECTED]
> > Subject: RE: Trojan infected FN
> > 
> > > -----Original Message-----
> > > From: Chris [mailto:[EMAIL PROTECTED]
> > > 
> > > On Thursday 18 August 2005 11:46 pm, Matt Kettler wrote:
> > > > At 11:20 PM 8/18/2005, you wrote:
> > > > > Got three of these tonight with the same trojan, SA detected the
> > > > > other two as spam, this one slipped through just a bit under the wire.
> > > >
> > > > Spamassassin doesn't try to detect viruses. That's what virus scanners
> > > > are best at.
> > > 
> > > Realize that Matt, though usually there is enough of a spam signature
> > > for SA to tag the actual message as spam, in this one case there just
> > > wasn't enough.
> > > Although this is a standalone box with no windows on it at all, guess
> > > I could set one up anyway.
> > 
> > Put ClamAV (or another quality anti-virus) ahead of SpamAssassin or 
> > try using the ClamAV plug-in with SA.
> > 
> > Some viruses will even be larger than you would want to check with SA so
> > using ClamAV separately usually makes the most sense.
> > 
> > If your users are Outlook/Outlook Express users they will not have
> > access to most executable extensions anyway so it can make sense to
> > just block anything with those (exe, pif, com etc.) files.
> > 
> > (I have a long list prep'ed for a regex or for Exim if anyone wants it
> > posted again.)
> > 
> > --
> > Herb Martin
> > 

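The extension list and the two ClassID patterns from Herb Martin's message at the top of this thread, turned into an attachment-name check and run over a few constructed file names. This is an added example, not code from the thread; the function name `classify_attachment`, the `strict_clsid` switch and the sample names are my own.

```python
import re
from typing import Optional

# Disallowed extensions, exactly as listed in the message above.
DISALLOWED_EXTENSIONS = (
    "386|acm|avb|bin|cla|class|cnv|dll|drv|ade|adp|app|ask|asp|bas|bat|"
    "cer|chm|cmd|com|cpl|crt|csh|exe|fxp|hlp|hta|inf|ins|isp|its|js|"
    "jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mda|mdb|"
    "mde|mdt|mdw|mdz|msc|msi|msp|mst|ops|pcd|pif|prf|prg|pst|reg|scf|"
    "scr|sct|shb|shs|tmp|url|vb|vbe|vbs|vss|vst|vsw|ws|wsc|wsf|wsh|"
    "cnf|xnk|mhtml"
).split("|")

# Only the final extension matters, and it is matched case-insensitively so
# that "INVOICE.EXE" and "report.pdf.exe" are both caught.
_EXT_RE = re.compile(
    r"\.(" + "|".join(map(re.escape, DISALLOWED_EXTENSIONS)) + r")$", re.IGNORECASE
)

# ClassID (CLSID) "extension", in the message's loose form and its {25,} form.
# The message's character class is [-a-hA-H0-9]; real GUIDs use only hex
# digits, so the class is slightly broader than needed, which is harmless here.
_CLSID_RE = re.compile(r"\.\{[-a-hA-H0-9]+\}$")
_CLSID_STRICT_RE = re.compile(r"\.\{[-a-hA-H0-9]{25,}\}$")


def classify_attachment(filename: str, strict_clsid: bool = False) -> Optional[str]:
    """Return a reason to block the attachment name, or None if it passes.

    Trailing spaces and dots are stripped first, because Win32 path handling
    drops them, so "setup.exe ." is still opened as an .exe.
    """
    name = filename.rstrip(" .")
    m = _EXT_RE.search(name)
    if m:
        return f"disallowed extension .{m.group(1).lower()}"
    clsid_re = _CLSID_STRICT_RE if strict_clsid else _CLSID_RE
    if clsid_re.search(name):
        return "ClassID (CLSID) extension"
    return None


# Constructed sample attachment names (the GUID is a placeholder, not real).
SAMPLES = [
    "report.pdf",
    "report.pdf.exe",
    "INVOICE.SCR",
    "setup.exe .",
    "photo.jpg.{01234567-89ab-cdef-0123-456789abcdef}",
    "short.{abc-123}",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:52} -> {classify_attachment(sample)}")
```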