META: Filtering viruses/worms

Started by Greg Sabino Mullane, about 22 years ago, 4 messages, general
#1 Greg Sabino Mullane
greg@turnstep.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

X-Virus-Scanned: by amavisd-new at postgresql.org

Since "amavisd" does not appear to be catching the latest worm,
how about filtering on size? Anything, say, over 20K will be held
for approval. Here are the top posts by size to this list recently:

                          subject                          |                whofrom                 | size
-----------------------------------------------------------+----------------------------------------+-------
 [GENERAL] Select for update, locks and transaction levels | "Nick Barr" <nick.barr@webbased.co.uk> | 35107
 [GENERAL] stacy                                           | scrappy@postgresql.org                 | 32648
 [GENERAL] My photoalbum                                   | scrappy@postgresql.org                 | 32600
 [GENERAL] stacy                                           | scrappy@PostgreSQL.org                 | 32467
 [GENERAL] Weah, hello! :-)                                | scrappy@postgresql.org                 | 29462
 [GENERAL] Weeeeee! ;)))                                   | scrappy@postgresql.org                 | 29460
 [GENERAL] Hey, ya! =))                                    | scrappy@PostgreSQL.org                 | 29428
 [GENERAL] :)                                              | scrappy@postgreSQL.org                 | 29305
 [GENERAL] Hokki =)                                        | scrappy@postgresql.org                 | 28738
 [GENERAL] :)                                              | scrappy@PostgreSQL.org                 | 28667
 [GENERAL] help using arrays in a function                 | "Jennifer Lee" <jlee@scri.sari.ac.uk>  | 22774

Note that the first one is not a worm but 4k of message content with about 30k
of unnecessary HTML markup. Filtering such stuff would be alright with me too. :)

- --
Greg Sabino Mullane greg@turnstep.com
PGP Key: 0x14964AC8 200403040640

-----BEGIN PGP SIGNATURE-----

iD8DBQFARxYmvJuQZxSWSsgRAvn2AJ47YY4gZKaISddB0i3/Ew8bZdPcygCfQOnB
1eknd99Tjp3j5+vwfpJ5NCk=
=coS2
-----END PGP SIGNATURE-----

#2 The Hermit Hacker
scrappy@hub.org
In reply to: Greg Sabino Mullane (#1)
Re: META: Filtering viruses/worms

On Thu, 4 Mar 2004, Greg Sabino Mullane wrote:

------------------------------------------------------------------------------
/usr/local/libexec/ppf_verify: pgp command failed

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Thu Mar 4 07:42:30 2004 AST using DSA key ID 14964AC8
gpg: Can't check signature: public key not found
------------------------------------------------------------------------------

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> X-Virus-Scanned: by amavisd-new at postgresql.org
>
> Since "amavisd" does not appear to be catching the latest worm,
> how about filtering on size? Anything, say, over 20K will be held
> for approval. Here are the top posts by size to this list recently:

The problem is, where do we stop? Tom pop'd me off a note about it
yesterday, and we drop'd it from 40k to 30k ... :(

----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: scrappy@hub.org Yahoo!: yscrappy ICQ: 7615664

#3 Magnus Hagander
magnus@hagander.net
In reply to: The Hermit Hacker (#2)
Re: META: Filtering viruses/worms

> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > X-Virus-Scanned: by amavisd-new at postgresql.org
> >
> > Since "amavisd" does not appear to be catching the latest worm, how
> > about filtering on size? Anything, say, over 20K will be held for
> > approval. Here are the top posts by size to this list recently:
>
> The problem is, where do we stop? Tom pop'd me off a note
> about it yesterday, and we drop'd it from 40k to 30k ... :(

A quick stop-gap is to block all ZIPs. We don't usually see a lot of ZIP
attachments on these lists, IIRC.

If I'm not mistaken, you run postfix on the server for the lists. Then
something along:
  /etc/postfix/main.cf:
  mime_header_checks = pcre:/etc/postfix/mime_header_checks

  /etc/postfix/mime_header_checks:
  /name=[^>]*\.(zip|exe|com|vbs)/ REJECT Potentially dangerous file attachment.

Remove initial spaces, of course. And add/remove any other extensions
you need.

//Magnus
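
Added example, not part of the original thread: a Python check of the mime_header_checks pattern from the message above against constructed MIME headers, next to an assumed tighter variant (ANCHORED_RULE, not from the thread) that requires the extension to end the name/filename value. It shows which legitimate attachments the posted rule would also reject.

```python
import re

# Rule from the post. Postfix pcre tables match case-insensitively by default,
# which re.IGNORECASE models here.
PAGE_RULE = re.compile(r'name=[^>]*\.(zip|exe|com|vbs)', re.I)

# Assumed tighter variant, not from the thread: the extension has to end the
# name/filename value, so it cannot match in the middle of a file name or in
# a later parameter of the same header.
ANCHORED_RULE = re.compile(
    r'name\s*=\s*"?[^";]*\.(zip|exe|com|vbs)\s*"?\s*(;|$)', re.I)

# Constructed MIME headers: (header, should_be_rejected)
SAMPLES = [
    ('Content-Type: application/octet-stream; name="photo.zip"', True),
    ('Content-Disposition: attachment; filename="STACY.EXE"', True),
    ('Content-Type: application/x-zip-compressed; name=doc.zip; x-id=1', True),
    ('Content-Disposition: attachment; filename="www.company-report.pdf"', False),
    ('Content-Disposition: attachment; filename="fix.patch"; '
     'x-src="lists.example.com"', False),
    ('Content-Type: text/plain; name="schema.sql"', False),
]

def verdicts(rule, samples=SAMPLES):
    """Return [(header, rejected)] for one rule, as a REJECT action would decide."""
    return [(h, bool(rule.search(h))) for h, _ in samples]

def false_positives(rule, samples=SAMPLES):
    """Headers the rule rejects although they are labelled benign."""
    return [h for h, bad in samples if not bad and rule.search(h)]

def misses(rule, samples=SAMPLES):
    """Headers labelled as unwanted attachments that the rule lets through."""
    return [h for h, bad in samples if bad and not rule.search(h)]

if __name__ == "__main__":
    for label, rule in (("page rule", PAGE_RULE), ("anchored", ANCHORED_RULE)):
        print(label, "false positives:", false_positives(rule))
        print(label, "misses:", misses(rule))
```

The posted rule rejects the two benign samples that merely contain ".com" somewhere after "name="; the anchored variant rejects only the three attachment names that end in a listed extension.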

#4 The Hermit Hacker
scrappy@hub.org
In reply to: Magnus Hagander (#3)
Re: META: Filtering viruses/worms

perfect, thanks ... added ...

On Thu, 4 Mar 2004, Magnus Hagander wrote:

> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > X-Virus-Scanned: by amavisd-new at postgresql.org
> > >
> > > Since "amavisd" does not appear to be catching the latest worm, how
> > > about filtering on size? Anything, say, over 20K will be held for
> > > approval. Here are the top posts by size to this list recently:
> >
> > The problem is, where do we stop? Tom pop'd me off a note
> > about it yesterday, and we drop'd it from 40k to 30k ... :(
>
> A quick stop-gap is to block all ZIPs. We don't usually see a lot of ZIP
> attachments on these lists, IIRC.
>
> If I'm not mistaken, you run postfix on the server for the lists. Then
> something along:
>   /etc/postfix/main.cf:
>   mime_header_checks = pcre:/etc/postfix/mime_header_checks
>
>   /etc/postfix/mime_header_checks:
>   /name=[^>]*\.(zip|exe|com|vbs)/ REJECT Potentially dangerous file attachment.
>
> Remove initial spaces, of course. And add/remove any other extensions
> you need.
>
> //Magnus

----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: scrappy@hub.org Yahoo!: yscrappy ICQ: 7615664