[Tfug] blocking exe's and com files with postfix

Choprboy choprboy at dakotacom.net
Mon Jul 19 15:34:26 MST 2004


On Monday 19 July 2004 15:11, elemint at theriver.com wrote:
> Thanks,
> 
>              I uncommented this one in amavisd.conf
> 
> qr'.\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|
>          jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|
>          vbe|vbs|wsc|wsf|wsh)$'ix,                
> 
> That seems to block com and exe amongst other file extensions.  I sent a 
> test email with an exe and it did the job, thanks.
> 

You can also do this at the Postfix level if you wish. There are a couple of 
different ways to do it; the "best" would be to use the MIME filter... but I 
understand that it doesn't always parse MIME sections correctly.

I've been using the following as an executable attachment filter with a main 
config of:
body_checks = regexp:/etc/postfix/body_filter


My body_filter file (minus several other explicit virus/spam filters):

## Forbid executable attachments
/filename=\".*\.(bas|bat|chm|com|cmd|cpl|dll|eml|exe|hlp|hta|lnk|pif|pf|reg|scr|sh[mbs]|vb[esx])\"$/ REJECT

Note: There are some differences between your list and mine. Many of yours 
I've never seen before (and people do legitimately exchange things like .mde 
databases, etc.), but that's up to individual restrictions.  However, you 
missed a couple of very important blocks (in my opinion):

.dll = I added this for an Outlook exploit, as I recall
.eml = Major virus transmission vector (namely Nimda)
.pf = Short name for, sometimes used instead of, .pif
.shm = shell macro, same as .shs, .shb
.vbx = Another VB/virus scripting vector

Adrian
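As an added example (not code from either poster), the script below replays both patterns from this thread against constructed sample lines, so you can see what each one catches and where the body_checks version has gaps: the pattern needs a quoted filename= token that ends the line, so an unquoted name, a parameter after the name, or a Content-Type name= parameter all pass. It assumes Python's re behaves like the POSIX regexp Postfix uses for these patterns (true for this pattern), that regexp: tables match case-insensitively by default (they do), and that the line reaches the table exactly as written. The sample header lines are made up for the test, not taken from real mail.

```python
import re

# Adrian's Postfix body_checks pattern, transcribed from the post above.
# Postfix regexp: tables are case-insensitive by default, so re.I is used;
# the \" escapes of the Postfix table are plain quotes in Python's re.
POSTFIX_BODY_FILTER = re.compile(
    r'filename=".*\.(bas|bat|chm|com|cmd|cpl|dll|eml|exe|hlp|hta|lnk|pif|pf'
    r'|reg|scr|sh[mbs]|vb[esx])"$',
    re.I,
)

# The amavisd-new banned-filename entry quoted at the top of the thread
# (a Perl qr'...'ix; the x flag lets the original span lines, so its
# line-break whitespace is simply dropped here).
AMAVIS_BANNED_RE = re.compile(
    r'.\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|'
    r'jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|'
    r'vbe|vbs|wsc|wsf|wsh)$',
    re.I,
)


def postfix_action(line):
    """Run one body line through the table the way cleanup(8) would:
    a match yields the pattern's action (REJECT), otherwise the line passes."""
    if POSTFIX_BODY_FILTER.search(line.rstrip("\r\n")):
        return "REJECT"
    return "OK"


def amavis_banned(filename):
    """amavisd-new applies its pattern to the decoded attachment name,
    not to a raw header line, so quoting and trailing parameters are moot."""
    return AMAVIS_BANNED_RE.search(filename) is not None


def compare(filename):
    """Show how the two lists differ for one attachment name, assuming the
    MUA emits the common quoted Content-Disposition form."""
    line = 'Content-Disposition: attachment; filename="%s"' % filename
    return postfix_action(line), amavis_banned(filename)


# Constructed sample lines (not from real mail), each as a MIME part header
# would appear in the body, with the verdict the pattern gives.
SAMPLE_LINES = [
    'Content-Disposition: attachment; filename="setup.exe"',            # REJECT
    'Content-Disposition: attachment; filename="SETUP.EXE"',            # REJECT (case-insensitive)
    'Content-Disposition: attachment; filename="invoice.pdf.scr"',      # REJECT (double extension)
    'Content-Disposition: attachment; filename="notes.txt"',            # OK
    # The three below carry executables but pass, because the pattern
    # requires a quoted filename= token that ends the line:
    'Content-Disposition: attachment; filename=setup.exe',              # OK (unquoted token)
    'Content-Disposition: attachment; filename="setup.exe"; size=1234', # OK (parameter after the name)
    'Content-Type: application/octet-stream; name="setup.exe"',         # OK (name=, not filename=)
]


def run_samples():
    return [(line, postfix_action(line)) for line in SAMPLE_LINES]


def missed_executables():
    """Lines whose attachment name has a blocked extension but still pass."""
    missed = []
    for line, action in run_samples():
        m = re.search(r'(?:file)?name="?([^";\s]+)"?', line, re.I)
        if m and action == "OK" and POSTFIX_BODY_FILTER.search('filename="%s"' % m.group(1)):
            missed.append(line)
    return missed


if __name__ == "__main__":
    for line, action in run_samples():
        print("%-7s %s" % (action, line))
    print()
    print("Pass despite a blocked extension:")
    for line in missed_executables():
        print("   ", line)
    print()
    for name in ("report.mde", "readme.eml", "run.vbx", "link.pf"):
        print("%-12s postfix=%s amavis_banned=%s" % ((name,) + compare(name)))
```

On a real Postfix box the equivalent check is `postmap -q 'Content-Disposition: attachment; filename="setup.exe"' regexp:/etc/postfix/body_filter`, which prints REJECT when a pattern matches and nothing when none does. One caveat worth knowing: with MIME input processing enabled (Postfix 2.0 and later), the Content-* headers of attachments are matched against mime_header_checks (which defaults to $header_checks), not body_checks, so if attachments sail past a body_checks table, point the same regexp file at mime_header_checks as well.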

