[plug] stripping potentially nasty attachments

Bernard Blackham bernard at blackham.com.au
Sat Mar 27 01:03:33 WST 2004


On Sat, Mar 27, 2004 at 12:13:53AM +0800, Craig Ringer wrote:
> Cute, but sadly bypassed by the latest viri - they send the password as
> an image.

I haven't seen those yet. The only identifying feature of Bagle that
we found was that the message ID was consistently a string of 19
lowercase letters, which seemed to be a pretty rare occurrence (in
combination with an encrypted zip file) for *any* other mail.

I'm not sure what distinguishing features the latest virii have
though (I've yet to receive one with the password in an image).

> That's actually one other thing I'm looking to do on our server: if a
> message contains a zip file the server couldn't decrypt and scan,
> quarantine the entire message. If it's legit, the user can ask for it,
> and I'll let them decrypt it in a sandbox then scan it.

That works too :)

Bernard.

-- 
 Bernard Blackham <bernard at blackham dot com dot au>
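
An added illustration, not code from either poster: the sketch below combines the two checks discussed in this thread, flagging mail whose Message-ID is 19 lowercase letters and which carries an encrypted zip, and quarantining any other mail with a zip that cannot be scanned. The function names, verdict labels and sample messages are constructed for the example, and it assumes the 19 letters are the part of the Message-ID before the "@".

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: the "19 lowercase letters" are the part of the Message-ID before "@".
MSGID_RE = re.compile(r"<[a-z]{19}@[^<>\s]+>")

def has_encrypted_zip(msg):
    """True if any attachment is a zip archive with an encrypted member."""
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Bit 0 of the general-purpose flags marks an encrypted entry.
                if any(info.flag_bits & 0x1 for info in zf.infolist()):
                    return True
        except zipfile.BadZipFile:
            continue
    return False

def classify(raw):
    """Return 'bagle-like', 'quarantine' or 'deliver' for a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    if not has_encrypted_zip(msg):
        return "deliver"
    msgid = str(msg.get("Message-ID", "")).strip()
    return "bagle-like" if MSGID_RE.fullmatch(msgid) else "quarantine"

def sample_message(msgid, encrypted):
    """Constructed test mail carrying one small zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("doc.txt", (2004, 3, 27, 0, 0, 0)), b"constructed data")
    z = bytearray(buf.getvalue())
    if encrypted:  # zipfile cannot write encrypted members, so set the flag bit by hand
        z[6] |= 1                                # local file header flags
        z[z.rindex(b"PK\x01\x02") + 8] |= 1      # central directory entry flags
    m = EmailMessage()
    m["Message-ID"] = msgid
    m["Subject"] = "constructed sample"
    m.set_content("see attachment")
    m.add_attachment(bytes(z), maintype="application", subtype="zip", filename="doc.zip")
    return m.as_bytes()

if __name__ == "__main__":
    print(classify(sample_message("<qwertyuiopasdfghjkl@example.invalid>", True)))
```
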


