Subject: Re: recommendations for virus/worm scanning software?
To: Michael Wolfson <michael@nosflow.com>
From: Greg A. Woods <woods@weird.com>
List: tech-pkg
Date: 09/20/2003 13:11:28
[ On Saturday, September 20, 2003 at 01:34:55 (-0700), Michael Wolfson wrote: ]
> Subject: recommendations for virus/worm scanning software?
>
> I've been slammed with a ton of worms the past two days.  What do y'all 
> recommend I use from pkgsrc to block them (using postfix)?

If I'm not too confused over all the various Postfix versions I
think you can use the following regex with the most recent version
available in pkgsrc, in a content filter, to block almost any possible
executable worm or virus (but not macro/VB worms -- you need to block
all attachments to do that; this RE apparently just matches a
MIME/BASE64 encoded W32 ELF header):

	^TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA

This one is a little less aggressive than blocking all attachments, but
does a reasonable job of blocking files that are _labeled_ as executable
(W32 apparently doesn't care what the filename extension is any more):
(watch out with cut&paste -- there are tabs in there!)

	^[	 ]*content-(disposition|type).*name[	 ]*=[	 ]*"?(.*\.(386|acm|ade|adp|app|asp|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|csh|dll|dlo|doc|dot|drv|exe|flt|fot|hlp|hta|ini|inf|ins|isp|js|jse|lnk|mdb|mde|mod|msc|msi|msp|mst|nws|obj|ocx|olb|osd|ovl|pcd|pdr|pgm|pif|pkg|pot|ppt|pps|prg|reg|rpl|rtf|scr|script|sct|sh|sha|shtml|shs|swf|sys|tlb|tsp|ttf|vb|vlm|vxd|vxo|wiz|wll|wwk|pdr|url|vb|vbe|vbs|wsc|wsf|wsh|xla|xlb|xlc|xld|xlk|xll|xlm|xls|xlt|xlv|xlw|xnk))"?[	 ]*$


Also:  don't run M$ Windoze.  (no smiley -- I'm very serious.)

-- 
						Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>          Secrets of the Weird <woods@weird.com>
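The two rules from the mail above, applied to constructed sample lines as an added example (not part of Greg's post): a Python check that mirrors how Postfix body_checks/header_checks would apply them (case-insensitive by default) to a base64-encoded DOS/PE "MZ" stub, a PNG header, and a few attachment headers. The sample bytes and header lines are constructed for the demonstration, not taken from the post.

```python
import base64
import re

# Patterns quoted in the mail above; the literal tabs inside the character
# classes are written as \t so they survive cut-and-paste.
MZ_BASE64_RE = r"^TV[nopqr][A-Z]...[AB]..A.A....*AAAA...*AAAA"
EXEC_NAME_RE = (
    r'^[\t ]*content-(disposition|type).*name[\t ]*=[\t ]*"?(.*\.('
    r"386|acm|ade|adp|app|asp|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|"
    r"cpl|crt|csh|dll|dlo|doc|dot|drv|exe|flt|fot|hlp|hta|ini|inf|ins|isp|js|"
    r"jse|lnk|mdb|mde|mod|msc|msi|msp|mst|nws|obj|ocx|olb|osd|ovl|pcd|pdr|"
    r"pgm|pif|pkg|pot|ppt|pps|prg|reg|rpl|rtf|scr|script|sct|sh|sha|shtml|"
    r"shs|swf|sys|tlb|tsp|ttf|vb|vlm|vxd|vxo|wiz|wll|wwk|pdr|url|vb|vbe|vbs|"
    r'wsc|wsf|wsh|xla|xlb|xlc|xld|xlk|xll|xlm|xls|xlt|xlv|xlw|xnk))"?[\t ]*$'
)
# Postfix regexp: tables match case-insensitively by default; mirror that.
_MZ = re.compile(MZ_BASE64_RE, re.IGNORECASE)
_EXEC = re.compile(EXEC_NAME_RE, re.IGNORECASE)

def body_line_hits(line: str) -> bool:
    """body_checks-style test: does a base64 body line look like an MZ header?"""
    return _MZ.search(line) is not None

def header_line_hits(line: str) -> bool:
    """header_checks-style test: does a MIME header name a blocked extension?"""
    return _EXEC.search(line) is not None

# Constructed samples: the first 48 bytes of a typical DOS/PE "MZ" stub and the
# start of a PNG file, base64-encoded as a MIME body line would be.
MZ_STUB = bytes.fromhex("4d5a90000300000004000000ffff0000"
                        "b8000000000000004000000000000000"
                        "00000000000000000000000000000000")
PNG_HEAD = bytes.fromhex("89504e470d0a1a0a0000000d49484452")
BODY_SAMPLES = {
    "mz_stub": base64.b64encode(MZ_STUB).decode(),   # starts "TVqQ..."
    "png_head": base64.b64encode(PNG_HEAD).decode(),  # starts "iVBOR..."
}
HEADER_SAMPLES = {  # constructed MIME part headers
    "exe_name": 'Content-Disposition: attachment; filename="invoice.pdf.EXE"',
    "scr_name": "Content-Type: application/octet-stream; name=setup.scr",
    "doc_name": 'Content-Disposition: attachment; filename="minutes.doc"',
    "txt_name": 'Content-Type: text/plain; name="notes.txt"',
}

def run_samples() -> dict:
    """Apply each rule to its samples; returns {sample_name: would_block}."""
    out = {k: body_line_hits(v) for k, v in BODY_SAMPLES.items()}
    out.update({k: header_line_hits(v) for k, v in HEADER_SAMPLES.items()})
    return out
```

As the minutes.doc sample shows, the extension list in the second rule also catches ordinary Office attachments (doc, xls, ppt and friends), so expect some legitimate mail to be blocked by it.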