Subject: Re: recommendations for virus/worm scanning software?
To: Michael Wolfson <>
From: Greg A. Woods <>
List: tech-pkg
Date: 09/20/2003 13:11:28
[ On Saturday, September 20, 2003 at 01:34:55 (-0700), Michael Wolfson wrote: ]
> Subject: recommendations for virus/worm scanning software?
> I've been slammed with a ton of worms the past two days.  What do y'all 
> recommend I use from pkgsrc to block them (using postfix)?

If I'm not too confused over all the various Postfix version versions I
think you can use the following regex with the most recent version
available in pkgsrc, in a content filter, to block almost any possible
executable worm or virus (but not macro/VB worms -- you need to block
all attachments to do that; this RE apparently just meatches a
MIME/BASE64 encoded W32 ELF header):


This one is a little less agressive than blocking all attachments, but
does a reasonable job of blocking files that are _labeled_ as executable
(W32 apparently doesn't care what the filename extension is any more):
(watch out with cut&paste -- there are tabs in there!)

	^[	 ]*content-(disposition|type).*name[	 ]*=[	 ]*"?(.*\.(386|acm|ade|adp|app|asp|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|csh|dll|dlo|doc|dot|drv|exe|flt|fot|hlp|hta|ini|inf|ins|isp|js|jse|lnk|mdb|mde|mod|msc|msi|msp|mst|nws|obj|ocx|olb|osd|ovl|pcd|pdr|pgm|pif|pkg|pot|ppt|pps|prg|reg|rpl|rtf|scr|script|sct|sh|sha|shtml|shs|swf|sys|tlb|tsp|ttf|vb|vlm|vxd|vxo|wiz|wll|wwk|pdr|url|vb|vbe|vbs|wsc|wsf|wsh|xla|xlb|xlc|xld|xlk|xll|xlm|xls|xlt|xlv|xlw|xnk))"?[	 ]*$

Also:  don't run M$ Windoze.  (no smiley -- I'm very serious.)

						Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <>
Planix, Inc. <>          Secrets of the Weird <>