How to ban "::whitespace::{4,}.(com|exe)" in archives?

Ralf Hildebrandt Ralf.Hildebrandt at charite.de
Mon Jun 17 13:23:33 CEST 2013


* Ralf Hildebrandt <Ralf.Hildebrandt at charite.de>:

>   # block certain double extensions anywhere in the base name
>   qr'\.[^./]{3}\.(exe|vbs|pif|scr|bat|cmd|com|dll)\.?$'i,
> 
>   qr'^message/partial$'i,
>  
>   [ qr'^\.(Z|gz|bz2)$'           => 0 ],  # allow any type in Unix-compressed
>   [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any type in Unix archives
>   [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any type within such archives
> 
>   qr'.\.(386|bat|chm|cpl|cmd|com|do|exe|hta|jse|lnk|msi|ole|pif|reg|rm|scr|shb|shm|sys|vbe|vbs|vxd|xl|xsl)$'i,
>   # banned extension - CHARITE

Meanwhile I took the current default rules and adapted them a bit.

"[ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ]" would of course ALLOW what I
want to be blocked...

Now I'm using:

  qr'^\.(exe|lha|cab|dll)$',              # banned file(1) types
  
### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
  [ qr'^\.(gz|bz2)$'             => 0 ],  # allow any in gzip or bzip2
  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
  qr'.\.(pif|scr)$'i,                     # banned extensions - rudimentary

### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within these archives
  qr'^application/x-msdownload$'i,        # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,
  
  qr'^message/partial$'i,         # rfc2046 MIME type


# block certain double extensions in filenames
  qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,

# banned extension - CHARITE
  qr'.\.(386|bat|chm|cpl|cmd|com|do|exe|hta|jse|lnk|msi|ole|pif|reg|rm|scr|shb|shm|sys|vbe|vbs|vxd|xl|xsl)$'i,

But I still don't see how to block "::whitespace::{4,}.(com|exe)" EVEN
WHEN in a (zip) archive.

-- 
Ralf Hildebrandt                   Charite Universitätsmedizin Berlin
ralf.hildebrandt at charite.de        Campus Benjamin Franklin
http://www.charite.de              Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
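Added example, not from the post above and not amavisd's own code: a small Perl harness that runs a few constructed file names through a $banned_filename_re-style list with first-match-wins semantics, with an assumed `\s{4,}\.(com|exe)$` rule placed ahead of the archive-allow rule. It looks up a single name only; amavisd also walks a part's ancestors (the enclosing .zip), which is what lets the `=> 0` archive rule exempt the contents, and that ancestry walk is not modeled here.

```perl
#!/usr/bin/perl
# Stand-alone first-match-wins evaluator for a banned_filename_re-style list.
# Added example; the rule list and sample names below are constructed.
use strict;
use warnings;

# A bare qr// means "ban"; [ qr// => 0 ] means "explicitly allow and stop".
my @rules = (
  qr'\s{4,}\.(com|exe)$'i,                  # assumed: 4+ whitespace chars before .com/.exe
  [ qr'^\.(zip|rar|arc|arj|zoo)$' => 0 ],   # allow any type within such archives
  qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
  qr'.\.(bat|cmd|com|exe|pif|scr|vbs)$'i,   # shortened banned-extension rule
);

# Return (rule index, verdict) for the first rule matching $name,
# where verdict 1 = banned and 0 = allowed; return an empty list on no match.
sub lookup_name {
  my ($name) = @_;
  for my $i (0 .. $#rules) {
    my $r = $rules[$i];
    my ($re, $verdict) = ref($r) eq 'ARRAY' ? @$r : ($r, 1);
    return ($i, $verdict) if $name =~ $re;
  }
  return;
}

# Constructed sample names: a plain document, a plain executable, two
# whitespace-padded executables, an archive file(1) type, and a cid: name.
my @samples = (
  'invoice.pdf',
  'setup.exe',
  'notes.txt    .exe',
  'README      .com',
  '.zip',
  'cid:image001.png',
);

for my $name (@samples) {
  my ($idx, $verdict) = lookup_name($name);
  printf "%-22s -> %s\n", "'$name'",
    defined $idx ? ($verdict ? "BANNED by rule $idx" : "allowed by rule $idx")
                 : "no match";
}
```

With this ordering the two padded names hit rule 0 and 'setup.exe' falls through to rule 3, while '.zip' is allowed by rule 1; which of these the real amavisd applies to a name inside an archive depends on its ancestor check, not on this list alone.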
