Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #
- # NOTE: Fields are separated by TAB characters --- Important!
- #
- # Syntax is allow/deny/deny+delete/rename/rename to replacement-text/email-addresses,
- # then regular expression,
- # then log text,
- # then user report text.
- #
- # The "email-addresses" can be a space or comma-separated list of email
- # addresses. If the rule hits, the message will be sent to these address(es)
- # instead of the original recipients.
- # If a rule is a "rename" rule, then the attachment filename will be renamed
- # according to the "Default Rename Pattern" setting in MailScanner.conf.
- # If a rule is a "rename" rule and the "to replacement-text" is supplied, then
- # the text matched by the regular expression in the 2nd field of the line
- # will be replaced with the "replacement-text" string.
- # For example, the rule
- # rename to .ppt \.pps$ Renamed .pps to .ppt Renamed .pps to .ppt
- # will find all filenames ending in ".pps" and rename them so they end in
- # ".ppt" instead.
- # Due to a bug in Outlook Express, you can make the 2nd from last extension
- # be what is used to run the file. So very long filenames must be denied,
- # regardless of the final extension.
- #deny .{150,} Very long filename, possible OE attack Very long filenames are good signs of attacks against Microsoft e-mail packages
- # JKF 10/08/2007 Adobe Acrobat nastiness
- rename \.fdf$ Dangerous Adobe Acrobat data-file Opening this file can cause auto-loading of any file from the internet
- # JKF 04/01/2005 More Microsoft security vulnerabilities
- deny \.ico$ Windows icon file security vulnerability Possible buffer overflow in Windows
- deny \.ani$ Windows animated cursor file security vulnerability Possible buffer overflow in Windows
- deny \.cur$ Windows cursor file security vulnerability Possible buffer overflow in Windows
- #deny \.hlp$ Windows help file security vulnerability Possible buffer overflow in Windows
- # These 4 are well known viruses.
- deny pretty\s+park\.exe$ "Pretty Park" virus "Pretty Park" virus
- deny happy99\.exe$ "Happy" virus "Happy" virus
- deny \.ceo$ WinEvar virus attachment Often used by the WinEvar virus
- deny webpage\.rar$ I-Worm.Yanker virus attachment Often used by the I-Worm.Yanker virus
- # JKF 08/07/2005 Several virus scanners may miss this one
- deny \.cab$ Possible malicious Microsoft cabinet file Cabinet files may hide viruses
- # These are in the archives which are Microsoft Office 2007 files (e.g. docx)
- allow \.shp\.xml$ - -
- allow \.xml\d*\.rel$ - -
- allow \.x\d+\.rel$ - -
- allow \.rtf$ - -
- allow \.dbf$ - -
- # These are known to be mostly harmless.
- allow \.jpg$ - -
- allow \.gif$ - -
- # .url is arguably dangerous, but I can't just ban it...
- allow \.url$ - -
- allow \.vcf$ - -
- allow \.txt$ - -
- allow \.zip$ - -
- allow \.t?gz$ - -
- allow \.bz2$ - -
- allow \.Z$ - -
- allow \.rpm$ - -
- # PGP and GPG
- allow \.gpg$ - -
- allow \.pgp$ - -
- allow \.sig$ - -
- allow \.asc$ - -
- # Macintosh archives
- allow \.hqx$ - -
- allow \.sit.bin$ - -
- allow \.sea$ - -
- # Backup files
- allow \.bak$ - -
- # And TeX and LaTeX are harmless AFAIK
- allow \.tex$ - -
- # These are known to be dangerous in almost all cases.
- deny \.reg$ Possible Windows registry attack Windows registry entries are very dangerous in email
- deny \.chm$ Possible compiled Help file-based virus Compiled help files are very dangerous in email
- # See http://office.microsoft.com/2000/articles/Out2ksecFAQ.htm for more info.
- deny \.cnf$ Possible SpeedDial attack SpeedDials are very dangerous in email
- deny \.hta$ Possible Microsoft HTML archive attack HTML archives are very dangerous in email
- deny \.ins$ Possible Microsoft Internet Comm. Settings attack Windows Internet Settings are dangerous in email
- deny \.jse?$ Possible Microsoft JScript attack JScript Scripts are dangerous in email
- deny \.job$ Possible Microsoft Task Scheduler attack Task Scheduler requests are dangerous in email
- deny \.lnk$ Possible Eudora *.lnk security hole attack Eudora *.lnk security hole attack
- # Removed ".mat" from next line as widely used by Matlab
- deny \.ma[dfgmqrsvw]$ Possible Microsoft Access Shortcut attack Microsoft Access Shortcuts are dangerous in email
- deny \.pif$ Possible MS-Dos program shortcut attack Shortcuts to MS-Dos programs are very dangerous in email
- deny \.scf$ Possible Windows Explorer Command attack Windows Explorer Commands are dangerous in email
- deny \.sct$ Possible Microsoft Windows Script Component attack Windows Script Components are dangerous in email
- deny \.shb$ Possible document shortcut attack Shortcuts Into Documents are very dangerous in email
- deny \.shs$ Possible Shell Scrap Object attack Shell Scrap Objects are very dangerous in email
- deny \.vb[es]$ Possible Microsoft Visual Basic script attack Visual Basic Scripts are dangerous in email
- deny \.ws[cfh]$ Possible Microsoft Windows Script Host attack Windows Script Host files are dangerous in email
- deny \.xnk$ Possible Microsoft Exchange Shortcut attack Microsoft Exchange Shortcuts are dangerous in email
- # These are new dangerous attachment types according to Microsoft in
- # http://support.microsoft.com/?kbid=883260
- #deny \.cer$ Dangerous Security Certificate (according to Microsoft) Dangerous attachment according to Microsoft Q883260
- deny \.its$ Dangerous Internet Document Set (according to Microsoft) Dangerous attachment according to Microsoft Q883260
- deny \.mau$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260
- deny \.md[az]$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260
- deny \.prf$ Dangerous Outlook Profile Settings (according to Microsoft) Dangerous attachment according to Microsoft Q883260
- deny \.pst$ Dangerous Office Data File (according to Microsoft) Dangerous attachment according to Microsoft Q883260
- #deny \.tmp$ Dangerous Temporary File (according to Microsoft) Dangerous attachment according to Microsoft Q883260
- deny \.vsmacros$ Dangerous Visual Studio Macros (according to Microsoft) Dangerous attachment according to Microsoft Q883260
- deny \.vs[stw]$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260
- deny \.ws$ Dangerous Windows Script (according to Microsoft) Dangerous attachment according to Microsoft Q883260
- # These 2 added by popular demand - Very often used by viruses
- deny \.com$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
- deny \.exe$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
- # These are very dangerous and have been used to hide viruses
- deny \.scr$ Possible virus hidden in a screensaver Windows Screensavers are often used to hide viruses
- deny \.bat$ Possible malicious batch file script Batch files are often malicious
- deny \.cmd$ Possible malicious batch file script Batch files are often malicious
- deny \.cpl$ Possible malicious control panel item Control panel items are often used to hide viruses
- deny \.mhtml$ Possible Eudora meta-refresh attack MHTML files can be used in an attack against Eudora
- # Deny filenames containing CLSID's
- #deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type Files containing CLSID's are trying to hide their real type
- # Deny filenames with lots of contiguous white space in them.
- #deny \s{10,} Filename contains lots of white space A long gap in a name is often used to hide part of it
- # Allow repeated file extension, e.g. blah.zip.zip
- allow (\.[a-z0-9]{3})\1$ - -
- # Allow days of the week and months in doc names, e.g. blah.wed.doc
- allow \.(mon|tue|wed|thu|fri|sat|sun)\.[a-z0-9]{3}$ - -
- allow \.(jan|feb|mar|apr|may|jun|june|jul|july|aug|sep|sept|oct|nov|dec)\.[a-z0-9]{3}$ - -
- # Deny all other double file extensions. This catches any hidden filenames.
- #deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3,4}$ Found possible filename hiding Attempt to hide real filename extension
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
