Re: [FW-1] new virus (?)
Here is a list of valid MIME types, if that is what you are looking for...

http://www.isi.edu/in-notes/iana/assignments/media-types/media-types

FYI: gone.scr is MIME type application/octet-stream

>>> [email protected] 12/05/01 01:23PM >>>
Where might I look for a list of the file types to block?

> -----Original Message-----
> From: Colmer, Philip [SMTP:[email protected]]
> Sent: Wednesday, December 05, 2001 1:36 AM
> To: [email protected]
> Subject: Re: [FW-1] new virus (?)
>
> > We just got hit hard with emails with "Subject: Hi" and an
> > attachment named "gone.scr". has anyone else seen this?
> > What is the procedure for blocking an email based on the
> > subject at the firewall?
>
> You cannot block based on a subject with the firewall.
>
> What you can do is create an SMTP Security Server resource and use that to
> strip out the attachments, either based on the MIME encoding type (pre-SP3)
> or on the extension type (SP3 and later).
>
> To do this:
>
> 1. Create an SMTP resource. If all you are wanting to do is strip bad
> attachments, just give it a name and put the IP address of the destination
> SMTP server in. You can also use this resource to ensure that incoming email
> matches your email domains - useful for preventing relaying through your
> email server.
>
> 2. Set up a rule that ensures that all email intended for your email server
> goes against the resource. To do this, where it would normally say "SMTP" as
> the service, remove this and add the resource instead. Pick SMTP and then
> pick the resource from the list.
>
> 3. Once you've set up the policy, go to the firewall. Find the objects.C
> file. Edit the file and look for the definition of the SMTP resource you've
> just created. Add the following to the end of the definition:
>
> : (forbiddenfiles
> : ("{*.scr}")
> )
>
> Save the file and re-implement the policy.
>
> What happens is that any attempt to connect to your email server for the
> purposes of SMTP gets intercepted by the firewall. It then strips out any
> attachment that has an extension that matches the list above - you can have
> comma-separated types, e.g. ("{*.vbs,*.vbe,*.shs}").
>
> We've implemented the above ".scr" list for now, but we'll shortly be
> expanding it to include all of the filetypes that Outlook now blocks.
>
> Implementing this has two benefits:
>
> 1. It stops the filetypes even hitting the mail server, thus reducing the
> amount of work that the anti-virus software has to do.
>
> 2. It ensures that new viruses get stripped out, regardless of whether or
> not the AV software knows about it ... which it didn't for the new gone.scr
> virus.
>
> Hope that helps.
>
> --Philip
>
> --
> Philip Colmer MBCS CEng Tel: 01223 271223
> I.T. Manager Fax: 01223 215513
> ProQuest Information & Learning
> The Quorum, Barnwell Road, Cambridge, CB5 8SW
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================
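
The extension-based stripping discussed in this thread, as an added Python example that is not part of the original posts and is not Check Point's implementation: it removes attachments whose filename matches a "{*.scr}" style list and shows why the application/octet-stream MIME type alone cannot separate gone.scr from a harmless binary attachment. The function names, the case-insensitive glob matching and the sample message are assumptions constructed for illustration.

```python
import fnmatch
from email import message_from_bytes, policy
from email.message import EmailMessage

def parse_patterns(spec):
    """Split a "{*.vbs,*.vbe}" style list into lowercase glob patterns."""
    return [p.strip().lower() for p in spec.strip().strip("{}").split(",") if p.strip()]

def is_forbidden(filename, patterns):
    # Assumption: compare case-insensitively and drop trailing dots/spaces,
    # which Windows discards when the file is saved.
    name = filename.lower().rstrip(". ")
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)

def _filter(part, patterns, removed):
    """Recursively drop child parts whose filename matches a pattern."""
    if not part.is_multipart():
        return
    kept = []
    for child in part.get_payload():
        name = child.get_filename()  # Content-Disposition filename, else Content-Type name
        if name and is_forbidden(name, patterns):
            removed.append((name, child.get_content_type()))
            continue
        _filter(child, patterns, removed)
        kept.append(child)
    part.set_payload(kept)

def strip_forbidden(raw, spec):
    """Return (message, removed) with removed as [(filename, mime_type), ...]."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    _filter(msg, parse_patterns(spec), removed)
    return msg, removed

def build_sample():
    """Constructed test message: two attachments with the same generic MIME type."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = "Hi", "a@example.com", "b@example.com"
    m.set_content("constructed body")
    for name in ("GONE.SCR", "report.pdf"):
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()

if __name__ == "__main__":
    msg, removed = strip_forbidden(build_sample(), "{*.scr}")
    print("removed:", removed)
    print("kept:", [p.get_filename() for p in msg.iter_attachments()])
```

Both sample attachments carry application/octet-stream, so only the filename rule tells them apart; a sender can rename a file, which is why this kind of filter sits in front of anti-virus scanning and does not replace it.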