Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Re: Filtering sobig with postfix

From: Craig Pratt <craig () strong-box net>
Date: Wed, 20 Aug 2003 22:52:03 -0700

On Wednesday, Aug 20, 2003, at 20:51 US/Pacific, Bojan Zdrnja wrote:



-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of
martin f krafft
Sent: Wednesday, 20 August 2003 10:43 p.m.
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Re: Filtering sobig with postfix


also sprach vogt () hansenet com <vogt () hansenet com>
[2003.08.20.1017 +0200]:

in main.cf, enable "body_checks = (filename)". In that (filename)
file, write a regular expression matching sobig, e.g. something
like

/see attached file for details/ REJECT


this incurs a factor 2-4 performance drop, and it could also elicit
false positives. you should definitely do more than just REJECT
(i.e. write out a message: s/REJECT/554 Suspected virus/).
Yep, as the OP is using postfix, he could use the header_checks directive, 
which can identify MIME headers, so he can easily stop this worm.
Just check for Content-Disposition header and block everything with .pif in 
filename.

Regards,

Bojan Zdrnja
You'd better check for a lot more than just .pif files. .scr and .exe files are critical as well.
And filtering on this stuff is problematic - since there are lots of ways to play with MIME headers - such as escaping characters and playing with the type fields. Check out Nessus's e-mail tests for some examples of the ways to subvert the kind of checks described here. You'd better be ready to write a few thousand REs.
If you want to really filter stuff, look at something like MailScanner (http://www.mailscanner.info) which has file-type/mime-type checking as just the first line of defense. The power and configurability of this system is amazing. It works with postfix and sendmail, and lots of virus scanners - if you choose to integrate one.
There's definitely a performance cost. But it's very smart about how it works - batching scans into a single job. Even if you scan during the SMTP exchange, there's going to be a cost. Such is life. 

Craig

---
Craig Pratt
Strongbox Network Services Inc.
mailto:craigATstrong-box.net


--
This message checked for dangerous content by MailScanner on StrongBox.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: