Full Disclosure mailing list archives
Re: Re: Filtering sobig with postfix
From: Craig Pratt <craig () strong-box net>
Date: Wed, 20 Aug 2003 22:52:03 -0700
On Wednesday, Aug 20, 2003, at 20:51 US/Pacific, Bojan Zdrnja wrote:
-----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of martin f krafft Sent: Wednesday, 20 August 2003 10:43 p.m. To: full-disclosure () lists netsys com Subject: [Full-disclosure] Re: Filtering sobig with postfix also sprach vogt () hansenet com <vogt () hansenet com> [2003.08.20.1017 +0200]:in main.cf, enable "body_checks = (filename)". In that (filename) file, write a regular expression matching sobig, e.g. something like /see attached file for details/ REJECTthis incurs a factor 2-4 performance drop, and it could also elicit false positives. you should definitely do more than just REJECT (i.e. write out a message: s/REJECT/554 Suspected virus/).Yep, as the OP is using postfix, he could use the header_checks directive,which can identify MIME headers, so he can easily stop this worm.Just check for Content-Disposition header and block everything with .pif infilename. Regards, Bojan Zdrnja
You'd better check for a lot more than just .pif files. .scr and .exe files are critical as well.
And filtering on this stuff is problematic - since there are lots of ways to play with MIME headers - such as escaping characters and playing with the type fields. Check out Nessus's e-mail tests for some examples of the ways to subvert the kind of checks described here. You'd better be ready to write a few thousand REs.
If you want to really filter stuff, look at something like MailScanner (http://www.mailscanner.info) which has file-type/mime-type checking as just the first line of defense. The power and configurability of this system is amazing. It works with postfix and sendmail, and lots of virus scanners - if you choose to integrate one.
There's definitely a performance cost. But it's very smart about how it works - batching scans into a single job. Even if you scan during the SMTP exchange, there's going to be a cost. Such is life.
Craig --- Craig Pratt Strongbox Network Services Inc. mailto:craigATstrong-box.net -- This message checked for dangerous content by MailScanner on StrongBox. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Re: Filtering sobig with postfix Craig Pratt (Sep 10)