Bugtraq mailing list archives
Re: Ruh-Roh SOBIG.G?
From: Liviu Daia <Liviu.Daia () imar ro>
Date: Thu, 25 Sep 2003 22:03:26 +0300
On 25 September 2003, Dragos Ruiu <dr () kyx net> wrote:

> [...]
> SOBIG Filter instructions for Postfix
> ---------------------------------------
> (compile with pcre - this is in the OpenBSD Ports tree already)
>
> 1) Add this to main.cf:
>
>    mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
>
> 2) Then put this in /etc/postfix/mime_header_checks.regexp:
>
>    /filename=\"?(.*)\.(bat|chm|cmd|com|do|exe|hta|jse|rm|scr|pif|vbe|vbs|vxd|xl)\"?$/
>        REJECT For security reasons we reject attachments of this type
> [...]

Your recipe uses a regexp map, not a pcre one; it's very slow (especially on OpenBSD), and incomplete. Here's a better one:

(1) Make sure you have Postfix 2.0.x, compiled with support for PCRE. Run this to find out:

        postconf -d mail_version
        postconf -m | grep pcre

(2) Add this to main.cf:

        mime_header_checks = pcre:/etc/postfix/mime_header_checks.pcre

(3) Put this in /etc/postfix/mime_header_checks.pcre (the last pattern is supposed to catch CLSID extensions):

        /^Content-(?:Disposition:\s+attachment;|Type:).*\b(?:file)?name\s*=.*\.(?:
          ad[ep] | asd | ba[st] | chm | cmd | com(?=$|") | cpl | crt | dll | eml |
          exe | hlp | hta | in[fs] | isp | jse? | lnk | md[betw] | ms[cipt] | nws |
          ocx | ops | pcd | p[ir]f | reg | sc[frt] | sh[bsm] | swf | url | vb[esx]? |
          vxd | ws[cfh] | \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}
        )\b/x
            REJECT Windows executables not allowed

(4) Add more extensions you feel you should block;

(5) Run:

        postfix reload

Change REJECT above to DISCARD at attack peak times, to save other machines the trouble of bouncing your rejects. Of course, collateral damage from the discards is to be expected too.

Regards,

Liviu Daia

-- 
Dr. Liviu Daia                     e-mail:   Liviu.Daia () imar ro
Institute of Mathematics           web page: http://www.imar.ro/~daia
of the Romanian Academy            PGP key:  http://www.imar.ro/~daia/daia.asc
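A way to see what the step (3) table actually matches before loading it into Postfix, as an added example that is not from Liviu's post and not Postfix code: a small Python harness that applies the pattern to one MIME header line at a time, the way a mime_header_checks lookup does. Two translations are assumptions needed for Python's re module: the POSIX [[:xdigit:]] classes are written as [0-9A-Fa-f], and the case-insensitivity that Postfix applies to pcre: tables by default is expressed as re.I. The sample headers and the CLSID value in them are constructed. The harness also carries a corrected variant of the pattern (my change, not Liviu's): as posted, the trailing \b follows the CLSID alternative too, and since a closing "}" is not a word character, no word boundary can sit between it and the quote or end of line that normally follows it, so the CLSID branch never fires on an ordinary filename="...{CLSID}" header.

```python
import re

# Constructed harness (not from the post) that applies Liviu's pattern the way
# Postfix applies a mime_header_checks table: one MIME header line at a time,
# the first matching pattern decides the action.  Python's re needs two
# changes from the PCRE original: POSIX [[:xdigit:]] becomes [0-9A-Fa-f], and
# the case-insensitivity Postfix pcre: tables apply by default becomes re.I.
# re.X plays the role of the /x flag.
PREFIX = r'^Content-(?:Disposition:\s+attachment;|Type:).*\b(?:file)?name\s*=.*\.'

EXTENSIONS = r'''
    ad[ep] | asd | ba[st] | chm | cmd | com(?=$|") | cpl | crt | dll | eml | exe |
    hlp | hta | in[fs] | isp | jse? | lnk | md[betw] | ms[cipt] | nws | ocx | ops |
    pcd | p[ir]f | reg | sc[frt] | sh[bsm] | swf | url | vb[esx]? | vxd | ws[cfh]
'''

CLSID = r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'

# The pattern as posted: the closing \b follows the whole group, CLSID included.
AS_POSTED = re.compile(PREFIX + r'(?:' + EXTENSIONS + r'|' + CLSID + r')\b',
                       re.X | re.I)

# Corrected variant (my assumption, not from the post): \b is kept only for
# the extension alternatives.  A closing "}" is a non-word character, so a
# word boundary can never sit between it and the following quote or end of
# line; as posted, the CLSID alternative therefore never matches a normal
# filename="...{CLSID}" header.
CORRECTED = re.compile(PREFIX + r'(?:(?:' + EXTENSIONS + r')\b|' + CLSID + r')',
                       re.X | re.I)

ACTION = "REJECT Windows executables not allowed"


def check_mime_header(line, pattern=AS_POSTED):
    """Return the table's action for one MIME header line, or None when no
    pattern matches (Postfix then lets the header through unchanged)."""
    return ACTION if pattern.search(line) else None


# Constructed sample headers; the CLSID below is a made-up value, not a real
# class id.
SAMPLE_HEADERS = [
    'Content-Disposition: attachment; filename="document.pif"',
    'Content-Type: application/x-msdownload; name="update.EXE"',
    'Content-Disposition: attachment; filename="setup.com"',
    'Content-Disposition: attachment; filename="www.example.com.html"',
    'Content-Type: application/pdf; name="report.pdf"',
    'Content-Disposition: attachment; '
    'filename="invoice.txt.{12345678-ABCD-EF01-2345-6789ABCDEF01}"',
]


def compare(headers=SAMPLE_HEADERS):
    """Map each header to (action as posted, action with the corrected pattern)."""
    return {h: (check_mime_header(h, AS_POSTED), check_mime_header(h, CORRECTED))
            for h in headers}


if __name__ == "__main__":
    for header, (posted, fixed) in compare().items():
        print(f"{header}\n    as posted: {posted}\n    corrected: {fixed}")
```

The "www.example.com.html" line shows what the `com(?=$|")` lookahead is for: ".com" only counts when it is the final extension, so a saved web page is not rejected while "setup.com" is. Against a live table, the equivalent check is a `postmap -q` lookup of the same header string against `pcre:/etc/postfix/mime_header_checks.pcre`, which prints the action Postfix would take.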
Current thread:
- Ruh-Roh SOBIG.G? Dragos Ruiu (Sep 25)
- Re: Ruh-Roh SOBIG.G? Liviu Daia (Sep 25)
- SV: Ruh-Roh SOBIG.G? Peter Kruse (Sep 25)
- RE: Ruh-Roh SOBIG.G? Larry Seltzer (Sep 26)
- SV: Ruh-Roh SOBIG.G? Peter Kruse (Sep 25)
- Message not available
- Re: Ruh-Roh SOBIG.G? Dragos Ruiu (Sep 25)
- Re: Ruh-Roh SOBIG.G? Liviu Daia (Sep 25)
- Re: Ruh-Roh SOBIG.G? Valdis . Kletnieks (Sep 26)
- <Possible follow-ups>
- Re: Ruh-Roh SOBIG.G? Joe Stewart (Sep 25)
- RE: Ruh-Roh SOBIG.G? James C. Slora, Jr. (Sep 26)