Full Disclosure mailing list archives
RE: Re: Filtering sobig with postfix
From: "Bojan Zdrnja" <Bojan.Zdrnja () LSS hr>
Date: Thu, 21 Aug 2003 15:51:33 +1200
-----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of martin f krafft Sent: Wednesday, 20 August 2003 10:43 p.m. To: full-disclosure () lists netsys com Subject: [Full-disclosure] Re: Filtering sobig with postfix also sprach vogt () hansenet com <vogt () hansenet com> [2003.08.20.1017 +0200]:in main.cf, enable "body_checks = (filename)". In that (filename) file, write a regular expression matching sobig, e.g. something like /see attached file for details/ REJECTthis incurs a factor 2-4 performance drop, and it could also elicit false positives. you should definitely do more than just REJECT (i.e. write out a message: s/REJECT/554 Suspected virus/).
Yep, as the OP is using postfix, he could use the header_checks directive, which can identify MIME headers, so he can easily stop this worm. Just check for Content-Disposition header and block everything with .pif in filename. Regards, Bojan Zdrnja _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Filtering sobig with postfix vogt (Aug 20)
- Re: Filtering sobig with postfix martin f krafft (Aug 20)
- RE: Re: Filtering sobig with postfix Bojan Zdrnja (Aug 20)
- Re: Filtering sobig with postfix Valdis . Kletnieks (Aug 20)
- <Possible follow-ups>
- RE: Re: Filtering sobig with postfix Joshua Thomas (Aug 20)
- Re: Re: Filtering sobig with postfix securdz (Aug 21)
- RE: Re: Filtering sobig with postfix Bojan Zdrnja (Aug 21)
- RE: Re: Filtering sobig with postfix Joshua Thomas (Aug 21)
- RE: Re: Filtering sobig with postfix Paul Szabo (Aug 21)
- Re: Filtering sobig with postfix martin f krafft (Aug 20)