Full Disclosure mailing list archives
RE: Re: Filtering sobig with postfix
From: Joshua Thomas <JThomas () poweronemedia com>
Date: Thu, 21 Aug 2003 00:48:15 -0400
Thank you, Thank you, Thank you. I just set up a box with postfix, and have been trying to figure out how to do this.

Joshua Thomas
Network Operations Engineer
PowerOne Media, Inc.
tel: 518-687-6143
jthomas () poweronemedia com

-----Original Message-----
From: Bojan Zdrnja [mailto:Bojan.Zdrnja () lss hr]
Sent: Wednesday, August 20, 2003 11:52 PM
To: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Re: Filtering sobig with postfix

> -----Original Message-----
> From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of martin f krafft
> Sent: Wednesday, 20 August 2003 10:43 p.m.
> To: full-disclosure () lists netsys com
> Subject: [Full-disclosure] Re: Filtering sobig with postfix
>
> thus spoke vogt () hansenet com <vogt () hansenet com> [2003.08.20.1017 +0200]:
> > in main.cf, enable "body_checks = (filename)". In that (filename) file, write a regular expression matching sobig, e.g. something like
> >
> >   /see attached file for details/ REJECT
>
> this incurs a factor 2-4 performance drop, and it could also elicit false positives. you should definitely do more than just REJECT (i.e. write out a message: s/REJECT/554 Suspected virus/).

Yep, as the OP is using postfix, he could use the header_checks directive, which can identify MIME headers, so he can easily stop this worm. Just check for Content-Disposition header and block everything with .pif in filename.

Regards,
Bojan Zdrnja

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
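The trade-off discussed in this thread, as an added example that is not part of any poster's message: a Python emulation of the body_checks pattern and of a Content-Disposition/.pif header pattern, run over three constructed messages. The header regex, the addresses and the file names are assumptions made for illustration; Postfix itself evaluates such patterns from its own lookup tables, not through Python.

```python
import re
from email import message_from_string

# Emulation of the two rules from the thread. Postfix regexp tables match
# case-insensitively by default, hence re.I. HEADER_RULE is an assumed pattern.
BODY_RULE = re.compile(r"see attached file for details", re.I)
HEADER_RULE = re.compile(
    r'^Content-(Disposition|Type):.*name\s*=\s*"?[^";]*\.pif("|\s|;|$)', re.I)

def build(body_text, filename):
    """Constructed two-part MIME message (sample data, not a real capture)."""
    return (
        "From: a@example.com\nTo: b@example.com\nSubject: Re: Details\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="XX"\n\n'
        "--XX\nContent-Type: text/plain\n\n" + body_text + "\n"
        "--XX\nContent-Type: application/octet-stream\n"
        "Content-Disposition: attachment;\n"
        '\tfilename="' + filename + '"\n\n'
        "AAAA\n--XX--\n")

def verdicts(raw):
    """Return (body_rule_hit, header_rule_hit) for one raw message."""
    msg = message_from_string(raw)
    body_hit = header_hit = False
    for part in msg.walk():
        # Each header is tested as one unfolded logical line.
        for name, value in part.items():
            line = name + ": " + " ".join(value.split())
            header_hit |= bool(HEADER_RULE.search(line))
        # Body content is tested line by line, as a body pattern would be.
        if not part.is_multipart():
            for line in part.get_payload().splitlines():
                body_hit |= bool(BODY_RULE.search(line))
    return body_hit, header_hit

SAMPLES = {  # all constructed
    "worm-like": build("see attached file for details", "details.pif"),
    "benign": build("Hi Bob, see attached file for details of the budget.",
                    "budget.pdf"),
    "new-text": build("Here is the document you asked for.", "document.pif"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, verdicts(raw))
```

The benign message trips only the body rule (the false positive mentioned above), while a message whose text differs but whose attachment still ends in .pif is caught only by the header rule.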