RE: Re: Filtering sobig with postfix

["Bojan Zdrnja" <Bojan.Zdrnja () LSS hr>]

> -----Original Message-----
> From: full-disclosure-admin () lists netsys com 
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
> vogt () hansenet com
> Sent: Friday, 22 August 2003 12:06 a.m.
> To: Bojan.Zdrnja () LSS hr; full-disclosure () lists netsys com
> Subject: AW: [Full-disclosure] Re: Filtering sobig with postfix
>
>
> > Yep, as the OP is using postfix, he could use the 
> > header_checks directive,
> > which can identify MIME headers, so he can easily stop this worm.
> > Just check for Content-Disposition header and block 
> > everything with .pif in
> > filename.
>
> Thought about that, but doesn't quite work. The headers only say
> multipart/mime. The .pif part comes later in the attachment.

Postfix's header_check filter understands multi-line headers, including MIME
headers in the message body.

So, this should actually work in main.cf:

header_checks = regexp:/etc/postfix/header_checks


And in /etc/postfix/header_checks put:

/filename=.*(your_details|your_document|document_all).pif/ REJECT

You might want to reject all .pif files, and also:

/(Virus found|VIRUS ALERT)/ DISCARD


To discard all those messages originating from improperly configured MTA's,
which were able to detect Sobig-F, but which still send notification to
faked from: address.

After you edit that file just issue:

# /usr/sbin/postmap /etc/postfix/header_checks


And I believe you're ready to go :)

Regards,

Bojan Zdrnja

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html