nanog mailing list archives

Re: Hijacked email

From: william+nanog () hq dreamhost com (Will Yardley)
Date: Wed, 20 Aug 2003 18:13:58 -0700


On Wed, Aug 20, 2003 at 11:28:27AM -0400, Omachonu Ogali wrote:


For our Postfix viewers out there...

header_checks:
/^X-MailScanner: Found to be clean$/    REJECT You're infected, but you probably won't see this message anyway.


Of course, this will also block legitimate messages that have been
scanned by whatever type of virus scanner adds that header.

Wietse suggests the following body check; it will work better with
Postfix 2.0:
http://sbserv.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_sobigf.shtml

This is working well for us.

You could also probably look for the following three lines in a row:

(I'll indent a space so they don't set off people who are blocking based
on the above rules):

 X-MailScanner: Found to be clean
 Importance: Normal
 X-Mailer: Microsoft Outlook Express 6.00.2600.0000

We're seeing a LOT of these today.... probably in the thousands per
second.

-- 
"Since when is skepticism un-American?
Dissent's not treason but they talk like it's the same..."
(Sleater-Kinney - "Combat Rock")

Current thread:

Hijacked email Jack.W.Parks (Aug 20)
- Re: Hijacked email Pascal Gloor (Aug 20)
  - Re: Hijacked email jlewis (Aug 20)
    - Re: Hijacked email Omachonu Ogali (Aug 20)
    - Re: Hijacked email Richard Irving (Aug 20)
    - Hey netscalibur! (was: Re: Hijacked email) Christopher Chin (Aug 20)
    - Re: Hey netscalibur! (was: Re: Hijacked email) just me (Aug 20)
    - Message not available
    - Re: Hey netscalibur! (was: Re: Hijacked email) Christopher Chin (Aug 20)
    - Re: Hijacked email Will Yardley (Aug 20)
    - Re: Hijacked email Will Yardley (Aug 20)
- Re: Hijacked email Nathan A. Stratton (Aug 20)
  - Re: Hijacked email Mr. James W. Laferriere (Aug 20)
- Re: Hijacked email Haesu (Aug 20)