nanog mailing list archives
Re: Hijacked email
From: william+nanog () hq dreamhost com (Will Yardley)
Date: Wed, 20 Aug 2003 18:13:58 -0700
On Wed, Aug 20, 2003 at 11:28:27AM -0400, Omachonu Ogali wrote:
For our Postfix viewers out there... header_checks: /^X-MailScanner: Found to be clean$/ REJECT You're infected, but you probably won't see this message anyway.
Of course, this will also block legitimate messages that have been scanned by whatever type of virus scanner adds that header. Wietse suggests the following body check; it will work better with Postfix 2.0: http://sbserv.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_sobigf.shtml This is working well for us. You could also probably look for the following three lines in a row: (I'll indent a space so they don't set off people who are blocking based on the above rules): X-MailScanner: Found to be clean Importance: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 We're seeing a LOT of these today.... probably in the thousands per second. -- "Since when is skepticism un-American? Dissent's not treason but they talk like it's the same..." (Sleater-Kinney - "Combat Rock")
Current thread:
- Hijacked email Jack.W.Parks (Aug 20)
- Re: Hijacked email Pascal Gloor (Aug 20)
- Re: Hijacked email jlewis (Aug 20)
- Re: Hijacked email Omachonu Ogali (Aug 20)
- Re: Hijacked email Richard Irving (Aug 20)
- Hey netscalibur! (was: Re: Hijacked email) Christopher Chin (Aug 20)
- Re: Hey netscalibur! (was: Re: Hijacked email) just me (Aug 20)
- Re: Hijacked email jlewis (Aug 20)
- Message not available
- Re: Hey netscalibur! (was: Re: Hijacked email) Christopher Chin (Aug 20)
- Re: Hijacked email Pascal Gloor (Aug 20)
- Re: Hijacked email Will Yardley (Aug 20)
- Re: Hijacked email Will Yardley (Aug 20)
- Re: Hijacked email Mr. James W. Laferriere (Aug 20)