RE: [Full-Disclosure] Re: Filtering sobig with postfix
- To: "'Bojan.Zdrnja@lss.hr'" <Bojan.Zdrnja@lss.hr>, full-disclosure@lists.netsys.com
- Subject: RE: [Full-Disclosure] Re: Filtering sobig with postfix
- From: Joshua Thomas <JThomas@poweronemedia.com>
- Date: Thu, 21 Aug 2003 00:48:15 -0400
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2653.12">
<TITLE>RE: [Full-Disclosure] Re: Filtering sobig with postfix</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>Thank you, Thank you, Thank you.</FONT>
</P>
<P><FONT SIZE=2>I just set up a box with postfix, and have been trying to figure out how to do this.</FONT>
</P>
<P><FONT SIZE=2>Joshua Thomas</FONT>
<BR><FONT SIZE=2>Network Operations Engineer</FONT>
<BR><FONT SIZE=2>PowerOne Media, Inc.</FONT>
<BR><FONT SIZE=2>tel: 518-687-6143</FONT>
<BR><FONT SIZE=2>jthomas@poweronemedia.com </FONT>
</P>
<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: Bojan Zdrnja [<A HREF="mailto:Bojan.Zdrnja@lss.hr">mailto:Bojan.Zdrnja@lss.hr</A>]</FONT>
<BR><FONT SIZE=2>Sent: Wednesday, August 20, 2003 11:52 PM</FONT>
<BR><FONT SIZE=2>To: full-disclosure@lists.netsys.com</FONT>
<BR><FONT SIZE=2>Subject: RE: [Full-Disclosure] Re: Filtering sobig with postfix</FONT>
</P>
<BR>
<BR>
<BR>
<P><FONT SIZE=2>> -----Original Message-----</FONT>
<BR><FONT SIZE=2>> From: full-disclosure-admin@lists.netsys.com </FONT>
<BR><FONT SIZE=2>> [<A HREF="mailto:full-disclosure-admin@lists.netsys.com">mailto:full-disclosure-admin@lists.netsys.com</A>] On Behalf Of </FONT>
<BR><FONT SIZE=2>> martin f krafft</FONT>
<BR><FONT SIZE=2>> Sent: Wednesday, 20 August 2003 10:43 p.m.</FONT>
<BR><FONT SIZE=2>> To: full-disclosure@lists.netsys.com</FONT>
<BR><FONT SIZE=2>> Subject: [Full-Disclosure] Re: Filtering sobig with postfix</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> also sprach vogt@hansenet.com <vogt@hansenet.com> </FONT>
<BR><FONT SIZE=2>> [2003.08.20.1017 +0200]:</FONT>
<BR><FONT SIZE=2>> > in main.cf, enable "body_checks = (filename)". In that (filename)</FONT>
<BR><FONT SIZE=2>> > file, write a regular expression matching sobig, e.g. something</FONT>
<BR><FONT SIZE=2>> > like</FONT>
<BR><FONT SIZE=2>> > </FONT>
<BR><FONT SIZE=2>> > /see attached file for details/ REJECT</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> this incurs a factor 2-4 performance drop, and it could also elicit</FONT>
<BR><FONT SIZE=2>> false positives. you should definitely do more than just REJECT</FONT>
<BR><FONT SIZE=2>> (i.e. write out a message: s/REJECT/554 Suspected virus/).</FONT>
</P>
<P><FONT SIZE=2>Yep, as the OP is using postfix, he could use the header_checks directive,</FONT>
<BR><FONT SIZE=2>which can identify MIME headers, so he can easily stop this worm.</FONT>
<BR><FONT SIZE=2>Just check for the Content-Disposition header and block everything with .pif in</FONT>
<BR><FONT SIZE=2>the filename.</FONT>
</P>
<P><FONT SIZE=2>Regards,</FONT>
</P>
<P><FONT SIZE=2>Bojan Zdrnja</FONT>
</P>
<P><FONT SIZE=2>_______________________________________________</FONT>
<BR><FONT SIZE=2>Full-Disclosure - We believe in it.</FONT>
<BR><FONT SIZE=2>Charter: <A HREF="http://lists.netsys.com/full-disclosure-charter.html" TARGET="_blank">http://lists.netsys.com/full-disclosure-charter.html</A></FONT>
</P>
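<P><FONT SIZE=2>The two approaches discussed above (a body_checks pattern on the worm's one-line text versus a header_checks rule on the attachment filename) can be compared offline. The Python block below is an added example, not code from any of the posters: it parses rules written in the Postfix "/pattern/flags ACTION text" table form, applies them to a message in wire order the way header_checks, mime_header_checks and body_checks do, and runs both proposed tables over two constructed messages (a Sobig.F-shaped one and a plain reply that happens to use the same sentence). The table contents, the sample messages and every function name are this example's own assumptions, not anything from the thread.</FONT></P>

```python
"""Emulates Postfix header_checks / body_checks (regexp_table(5)) over
constructed messages.  Added example, not code from the original posts:
the tables, samples and function names are the editor's own."""
import email
import re
# Proposed header_checks table.  Postfix also applies it to the headers of
# every MIME part (mime_header_checks defaults to $header_checks).
HEADER_CHECKS = r"""
# reject Windows executable attachments by filename extension
/^Content-(Disposition|Type):.*(file)?name\s*=\s*"?[^";]*\.(pif|scr|exe|com|bat|vbs)\b/ REJECT 554 Executable attachment not accepted
"""

# Proposed body_checks table with the explicit reply text Krafft asked for.
# It is tested against every body line, so ordinary mail can match too.
BODY_CHECKS = r"""
/^(please )?see the attached file for details\.?$/ REJECT 554 Suspected virus
"""

# "/pattern/flags ACTION text"; first match wins; case-insensitive unless the
# "i" flag toggles it off.  Continuation lines and $n are not emulated.
RULE_RE = re.compile(r'^/((?:\\.|[^/])+)/([A-Za-z]*)\s+([A-Z]+)(?:\s+(.*))?$')

def parse_table(text):
    """Parse table text into [(compiled_regex, action, reply_text)]."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError('malformed rule: ' + line)
        pattern, flags, action, reply = m.groups()
        flag = 0 if 'i' in flags else re.IGNORECASE
        rules.append((re.compile(pattern, flag), action, reply or ''))
    return rules

def first_match(rules, line):
    """Postfix semantics: unanchored search, first matching rule wins."""
    for regex, action, reply in rules:
        if regex.search(line):
            return action, reply
    return None

def check_message(raw, header_rules, body_rules):
    """Walk the message in wire order (top headers, then each part's headers
    and raw body lines); return the first REJECT/DISCARD/HOLD or ('DUNNO', '')."""
    msg = email.message_from_string(raw)
    for part in msg.walk():
        for name, value in part.items():
            # Postfix tests the whole logical header, folded lines joined
            header = name + ': ' + re.sub(r'\r?\n[ \t]+', ' ', value)
            hit = first_match(header_rules, header)
            if hit and hit[0] in ('REJECT', 'DISCARD', 'HOLD'):
                return hit
        if part.is_multipart():
            continue
        # body_checks sees transfer-encoded lines, not decoded content
        for line in part.get_payload(decode=False).splitlines():
            hit = first_match(body_rules, line)
            if hit and hit[0] in ('REJECT', 'DISCARD', 'HOLD'):
                return hit
    return 'DUNNO', ''

HEADER_RULES = parse_table(HEADER_CHECKS)
BODY_RULES = parse_table(BODY_CHECKS)

# Constructed samples, not captures.  WORM_STYLE follows the Sobig.F layout:
# a one-line text part followed by a .pif attachment.
WORM_STYLE = """\
From: admin@example.com
To: user@example.net
Subject: Thank you!
Content-Type: multipart/mixed; boundary="----=_part_1"

------=_part_1
Content-Type: text/plain; charset="iso-8859-1"

Please see the attached file for details.
------=_part_1
Content-Type: application/octet-stream; name="thank_you.pif"
Content-Disposition: attachment;
 filename="thank_you.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA=
------=_part_1--
"""

# A plain message whose text uses the same sentence: the body rule hits it
# (the false positive Krafft warns about); the header rule does not.
LEGIT_REPORT = """\
From: alice@example.org
To: bob@example.net
Subject: Q3 report

Please see the attached file for details.
"""
```

<P><FONT SIZE=2>With HEADER_RULES alone, check_message rejects WORM_STYLE at the attachment's Content-Type / Content-Disposition header and lets LEGIT_REPORT through. With BODY_RULES added, both messages are rejected with "554 Suspected virus": the worm is caught on the text part's body line before its attachment headers are ever reached, and the ordinary reply is caught by the same rule, which is exactly the false-positive trade-off Krafft points out. Before enabling a real table in main.cf, check it the same way with postmap -q against the pcre: or regexp: file.</FONT></P>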
</BODY>
</HTML>