RE: [Full-Disclosure] Re: Filtering sobig with postfix
- To: "'Irwan Hadi'" <irwanhadi@phxby.com>, Bojan Zdrnja <Bojan.Zdrnja@LSS.hr>
- Subject: RE: [Full-Disclosure] Re: Filtering sobig with postfix
- From: Joshua Thomas <JThomas@poweronemedia.com>
- Date: Thu, 21 Aug 2003 20:26:40 -0400
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2653.12">
<TITLE>RE: [Full-Disclosure] Re: Filtering sobig with postfix</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>Or, use:</FONT>
</P>
<P><FONT SIZE=2>/^TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA$/ DISCARD Keep your viruses (sobig.f)</FONT>
</P>
<P><FONT SIZE=2>Shamelessly stolen from: <A HREF="http://sbserv.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_sobigf.shtml" TARGET="_blank">http://sbserv.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_sobigf.shtml</A></FONT>
</P>
<P><FONT SIZE=2>Cheers,</FONT>
</P>
<P><FONT SIZE=2>Joshua Thomas</FONT>
<BR><FONT SIZE=2>Network Operations Engineer</FONT>
<BR><FONT SIZE=2>PowerOne Media, Inc.</FONT>
<BR><FONT SIZE=2>tel: 518-687-6143</FONT>
<BR><FONT SIZE=2>jthomas@poweronemedia.com </FONT>
</P>
<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: Irwan Hadi [<A HREF="mailto:irwanhadi@phxby.com">mailto:irwanhadi@phxby.com</A>]</FONT>
<BR><FONT SIZE=2>Sent: Thursday, August 21, 2003 6:37 PM</FONT>
<BR><FONT SIZE=2>To: Bojan Zdrnja</FONT>
<BR><FONT SIZE=2>Cc: full-disclosure@netsys.com</FONT>
<BR><FONT SIZE=2>Subject: Re: [Full-Disclosure] Re: Filtering sobig with postfix</FONT>
</P>
<BR>
<P><FONT SIZE=2>On Fri, Aug 22, 2003 at 08:43:45AM +1200, Bojan Zdrnja wrote:</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> /filename=.*(your_details|your_document|document_all).pif/ REJECT</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> You might want to reject all .pif files, and also:</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> /(Virus found|VIRUS ALERT)/ DISCARD</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> To discard all those messages originating from improperly configured MTAs,</FONT>
<BR><FONT SIZE=2>> which were able to detect Sobig-F, but which still send a notification to</FONT>
<BR><FONT SIZE=2>> the faked From: address.</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> After you edit that file just issue:</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> # /usr/sbin/postmap /etc/postfix/header_checks</FONT>
<BR><FONT SIZE=2>> </FONT>
</P>
<P><FONT SIZE=2>You don't need to postmap the header checks file, because you are using</FONT>
<BR><FONT SIZE=2>regexp.</FONT>
<BR><FONT SIZE=2>You *only* need to postmap it if you use hash:, dbm: or btree:</FONT>
</P>
<P><FONT SIZE=2>_______________________________________________</FONT>
<BR><FONT SIZE=2>Full-Disclosure - We believe in it.</FONT>
<BR><FONT SIZE=2>Charter: <A HREF="http://lists.netsys.com/full-disclosure-charter.html" TARGET="_blank">http://lists.netsys.com/full-disclosure-charter.html</A></FONT>
</P>
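<P><FONT SIZE=2>Added example (not from any poster in this thread): a small Python model of how Postfix regexp: header_checks and body_checks tables apply the rules quoted above, first matching row wins, case-insensitive as Postfix defaults. It also shows why the body_checks pattern starts with TVqQ: that is the base64 of a standard MZ executable header, so the rule catches the attachment's first encoded line whatever the file is named. The MZ header bytes and sample messages are constructed; Python's re stands in for Postfix's PCRE.</FONT>
</P>

```python
import base64
import re

# Rows are (pattern, action) in file order; the first matching row wins.
# Header rules are the ones quoted in the thread (page's own patterns).
HEADER_CHECKS = [
    (r"filename=.*(your_details|your_document|document_all).pif", "REJECT"),
    (r"(Virus found|VIRUS ALERT)", "DISCARD"),
]

# Constructed: the first 57 bytes of a typical MZ/DOS executable header, which
# is what the first 76-character base64 line of a Sobig.f attachment encodes.
MZ_HEADER = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
             b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00" + b"\x00" * 31)
SOBIG_LINE = base64.b64encode(MZ_HEADER).decode("ascii")  # TVqQAAMAAAAE...

BODY_CHECKS = [
    # Anchored at both ends like the thread's rule: only a complete base64 line
    # of an executable header matches, not a line that merely contains it.
    ("^" + re.escape(SOBIG_LINE) + "$", "DISCARD"),
]


def check_table(table, line):
    """Return the action of the first row matching the line, else None."""
    for pattern, action in table:
        if re.search(pattern, line, re.IGNORECASE):  # Postfix default: case-insensitive
            return action
    return None


def check_message(headers, body_lines):
    """Header rules see each header line; body rules see each body line."""
    for h in headers:
        action = check_table(HEADER_CHECKS, h)
        if action:
            return action
    for b in body_lines:
        action = check_table(BODY_CHECKS, b)
        if action:
            return action
    return "OK"


# Constructed sample messages: (header lines, body lines).
SOBIG_MSG = (["Subject: Re: Details", 'Content-Disposition: attachment; filename="your_details.pif"'],
             ["See the attached file for details.", SOBIG_LINE, "AAAAAAAAAAAAAAAAAAAA"])
RENAMED = (["Subject: Thank you!", 'Content-Disposition: attachment; filename="thank_you.scr"'],
           ["", SOBIG_LINE])
BOUNCE = (["Subject: VIRUS ALERT"], ["Your message was infected."])
CLEAN = (["Subject: lunch"], ["TVqQ is just text here"])
```

The RENAMED case is the point of the body rule: the filename rule misses it, the encoded MZ line does not.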
</BODY>
</HTML>