[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Re: Filtering sobig with postfix

To: <Bojan.Zdrnja@xxxxxx>
Subject: Re: [Full-Disclosure] Re: Filtering sobig with postfix
From: Craig Pratt <craig@xxxxxxxxxxxxxx>
Date: Wed, 20 Aug 2003 22:52:03 -0700

On Wednesday, Aug 20, 2003, at 20:51 US/Pacific, Bojan Zdrnja wrote:

-----Original Message-----
From: full-disclosure-admin@xxxxxxxxxxxxxxxx
[mailto:full-disclosure-admin@xxxxxxxxxxxxxxxx] On Behalf Of
martin f krafft
Sent: Wednesday, 20 August 2003 10:43 p.m.
To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: [Full-Disclosure] Re: Filtering sobig with postfix


also sprach vogt@xxxxxxxxxxxx <vogt@xxxxxxxxxxxx>
[2003.08.20.1017 +0200]:

in main.cf, enable "body_checks = (filename)". In that (filename)
file, write a regular expression matching sobig, e.g. something
like

/see attached file for details/ REJECT


this incurs a factor 2-4 performance drop, and it could also elicit
false positives. you should definitely do more than just REJECT
(i.e. write out a message: s/REJECT/554 Suspected virus/).

Yep, as the OP is using postfix, he could use the header_checks directive, which can identify MIME headers, so he can easily stop this worm. Just check for Content-Disposition header and block everything with .pif in filename.

Regards,

Bojan Zdrnja

You'd better check for a lot more than just .pif files. .scr and .exe files are critical as well.

And filtering on this stuff is problematic - since there are lots of ways to play with MIME headers - such as escaping characters and playing with the type fields. Check out Nessus's e-mail tests for some examples of the ways to subvert the kind of checks described here. You'd better be ready to write a few thousand REs.

If you want to really filter stuff, look at something like MailScanner (http://www.mailscanner.info) which has file-type/mime-type checking as just the first line of defense. The power and configurability of this system is amazing. It works with postfix and sendmail, and lots of virus scanners - if you choose to integrate one.

There's definitely a performance cost. But it's very smart about how it works - batching scans into a single job. Even if you scan during the SMTP exchange, there's going to be a cost. Such is life.

Craig

---
Craig Pratt
Strongbox Network Services Inc.
mailto:craigATstrong-box.net


--
This message checked for dangerous content by MailScanner on StrongBox.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: Re: [Full-Disclosure] MS03-039 has been released - critical
Next by Date: [Full-Disclosure] Why does a home computer user need DCOM?
Previous by thread: Re: [Full-Disclosure] Microsoft Security Bulletin MS03-039
Next by thread: [Full-Disclosure] Re: Popular Net anonymity service back-doored
Index(es):
- Date
- Thread