> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> martin f krafft
> Sent: Wednesday, 20 August 2003 10:43 p.m.
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Re: Filtering sobig with postfix
>
>
> also sprach [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> [2003.08.20.1017 +0200]:
> > in main.cf, enable "body_checks = (filename)". In that (filename)
> > file, write a regular expression matching sobig, e.g. something
> > like
> >
> >   /see attached file for details/ REJECT
>
> this incurs a factor 2-4 performance drop, and it could also elicit
> false positives. you should definitely do more than just REJECT
> (i.e. write out a message: s/REJECT/554 Suspected virus/).

Yep, as the OP is using postfix, he could use the header_checks directive, which can identify MIME headers, so he can easily stop this worm. Just check for the Content-Disposition header and block everything with .pif in the filename.

Regards,

Bojan Zdrnja

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
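
The attachment-name check suggested in the reply above, as an added example that is not part of the original thread and is not Postfix configuration. It uses Python's `email` parser instead of a header_checks regular expression; the function name, sample messages and addresses are constructed for illustration.

```python
from email import message_from_string

BLOCKED_EXTENSIONS = (".pif",)        # the extension named in the reply
REJECT_TEXT = "554 Suspected virus"   # reply text suggested in the quoted message


def check_message(raw):
    """Return (reject_text, filename) for the first blocked attachment, else None."""
    msg = message_from_string(raw)
    for part in msg.walk():
        # get_filename() reads the Content-Disposition "filename" parameter and
        # falls back to the Content-Type "name" parameter when it is absent.
        name = part.get_filename()
        if not name:
            continue
        # Compare case-insensitively and ignore trailing dots and spaces.
        normalized = name.strip().rstrip(". ").lower()
        if normalized.endswith(BLOCKED_EXTENSIONS):
            return REJECT_TEXT, name
    return None


def _sample(attachment_headers):
    """Build a constructed two-part message; the body text is the phrase from the thread."""
    return (
        "From: a@example.com\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        "see attached file for details\n"
        "--b1\n"
        + attachment_headers +
        "\n"
        "placeholder\n"
        "--b1--\n"
    )


# Constructed inputs: a folded Content-Disposition header, a Content-Type
# "name" only, and a harmless attachment with the same body text.
SAMPLE_PIF = _sample("Content-Type: application/octet-stream\n"
                     'Content-Disposition: attachment;\n filename="details.pif"\n')
SAMPLE_NAME_ONLY = _sample("Content-Type: application/octet-stream; name=DETAILS.PIF\n")
SAMPLE_BENIGN = _sample("Content-Type: text/plain\n"
                        'Content-Disposition: attachment; filename="notes.txt"\n')
```

The benign sample carries the body phrase matched by the body_checks rule in the quoted message, yet is not rejected, because only attachment names are inspected.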
