> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Friday, 22 August 2003 12:06 a.m.
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: AW: [Full-Disclosure] Re: Filtering sobig with postfix
>
> > Yep, as the OP is using postfix, he could use the
> > header_checks directive,
> > which can identify MIME headers, so he can easily stop this worm.
> > Just check for Content-Disposition header and block
> > everything with .pif in
> > filename.
>
> Thought about that, but doesn't quite work. The headers only say
> multipart/mime. The .pif part comes later in the attachment.
Postfix's header_checks filter understands multi-line headers, including MIME headers in the message body. So, this should actually work in main.cf:

header_checks = regexp:/etc/postfix/header_checks

And in /etc/postfix/header_checks put:

/filename=.*(your_details|your_document|document_all).pif/ REJECT

You might want to reject all .pif files, and also:

/(Virus found|VIRUS ALERT)/ DISCARD

to discard all those messages originating from improperly configured MTAs, which were able to detect Sobig-F but which still send a notification to the faked From: address.

After you edit that file just issue:

# /usr/sbin/postmap /etc/postfix/header_checks

And I believe you're ready to go :)

Regards,

Bojan Zdrnja

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
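A worked illustration of what those header_checks rules actually match, added here as an example; it is not part of Bojan's post and not Postfix code. The script builds constructed sample messages with Python's email module and applies the post's patterns, in order, to every header line of the top-level message and of each MIME part, the way Postfix header_checks does (it sees "Name: value" lines, the first matching rule wins, and regexp tables match case-insensitively by default, mirrored here with re.IGNORECASE). It goes one step beyond the post by adding a general rule for any .pif attachment, since the post suggests rejecting all .pif files. The addresses, subjects and attachment payloads are constructed; the point to notice is that the Content-Disposition header of the attachment part is matched even though the top-level headers only say multipart, while "Virus found" inside a message body is not matched, because header_checks inspects headers, not body text.

```python
import re
from email.message import EmailMessage

# Rules in the order they would appear in /etc/postfix/header_checks.
# The first and third patterns are the ones from the post; the second is a
# generalized "any .pif attachment" rule, as the post suggests.
HEADER_CHECKS = [
    (r"filename=.*(your_details|your_document|document_all).pif", "REJECT"),
    (r"filename=.*\.pif(\"|$)", "REJECT"),
    (r"(Virus found|VIRUS ALERT)", "DISCARD"),
]
# Postfix regexp tables are case-insensitive by default.
COMPILED = [(re.compile(p, re.IGNORECASE), a) for p, a in HEADER_CHECKS]


def check_headers(msg):
    """Simulate header_checks: scan the headers of the top-level message
    and of every MIME part (msg.walk() yields the top level as part 0),
    first matching rule wins. Returns (action, header_name, part_index)
    or None when nothing matches. Body text is never inspected."""
    for idx, part in enumerate(msg.walk()):
        for name, value in part.items():
            # Postfix hands the rule a single unfolded "Name: value" line.
            line = f"{name}: {value}"
            for rx, action in COMPILED:
                if rx.search(line):
                    return action, name, idx
    return None


def sobig_like_message(filename="your_document.pif"):
    """Constructed sample shaped like the worm mails in the thread:
    a short text part plus a .pif attachment with dummy bytes."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Re: Details"
    msg.set_content("See the attached file for details.")
    msg.add_attachment(b"not-a-real-executable", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


def bounce_message():
    """Constructed sample: a notification from an MTA that detected the
    worm but mailed the forged sender anyway."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.invalid"
    msg["To"] = "forged-sender@example.invalid"
    msg["Subject"] = "VIRUS ALERT: Sobig.F found in your message"
    msg.set_content("Your message was not delivered: Virus found.")
    return msg


def benign_message():
    """Constructed sample: an ordinary PDF attachment that must pass,
    with the trigger phrase only in the body, which header_checks ignores."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Attached. No Virus found here, the scanner says.")
    msg.add_attachment(b"%PDF-1.4 dummy", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg


if __name__ == "__main__":
    for label, m in [("sobig", sobig_like_message()),
                     ("sobig-upper", sobig_like_message("YOUR_DOCUMENT.PIF")),
                     ("other-pif", sobig_like_message("screensaver.pif")),
                     ("bounce", bounce_message()),
                     ("benign", benign_message())]:
        print(f"{label:12s} -> {check_headers(m)}")
```

Part index 2 in the results is the attachment part (0 is the multipart container, 1 the text part), which is exactly where the top-level headers of the OP's messages gave no hint of the .pif.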
