On Wednesday, Aug 20, 2003, at 20:51 US/Pacific, Bojan Zdrnja wrote:
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of martin f krafft Sent: Wednesday, 20 August 2003 10:43 p.m. To: [EMAIL PROTECTED] Subject: [Full-Disclosure] Re: Filtering sobig with postfix
also sprach [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2003.08.20.1017 +0200]:in main.cf, enable "body_checks = (filename)". In that (filename) file, write a regular expression matching sobig, e.g. something like
/see attached file for details/ REJECT
this incurs a factor 2-4 performance drop, and it could also elicit false positives. you should definitely do more than just REJECT (i.e. write out a message: s/REJECT/554 Suspected virus/).
Yep, as the OP is using postfix, he could use the header_checks directive,
which can identify MIME headers, so he can easily stop this worm.
Just check for Content-Disposition header and block everything with .pif in
filename.
Regards,
Bojan Zdrnja
You'd better check for a lot more than just .pif files. .scr and .exe files are critical as well.
And filtering on this stuff is problematic - since there are lots of ways to play with MIME headers - such as escaping characters and playing with the type fields. Check out Nessus's e-mail tests for some examples of the ways to subvert the kind of checks described here. You'd better be ready to write a few thousand REs.
If you want to really filter stuff, look at something like MailScanner (http://www.mailscanner.info) which has file-type/mime-type checking as just the first line of defense. The power and configurability of this system is amazing. It works with postfix and sendmail, and lots of virus scanners - if you choose to integrate one.
There's definitely a performance cost. But it's very smart about how it works - batching scans into a single job. Even if you scan during the SMTP exchange, there's going to be a cost. Such is life.
Craig
--- Craig Pratt Strongbox Network Services Inc. mailto:craigATstrong-box.net
-- This message checked for dangerous content by MailScanner on StrongBox.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
