Notice that filtering based on the subject opens the possibility for false positives, since a possible innocent mail might include in its body the sentence "See the attached file..." (and, it's not that far fetched).

I think it's even better filtering via your SMTP server, if you have one. It might be rejecting the message even before it "landed", based on partial transaction data (not sure about this with regard to "mime header check" I detail below).

In short, to stop *this virus only* add the following to your main.cf file. Make sure this is inserted before the "<...>restrictions" sections, if you have any (otherwise, they might "catch" before this one):
<<--------------------------->>
mime_header_checks = regexp:/etc/postfix/maps/mime_header_checks
<<--------------------------->>
(verify location of file, where you would create it)


Then, create the file pointed above: /etc/postfix/maps/mime_header_checks, and insert the following into it:
<<--------------------------->>
/name=[^>]*your_document.pif/ REJECT
/name=[^>]*document_all.pif/ REJECT
/name=[^>]*thank_you.pif/ REJECT
/name=[^>]*your_details.pif/ REJECT
/name=[^>]*your_details.zip/ REJECT
/name=[^>]*details.pif/ REJECT
/name=[^>]*document_9446.pif/ REJECT
/name=[^>]*application.pif/ REJECT
/name=[^>]*wicked_scr.scr/ REJECT
/name=[^>]*movie0045.pif/ REJECT
<<--------------------------->>


Next, just /etc/init.d/postfix reload.

Credits: This is based on the Security Sage anti-spam with postfix guide (http://www.securitysage.com/guides/postfix_uce.html). Seems like a very good guide.

Boaz.

Omer Zak wrote:

Thanks to everyone who yelled "RTFM", in the most polite way possible.
I googled and upgraded my .procmailrc file.
The rule which I added is:
:0
* > 99000
* < 120000
* ^Content-Type:.*multipart/mixed;
{
     :0 B
     * ^See the attached file for details
     * ^Content-Transfer-Encoding: base64
     * ^Content-Disposition: attachment;
     * ^.*filename=".*\.pif"
     /dev/null
}

The rule does not catch messages whose attached file's extension is .scr.
I'll add a rule to catch those messages once I feel comfortable with the rule
which I already added.



Nadav Har'El wrote:


But the big problem isn't the virus - it's the bounces from all the people
that got this virus supposedly from me. These bounces include an anti-virus
spam (anti-virus makers know there is no point in replying to viruses, but
they do so anyway, as a way to "legitimately" spamvertize their products)
and bounces from non-existent or out-of-quota addresses. In the last two
days I got almost 400 bounces (!) and only about 40 copies of the actual
virus.


For me, as for now, the big problem is not the bounces but the virus E-mails themselves.
With each E-mail being 100KB long, and with about 180 E-mail messages a day, I have
to empty my mailbox very often or risk losing legitimate E-mail due to overflowing
mailbox.


                                            --- Omer
My opinions, as expressed in this E-mail message, are mine alone.
They do not represent the official policy of any organization with which
I may be affiliated in any way.
WARNING TO SPAMMERS:  at http://www.zak.co.il/spamwarning.html
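As an added illustration (not code from the thread or from Postfix itself) of why Boaz's mime_header_checks approach avoids the body-text false positive he mentions, the following Python models how a regexp map of the form shown above is applied: each MIME header line of each part is tested against the rules in order, first match wins, and the message body is never consulted. The rule list is constructed here from two of the posted patterns plus a broader .pif/.scr extension pattern that goes beyond the page's own list (Omer notes his procmail rule misses .scr); the sample message is constructed, not a real capture.

```python
import re
from email import message_from_bytes
from email.policy import default

# (pattern, action) pairs in the spirit of the posted regexp: map.
# First match wins, as in a Postfix lookup table. Constructed for this example.
RULES = [
    (re.compile(r"name=[^>]*your_document\.pif", re.I), "REJECT"),
    (re.compile(r"name=[^>]*wicked_scr\.scr", re.I), "REJECT"),
    # Broader catch-all for the two extensions discussed in the thread.
    (re.compile(r'name=[^>]*\.(pif|scr)"?\s*$', re.I), "REJECT"),
]


def mime_header_lines(raw):
    """Yield every header line of every MIME part, unfolded to one line.

    Simplified model of what Postfix feeds to mime_header_checks: only
    headers are inspected, never the decoded body text."""
    msg = message_from_bytes(raw, policy=default)
    for part in msg.walk():
        for name, value in part.items():
            yield f"{name}: {' '.join(str(value).split())}"


def check_mime_headers(raw, rules=RULES):
    """Return (action, matched_line) for the first rule hit, else ("OK", None)."""
    for line in mime_header_lines(raw):
        for pattern, action in rules:
            if pattern.search(line):
                return action, line
    return "OK", None


def sample(filename):
    """Constructed message shaped like the ones in the thread (not a real capture)."""
    return (
        "From: someone@example.invalid\r\n"
        "Subject: Thank you!\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
        "\r\n--XYZ\r\n"
        "Content-Type: text/plain\r\n\r\n"
        "See the attached file for details.\r\n"   # body text is never scanned
        "--XYZ\r\n"
        f'Content-Type: application/octet-stream; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n\r\n'
        "AAAA\r\n--XYZ--\r\n"
    ).encode()
```

A legitimate mail carrying the same "See the attached file" sentence but a .pdf attachment passes, while a .pif or .scr attachment name is rejected.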



=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]






