[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [Full-Disclosure] Re: Filtering sobig with postfix
- To: <full-disclosure@lists.netsys.com>
- Subject: RE: [Full-Disclosure] Re: Filtering sobig with postfix
- From: "Bojan Zdrnja" <Bojan.Zdrnja@LSS.hr>
- Date: Fri, 22 Aug 2003 08:43:45 +1200
> -----Original Message-----
> From: full-disclosure-admin@lists.netsys.com
> [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of
> vogt@hansenet.com
> Sent: Friday, 22 August 2003 12:06 a.m.
> To: Bojan.Zdrnja@LSS.hr; full-disclosure@lists.netsys.com
> Subject: AW: [Full-Disclosure] Re: Filtering sobig with postfix
>
>
> > Yep, as the OP is using postfix, he could use the
> > header_checks directive,
> > which can identify MIME headers, so he can easily stop this worm.
> > Just check for Content-Disposition header and block
> > everything with .pif in
> > filename.
>
> Thought about that, but doesn't quite work. The headers only say
> multipart/mime. The .pif part comes later in the attachment.
Postfix's header_check filter understands multi-line headers, including MIME
headers in the message body.
So, this should actually work in main.cf:
header_checks = regexp:/etc/postfix/header_checks
And in /etc/postfix/header_checks put:
/filename=.*(your_details|your_document|document_all).pif/ REJECT
You might want to reject all .pif files, and also:
/(Virus found|VIRUS ALERT)/ DISCARD
To discard all those messages originating from improperly configured MTA's,
which were able to detect Sobig-F, but which still send notification to
faked from: address.
After you edit that file just issue:
# /usr/sbin/postmap /etc/postfix/header_checks
And I believe you're ready to go :)
Regards,
Bojan Zdrnja
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html