Windows worms and mail server config
Bevan C. Bennett
bevan at fulcrummicro.com
Fri Jan 30 19:15:49 UTC 2004
Pedro Fernandes Macedo wrote:
> After those recent freaking virii around , I'm trying to find a way to
> block them...
> What's the best way to do this?
> I want to avoid sending unnecessary bounces (specially because I'm the
> postmaster for a domain that has about 1300 users and lots of virii
> bounces dailly , which are almost driving me mad, so I want to avoid
> unnecessary pain to other domain admins) ...
It's much better to reject a virus (or other likely-to-have-forged-info
message) during the initial SMTP transaction (when you know you're
connected with the real sender) rather than bounce it (when you have to
rely on the headers).
For these high-volume virii, I've been using the body_checks feature of
postfix for a quick-and-dirty (but effective) block.
In /etc/postfix/main.cf
body_checks = pcre:/etc/postfix/body_checks
In /etc/postfix/body_checks I then stick things like:
/name="\w+.pIf"/ REJECT
/ZGUuDQ0KJAAAAAAAAAB\+i6hSOurGATrqxgE66sYBQfbKATvqxgG\59sgBLerGAdL1zAEA6sYBWPXV/
REJECT
The former (change pIf to pif) might hit an innocent email (like this
one if I'd said "pif" in that line) but I can't think of any legitimate
reason why someone would need that string.
The latter is one line from the recent worm payload, which is the same
regardless of the randomization of attachment names and types.
It's theoretically possible that a 'good' attachment might include the
same line of encoding somewhere, but very very unlikely.
Doing this will put more load on your server (it needs to actually scan
message bodies now) but seems to work well at keeping known nasties out
without contributing to the 'bounce problem'. I should use better
pattern matches to just stop any of a variety of annoying attachment
types, but haven't had the time to design and test them yet.
I have a test system running with integrated spamassassin, but I'll
probably still utilize something like this because it can reject virii
earlier in the process.
More information about the fedora-list
mailing list