[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20030925220326.3800018064@euler.imar.ro>
Date: Thu, 25 Sep 2003 22:03:26 +0300
From: Liviu Daia <Liviu.Daia@...r.ro>
To: bugtraq@...urityfocus.com
Subject: Re: Ruh-Roh SOBIG.G?
On 25 September 2003, Dragos Ruiu <dr@....net> wrote:
[...]
> SOBIG Filter instructions for Postfix
> ---------------------------------------
> (compile with pcre - this is in the OpenBSD Ports tree already)
>
> 1) Add this to main.cf:
> mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
>
> 2) Then put this in /etc/postfix/mime_header_checks.regexp:
> /filename=\"?(.*)\.(bat|chm|cmd|com|do|exe|hta|jse|rm|scr|pif|vbe|vbs|vxd|xl)\"?$/
> REJECT For security reasons we reject attachments of this type
[...]
Your recipe uses a regexp map, not a pcre one, it's very slow
(especially on OpenBSD), and incomplete. Here's a better one:
(1) Make sure you have Postfix 2.0.x, compiled with support for PCRE.
Run this to find out:
postconf -d mail_version
postconf -m | grep pcre
(2) Add this to main.cf:
mime_header_checks = pcre:/etc/postfix/mime_header_checks.pcre
(3) Put this in /etc/postfix/mime_header_checks.pcre (the last pattern
is supposed to catch CLSID extensions):
/^Content-(?:Disposition:\s+attachment;|Type:).*\b(?:file)?name\s*=.*\.(?:
ad[ep] |
asd |
ba[st] |
chm |
cmd |
com(?=$|") |
cpl |
crt |
dll |
eml |
exe |
hlp |
hta |
in[fs] |
isp |
jse? |
lnk |
md[betw] |
ms[cipt] |
nws |
ocx |
ops |
pcd |
p[ir]f |
reg |
sc[frt] |
sh[bsm] |
swf |
url |
vb[esx]? |
vxd |
ws[cfh] |
\{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}
)\b/x REJECT Windows executables not allowed
(4) Add more extensions you feel you should block;
(5) Run:
postfix reload
Change REJECT above to DISCARD at attack peak times, to save other
machines the trouble of bouncing your rejects. Of course, collateral
damages of the discards are to be expected too.
Regards,
Liviu Daia
--
Dr. Liviu Daia e-mail: Liviu.Daia@...r.ro
Institute of Mathematics web page: http://www.imar.ro/~daia
of the Romanian Academy PGP key: http://www.imar.ro/~daia/daia.asc
Powered by blists - more mailing lists