| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <007101c36824$ebb4ec80$8f04d882@bzdrnja> From: Bojan.Zdrnja at LSS.hr (Bojan Zdrnja) Subject: Re: Filtering sobig with postfix > -----Original Message----- > From: full-disclosure-admin@...ts.netsys.com > [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of > vogt@...senet.com > Sent: Friday, 22 August 2003 12:06 a.m. > To: Bojan.Zdrnja@....hr; full-disclosure@...ts.netsys.com > Subject: AW: [Full-Disclosure] Re: Filtering sobig with postfix > > > > Yep, as the OP is using postfix, he could use the > > header_checks directive, > > which can identify MIME headers, so he can easily stop this worm. > > Just check for Content-Disposition header and block > > everything with .pif in > > filename. > > Thought about that, but doesn't quite work. The headers only say > multipart/mime. The .pif part comes later in the attachment. Postfix's header_check filter understands multi-line headers, including MIME headers in the message body. So, this should actually work in main.cf: header_checks = regexp:/etc/postfix/header_checks And in /etc/postfix/header_checks put: /filename=.*(your_details|your_document|document_all).pif/ REJECT You might want to reject all .pif files, and also: /(Virus found|VIRUS ALERT)/ DISCARD To discard all those messages originating from improperly configured MTA's, which were able to detect Sobig-F, but which still send notification to faked from: address. After you edit that file just issue: # /usr/sbin/postmap /etc/postfix/header_checks And I believe you're ready to go :) Regards, Bojan Zdrnja
Powered by blists - more mailing lists