Block SOBER at MTA (postfix)
Drew Marshall
drew at THEMARSHALLS.CO.UK
Sun Dec 4 15:35:58 GMT 2005
On 4 Dec 2005, at 11:22, Dhawal Doshy wrote:
> Hello All,
> A simple body check in postfix will reject all sober.u mails.
> Create a file
> /etc/postfix/virus_body_checks with this content:
> /
> ^UEsDBAoAAAAAAACQdjPMyus3XtgAAF7YAAAYAAAARmlsZS1wYWNrZWRfZGF0YUluZm8uZ
> XhlTV qQ/
> REJECT VIRUS (W32/Sober.U at MM)
Nice. Smart way to prevent MailScanner swamping as Remco is
experiencing.
> OR download it from here..
> http://mx2.netmagicians.com/virus_body_checks
> And add this to your /etc/postfix/main.cf
> body_checks = regexp:/etc/postfix/virus_body_checks
> The string UEsDBAoAAAAAAA.... is the first mime encoded line of the
> sober.u variant. This works well for sober but no 100% strike rate
> (yet) for netsky.
> Going forward (if the interest exists) i think we ought to maintain
> this for all supported MTAs and all (possible) new virus outbreaks.
Agreed. Perhaps we can lift some of the regex's from the Clam virus
definitions? I have no idea how possible this is/ maybe...
Drew
--
In line with our policy, this message has
been scanned for viruses and dangerous
content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!
More information about the MailScanner
mailing list