Block SOBER at MTA (postfix)
Julian Field
MailScanner at ecs.soton.ac.uk
Sun Dec 4 15:49:51 GMT 2005
Drew Marshall wrote:
> On 4 Dec 2005, at 11:22, Dhawal Doshy wrote:
>
>> Hello All,
>> A simple body check in postfix will reject all sober.u mails. Create
>> a file
>> /etc/postfix/virus_body_checks with this content:
>> /^UEsDBAoAAAAAAACQdjPMyus3XtgAAF7YAAAYAAAARmlsZS1wYWNrZWRfZGF0YUluZm8uZXhlTVqQ/ REJECT VIRUS (W32/Sober.U at MM)
>
>
> Nice. Smart way to prevent MailScanner swamping as Remco is
> experiencing.
>
>> OR download it from here..
>> http://mx2.netmagicians.com/virus_body_checks
>> And add this to your /etc/postfix/main.cf
>> body_checks = regexp:/etc/postfix/virus_body_checks
>> The string UEsDBAoAAAAAAA.... is the first mime encoded line of the
>> sober.u variant. This works well for sober but no 100% strike rate
>> (yet) for netsky.
>> Going forward (if the interest exists) I think we ought to maintain
>> this for all supported MTAs and all (possible) new virus outbreaks.
>
>
> Agreed. Perhaps we can lift some of the regexes from the Clam virus
> definitions? I have no idea how possible this is/ maybe...
This sounds remarkably like you are trying to make a virus scanner of
your own. You better be sure this is really the sort of thing you want
to take on as a project. You'll have users wanting signatures very
quickly and stuff like that, before you know where you are.
Personally I would steer well clear of it, and try out various ways of
deploying ClamAV at MTA level if that's what you want to achieve.
Just my 2p worth...
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
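
Added example, not part of the original thread and not MailScanner or Postfix code: decoding the body-check string quoted above shows what it pins down, namely a ZIP local file header with one fixed file name, timestamp, CRC and size, so the line-level pattern covers exactly one packing of one attachment. The function names are this example's own, and the sample body lines are constructed.

```python
import base64
import re
import struct

# Pattern text from the body check quoted in the thread (line wrapping removed).
SIG_B64 = ("UEsDBAoAAAAAAACQdjPMyus3XtgAAF7YAAAYAAAA"
           "RmlsZS1wYWNrZWRfZGF0YUluZm8uZXhlTVqQ")
BODY_CHECK = re.compile("^" + SIG_B64)  # anchored, as in the regexp table
HEADER = struct.Struct("<4sHHHHHIIIHH")  # ZIP local file header, 30 bytes


def describe_signature(sig_b64=SIG_B64):
    """Decode the signature and name the ZIP fields it pins down."""
    raw = base64.b64decode(sig_b64)
    (magic, _ver, _flags, method, mtime, mdate, crc,
     csize, usize, name_len, extra_len) = HEADER.unpack_from(raw)
    if magic != b"PK\x03\x04":
        raise ValueError("not a ZIP local file header")
    name_end = HEADER.size + name_len
    return {
        "method": method,  # 0 = stored, no compression
        "date": (1980 + (mdate >> 9), (mdate >> 5) & 0xF, mdate & 0x1F),
        "time": (mtime >> 11, (mtime >> 5) & 0x3F, (mtime & 0x1F) * 2),
        "crc32": crc,
        "sizes": (csize, usize),
        "name": raw[HEADER.size:name_end].decode("ascii"),
        "data_prefix": raw[name_end + extra_len:],  # first bytes of the member
    }


def body_check(body_lines):
    """Return True if any single body line matches, the way body_checks scans."""
    return any(BODY_CHECK.search(line) for line in body_lines)


def first_line_for(mtime):
    """Constructed input: same header with another DOS time, re-encoded."""
    raw = bytearray(base64.b64decode(SIG_B64))
    struct.pack_into("<H", raw, 10, mtime)  # offset 10 = last-mod time field
    return base64.b64encode(bytes(raw)).decode("ascii")


if __name__ == "__main__":
    for field, value in describe_signature().items():
        print(f"{field:12} {value}")
    seen = ["Content-Transfer-Encoding: base64", "", SIG_B64]  # constructed
    print("quoted attachment line matches:", body_check(seen))
    print("other timestamp matches:       ", body_check([first_line_for(0x9001)]))
```

Because Postfix applies body_checks to the raw, still-encoded body one line at a time, the pattern only fires when an attachment's first base64 line is byte-for-byte this header.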