Block SOBER at MTA (postfix)

Julian Field MailScanner at
Sun Dec 4 15:49:51 GMT 2005

Drew Marshall wrote:

> On 4 Dec 2005, at 11:22, Dhawal Doshy wrote:
>> Hello All,
>> A simple body check in postfix will reject all sober.u mails. Create a file
>> /etc/postfix/virus_body_checks with this content:
>> / 
>> XhlTV qQ/
>>       REJECT VIRUS (W32/Sober.U at MM)
> Nice. Smart way to prevent MailScanner swamping as Remco is experiencing.
>> OR download it from here..
>> And add this to your /etc/postfix/
>> body_checks = regexp:/etc/postfix/virus_body_checks
>> The string UEsDBAoAAAAAAA.... is the first mime encoded line of the
>> sober.u variant. This works well for sober but no 100% strike rate
>> (yet) for netsky.
>> Going forward (if the interest exists) I think we ought to maintain
>> this for all supported MTAs and all (possible) new virus outbreaks.
> Agreed. Perhaps we can lift some of the regexes from the Clam virus
> definitions? I have no idea how possible this is/ maybe...

This sounds remarkably like you are trying to make a virus scanner of 
your own. You better be sure this is really the sort of thing you want 
to take on as a project. You'll have users wanting signatures very 
quickly and stuff like that, before you know where you are.
Personally I would steer well clear of it, and try out various ways of 
deploying ClamAV at MTA level if that's what you want to achieve.
Just my 2p worth...

Julian Field

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
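
Before a hand-written body_checks signature like the one quoted in this thread goes live with REJECT, it is worth checking what the pattern actually pins down. The following added example (not part of the thread, and not MailScanner or Postfix code) decodes the prefix quoted in the post and tests it against a constructed benign ZIP member. The helper names and the sample archive are assumptions made for the illustration, and Python's `re` stands in for a Postfix `regexp:` table.

```python
import base64
import re
import struct
import zlib

# Prefix quoted in the thread; the remainder of that signature line is elided there.
PAGE_PREFIX = "UEsDBAoAAAAAAA"


def decode_prefix(prefix):
    """Decode the complete base64 quanta of the prefix as ZIP local-header fields."""
    raw = base64.b64decode(prefix[: len(prefix) // 4 * 4])
    magic, version, flags = struct.unpack("<4sHH", raw[:8])
    return {"magic": magic, "version_needed": version, "flags": flags,
            "method_low_byte": raw[8]}


def stored_zip(name, data, dos_time=0x6000, dos_date=0x3384):
    """Constructed benign ZIP member: stored (method 0), version 10, no flags."""
    header = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 10, 0, 0, dos_time,
                         dos_date, zlib.crc32(data), len(data), len(data),
                         len(name), 0)
    return header + name + data


def first_mime_line(payload):
    """First base64 line (at most 76 characters) of a MIME-encoded attachment."""
    return base64.b64encode(payload).decode("ascii")[:76]


def body_check(literal, line, case_insensitive=True):
    """Emulate one regexp: table lookup on a single body line.

    Postfix regexp tables match case-insensitively unless the pattern's
    i flag is toggled, which is why that is the default here.
    """
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(re.escape(literal), line, flags) is not None


if __name__ == "__main__":
    line = first_mime_line(stored_zip(b"notes.txt", b"hello"))
    print(decode_prefix(PAGE_PREFIX))
    print("benign line:", line)
    print("prefix-only rule rejects benign zip:", body_check(PAGE_PREFIX, line))
    print("matches case-mangled line:", body_check(PAGE_PREFIX, line.swapcase()))
```

The 14 characters quoted in the post encode only generic ZIP header fields, so whatever distinguishes the variant has to come from the rest of the line.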
