Block SOBER at MTA (postfix)

Julian Field MailScanner at ecs.soton.ac.uk
Sun Dec 4 15:49:51 GMT 2005



Drew Marshall wrote:

> On 4 Dec 2005, at 11:22, Dhawal Doshy wrote:
>
>> Hello All,
>> A simple body check in postfix will reject all sober.u mails.  Create
>> a file /etc/postfix/virus_body_checks with this content:
>> /^UEsDBAoAAAAAAACQdjPMyus3XtgAAF7YAAAYAAAARmlsZS1wYWNrZWRfZGF0YUluZm8uZXhlTVqQ/
>>       REJECT VIRUS (W32/Sober.U@MM)
>
>
> Nice. Smart way to prevent MailScanner swamping as Remco is  
> experiencing.
>
>> OR download it from here..
>> http://mx2.netmagicians.com/virus_body_checks
>> And add this to your /etc/postfix/main.cf
>> body_checks = regexp:/etc/postfix/virus_body_checks
>> The string UEsDBAoAAAAAAA.... is the first mime encoded line of the  
>> sober.u variant. This works well for sober but no 100% strike rate  
>> (yet) for netsky.
>> Going forward (if the interest exists) i think we ought to maintain  
>> this for all supported MTAs and all (possible) new virus outbreaks.
>
>
> Agreed. Perhaps we can lift some of the regexes from the Clam virus
> definitions? I have no idea how possible this is/ maybe...

This sounds remarkably like you are trying to make a virus scanner of 
your own. You better be sure this is really the sort of thing you want 
to take on as a project. You'll have users wanting signatures very 
quickly and stuff like that, before you know where you are.
Personally I would steer well clear of it, and try out various ways of 
deploying ClamAV at MTA level if that's what you want to achieve.
Just my 2p worth...

-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
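A small Python emulation, added here as an example and not code from the thread, Postfix or MailScanner, of how the posted body_checks rule is applied to body lines and of what its base64 prefix actually encodes: a ZIP local file header naming File-packed_dataInfo.exe together with its CRC and sizes, which is why any repacked variant slips past such a byte-exact pattern. The rule copy, the sample body lines and the function names are constructed assumptions.

```python
import base64
import re
import struct
# Constructed copy of the body_checks rule posted in the thread, in Postfix
# regexp_table(5) syntax (the indented line continues the rule above it).
VIRUS_BODY_CHECKS = """\
/^UEsDBAoAAAAAAACQdjPMyus3XtgAAF7YAAAYAAAARmlsZS1wYWNrZWRfZGF0YUluZm8uZXhlTVqQ/
    REJECT VIRUS (W32/Sober.U@MM)
"""

def parse_regexp_table(text):
    """Parse '/pattern/flags result' entries; case-insensitive unless 'i' toggles it."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()  # continuation of previous entry
        else:
            logical.append(line.rstrip())
    rules = []
    for entry in logical:
        m = re.match(r"/(.*?)/([imx]*)\s+(.*)$", entry)
        if not m:
            raise ValueError("bad regexp_table entry: " + entry)
        pattern, flags, result = m.groups()
        rules.append((re.compile(pattern, 0 if "i" in flags else re.I), result))
    return rules

def body_checks(rules, body_lines):
    """Emulate body_checks: first rule hit on any body line decides, else DUNNO."""
    for line in body_lines:
        for rx, result in rules:
            if rx.search(line):
                return result
    return "DUNNO"

def describe_zip_prefix(b64_line):
    """Decode one base64 line and parse the ZIP local file header it starts with."""
    raw = base64.b64decode(b64_line + "=" * (-len(b64_line) % 4))
    sig, _v, _f, method, _t, _d, crc, _cs, usize, nlen, xlen = \
        struct.unpack("<4sHHHHHIIIHH", raw[:30])
    return {"zip": sig == b"PK\x03\x04", "method": method, "crc32": crc,
            "size": usize, "name": raw[30:30 + nlen].decode("ascii"),
            "data": raw[30 + nlen + xlen:]}

# Constructed sample bodies: the worm's leading base64 line (signature prefix
# plus filler) and an unrelated ZIP attachment that must not match.
WORM_BODY = ["see attached", "", "UEsDBAoAAAAAAACQdjPMyus3XtgAAF7YAAAYAAAA"
             "RmlsZS1wYWNrZWRfZGF0YUluZm8uZXhlTVqQAAMAAAAEAAAA"]
CLEAN_BODY = ["see attached", "", "UEsDBBQAAAAIAAAAIQA="]
RULES = parse_regexp_table(VIRUS_BODY_CHECKS)
```

The decoded header shows the file is stored uncompressed (method 0), so the MZ header of the executable follows the name directly; a different timestamp, CRC or size changes the base64 and the rule no longer fires.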
