Block SOBER at MTA (postfix)

Scott Silva ssilva at SGVWATER.COM
Mon Dec 5 16:47:12 GMT 2005

    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

Julian Field spake the following on 12/4/2005 7:49 AM:
> Drew Marshall wrote:
>> On 4 Dec 2005, at 11:22, Dhawal Doshy wrote:
>>> Hello All,
>>> A simple body check in postfix will reject all sober.u mails.  Create
>>> a file
>>> /etc/postfix/virus_body_checks with this content:
>>> /
>>> XhlTV qQ/
>>>       REJECT VIRUS (W32/Sober.U at MM)
>> Nice. Smart way to prevent MailScanner swamping as Remco is 
>> experiencing.
>>> OR download it from here..
>>> And add this to your /etc/postfix/
>>> body_checks = regexp:/etc/postfix/virus_body_checks
>>> The string UEsDBAoAAAAAAA.... is the first mime encoded line of the 
>>> sober.u variant. This works well for sober but no 100% strike rate 
>>> (yet) for netsky.
>>> Going forward (if the interest exists) i think we ought to maintain 
>>> this for all supported MTAs and all (possible) new virus outbreaks.
>> Agreed. Perhaps we can lift some of the regex's from the Clam virus 
>> definitions? I have no idea how possible this is/ maybe... 
> This sounds remarkably like you are trying to make a virus scanner of
> your own. You better be sure this is really the sort of thing you want
> to take on as a project. You'll have users wanting signatures very
> quickly and stuff like that, before you know where you are.
> Personally I would steer well clear of it, and try out various ways of
> deploying ClamAV at MTA level if that's what you want to achieve.
> Just my 2p worth...
Julian is right on the money! Any paid programmer knows that if you
touch it once, you support it forever.


/-----------------------\           |~~\_____/~~\__  |
| MailScanner; The best |___________ \N1____====== )-+
| protection on the net!|                   ~~~|/~~  |
\-----------------------/                      ()

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki ( and
the archives (

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list