Block SOBER at MTA (postfix)
Scott Silva
ssilva at SGVWATER.COM
Mon Dec 5 16:47:12 GMT 2005
Julian Field spake the following on 12/4/2005 7:49 AM:
> Drew Marshall wrote:
>
>> On 4 Dec 2005, at 11:22, Dhawal Doshy wrote:
>>
>>> Hello All,
>>> A simple body check in postfix will reject all sober.u mails. Create
>>> a file
>>> /etc/postfix/virus_body_checks with this content:
>>> /^UEsDBAoAAAAAAACQdjPMyus3XtgAAF7YAAAYAAAARmlsZS1wYWNrZWRfZGF0YUluZm8uZXhlTVqQ/ REJECT VIRUS (W32/Sober.U at MM)
>>
>>
>>
>> Nice. Smart way to prevent MailScanner swamping as Remco is
>> experiencing.
>>
>>> OR download it from here..
>>> http://mx2.netmagicians.com/virus_body_checks
>>> And add this to your /etc/postfix/main.cf
>>> body_checks = regexp:/etc/postfix/virus_body_checks
>>> The string UEsDBAoAAAAAAA.... is the first mime encoded line of the
>>> sober.u variant. This works well for sober but no 100% strike rate
>>> (yet) for netsky.
>>> Going forward (if the interest exists) I think we ought to maintain
>>> this for all supported MTAs and all (possible) new virus outbreaks.
>>
>>
>>
>> Agreed. Perhaps we can lift some of the regexes from the Clam virus
>> definitions? I have no idea how possible this is/ maybe...
>
>
> This sounds remarkably like you are trying to make a virus scanner of
> your own. You better be sure this is really the sort of thing you want
> to take on as a project. You'll have users wanting signatures very
> quickly and stuff like that, before you know where you are.
> Personally I would steer well clear of it, and try out various ways of
> deploying ClamAV at MTA level if that's what you want to achieve.
> Just my 2p worth...
>
Julian is right on the money! Any paid programmer knows that if you
touch it once, you support it forever.
--
/-----------------------\ |~~\_____/~~\__ |
| MailScanner; The best |___________ \N1____====== )-+
| protection on the net!| ~~~|/~~ |
\-----------------------/ ()
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!
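As an added example (not code from the thread or from Postfix itself), the Python below applies the quoted body_checks rule the way Postfix does, line by line against the message body, to two constructed sample messages, and decodes the 76-character signature line to show what it really is: the local-file header of a stored zip whose member is File-packed_dataInfo.exe, followed by the MZ bytes of the executable. The table parser, the sample messages and their header values are assumptions of this example.

```python
import base64
import re
import struct

# The rule quoted in the thread, in Postfix regexp: table syntax ("/pattern/ ACTION").
# Postfix regexp tables match case-insensitively unless the "i" flag is toggled off.
BODY_CHECKS = (
    "/^UEsDBAoAAAAAAACQdjPMyus3XtgAAF7YAAAYAAAARmlsZS1wYWNrZWRfZGF0YUluZm8uZXhlTVqQ/"
    " REJECT VIRUS (W32/Sober.U at MM)\n"
)

def parse_body_checks(table):
    """Turn a regexp: table into [(compiled_regex, action)]; first match wins."""
    rules = []
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.+)/\s+(.+)$", line)
        if m:
            rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def check_body(raw_message, rules):
    """Apply the rules to every body line, as body_checks does (headers are skipped)."""
    _, _, body = raw_message.partition("\n\n")
    for line in body.splitlines():
        for regex, action in rules:
            if regex.search(line):
                return action
    return None

def explain_signature(b64_line):
    """Decode the 76-char signature: the first base64 line of a stored (uncompressed)
    zip whose member is an .exe. Stable for copies of that exact file, but any
    repacking changes timestamp, CRC or sizes and therefore the line."""
    data = base64.b64decode(b64_line)
    (sig, _ver, _flags, method, _t, _d, _crc, csize, usize, name_len,
     _extra) = struct.unpack("<4sHHHHHIIIHH", data[:30])
    name = data[30:30 + name_len].decode("ascii")
    return {"zip": sig == b"PK\x03\x04", "stored": method == 0 and csize == usize,
            "size": usize, "member": name,
            "member_is_pe": data[30 + name_len:32 + name_len] == b"MZ"}

# Constructed sample messages (not real worm mail): one whose attachment begins with
# the signature line, and one plain-text message.
SIGNATURE_LINE = BODY_CHECKS.split("/")[1][1:]   # pattern without its leading "^"
SOBER_LIKE = "From: a@example.com\nContent-Transfer-Encoding: base64\n\n" + SIGNATURE_LINE + "\nAAAA\n"
CLEAN = "From: b@example.com\n\nPlain text body, no attachment.\n"
```

Because the signature is the zip header itself (timestamp, CRC and sizes included), it matches copies of exactly this attachment and nothing else, which is both why it produces no false positives and why it stops matching the moment the worm is repacked.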