Block SOBER at MTA (postfix)

Scott Silva ssilva at SGVWATER.COM
Mon Dec 5 16:47:12 GMT 2005 

    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

Julian Field spake the following on 12/4/2005 7:49 AM:
> Drew Marshall wrote:
> 
>> On 4 Dec 2005, at 11:22, Dhawal Doshy wrote:
>>
>>> Hello All,
>>> A simple body check in postfix will reject all sober.u mails.  Create
>>> a file
>>> /etc/postfix/virus_body_checks with this content:
>>> /
>>> ^UEsDBAoAAAAAAACQdjPMyus3XtgAAF7YAAAYAAAARmlsZS1wYWNrZWRfZGF0YUluZm8uZ
>>> XhlTV qQ/
>>>       REJECT VIRUS (W32/Sober.U at MM)
>>
>>
>>
>> Nice. Smart way to prevent MailScanner swamping as Remco is 
>> experiencing.
>>
>>> OR download it from here..
>>> http://mx2.netmagicians.com/virus_body_checks
>>> And add this to your /etc/postfix/main.cf
>>> body_checks = regexp:/etc/postfix/virus_body_checks
>>> The string UEsDBAoAAAAAAA.... is the first mime encoded line of the 
>>> sober.u variant. This works well for sober but no 100% strike rate 
>>> (yet) for netsky.
>>> Going forward (if the interest exists) i think we ought to maintain 
>>> this for all supported MTAs and all (possible) new virus outbreaks.
>>
>>
>>
>> Agreed. Perhaps we can lift some of the regex's from the Clam virus 
>> definitions? I have no idea how possible this is/ maybe... 
> 
> 
> This sounds remarkably like you are trying to make a virus scanner of
> your own. You better be sure this is really the sort of thing you want
> to take on as a project. You'll have users wanting signatures very
> quickly and stuff like that, before you know where you are.
> Personally I would steer well clear of it, and try out various ways of
> deploying ClamAV at MTA level if that's what you want to achieve.
> Just my 2p worth...
> 
Julian is right on the money! Any paid programmer knows that if you
touch it once, you support it forever.



-- 

/-----------------------\           |~~\_____/~~\__  |
| MailScanner; The best |___________ \N1____====== )-+
| protection on the net!|                   ~~~|/~~  |
\-----------------------/                      ()

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list