Block SOBER at MTA (postfix)

Dhawal Doshy dhawal at NETMAGICSOLUTIONS.COM
Mon Dec 5 17:15:07 GMT 2005

Scott Silva wrote:
> Julian Field spake the following on 12/4/2005 7:49 AM:
>>Drew Marshall wrote:
>>>On 4 Dec 2005, at 11:22, Dhawal Doshy wrote:
>>>>Hello All,
>>>>A simple body check in postfix will reject all sober.u mails.  Create
>>>>a file
>>>>/etc/postfix/virus_body_checks with this content:
>>>Nice. Smart way to prevent MailScanner swamping as Remco is 
>>>>Going forward (if the interest exists) I think we ought to maintain 
>>>>this for all supported MTAs and all (possible) new virus outbreaks.
>>>Agreed. Perhaps we can lift some of the regexes from the Clam virus 
>>>definitions? I have no idea how possible this is/ maybe... 
>>This sounds remarkably like you are trying to make a virus scanner of
>>your own. You better be sure this is really the sort of thing you want
>>to take on as a project. You'll have users wanting signatures very
>>quickly and stuff like that, before you know where you are.
>>Personally I would steer well clear of it, and try out various ways of
>>deploying ClamAV at MTA level if that's what you want to achieve.
>>Just my 2p worth...
> Julian is right on the money! Any paid programmer knows that if you
> touch it once, you support it forever.

As Drew mentioned, this is NOT supposed to replace a real AV, but at the
same time I'd like having a feature where viruses are rejected without
much processing power. Plugging in an AV at the MTA is not such a great 
idea (no bandwidth savings and no decrease in resource usage).

What I was not sure about is when these body checks take place.

a. Mail is almost accepted / rejected (just before 250 OK / 550 REJECT)
and then rejected, in which case there is no substantial bandwidth 
saving. This is not the case as per the postfix-users list.
b. Rejected as soon as the offending MIME line is found; this is done
using the body_checks_size_limit (default 51200) in postfix. This is 
what really happens (see, postfix ain't so bad after all).

I have a significant benefit (decrease in bandwidth and resource usage) 
in doing these checks; if someone benefits from this as well, great!! But 
I completely agree in NOT converting this into a project but rather 
continuing on a per-incident basis in case of severe viral outbreaks and 
letting MailScanner handle regular non-PITA/N worms (so any volunteers? :) ).

- dhawal
