[vox-tech] Virus deluge

Samuel N. Merritt vox-tech@lists.lugod.org
Wed, 28 Jan 2004 23:18:41 -0800


On Tue, Jan 27, 2004 at 05:35:12AM -0800, Rod Roark wrote:
> I just created and installed a Postfix remedy for the latest
> MS malware outbreak, and thought I'd pass it on.  I'm seeing
> a VERY high rate of connections from machines infected with
> this stuff.
>
> In main.cf, insert this:
>
> body_checks=pcre:/etc/postfix/virus_body_checks
>
> Create a file virus_body_checks containing this:
>
> /^TVqQAAMAAAAEAAAA\/\/8AALg/ REJECT Emails with Microsoft executable attachments are not allowed here.
> /^UEsDBAoAAAAAA...OzDKJx\+eAFgAAABYAA/ REJECT Attached zip file appears to contain a virus.
>
> If anyone has an improved solution, let me know, but this
> seems to work.

Thanks! It's working for me. The attachments come in, but they don't
even hit procmail.

Something that plays nicely with this is to set

local_recipient_maps = $alias_maps, unix:passwd.byname

so that messages to invalid recipients get rejected in the SMTP
conversation. By default on Debian Woody (postfix 1.1.11), messages get
accepted for any user, and if the user is invalid, Postfix generates a
bounce message and sends it out.

Rejecting the message early saves 2*(message size) in bandwidth. This
gets significant with large worms.

Note that this is now the default in Postfix 2.0. (About time, IMHO.) It
used to be a FAQ back in the Postfix 1.x days, but it took me a fair bit
of Googling before I found an old Postfix 1.x FAQ that explained it.

That old FAQ is at
<http://www.muehlgasse.de/doc/packages/pfixtls/html/faq.html>.

--
Samuel Merritt
OpenPGP key is at http://meat.andcheese.org/~spam/spam_at_andcheese_dot_org.asc
Information about PGP can be found at http://www.mindspring.com/~aegreene/pgp/
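As an added illustration (not code from either poster), here is a small Python model of why the first body_checks rule in the quoted recipe fires: a MIME base64 body part is encoded from byte 0 of the attachment in fixed-width lines, so a DOS/PE executable, which begins with the "MZ" header, always yields a body line starting with TVqQ.... The header bytes, the 4-byte prefix and the text attachment are constructed samples, and body_check() is a simplified stand-in for Postfix's own scanner.

```python
import base64
import re
from typing import List, Optional, Tuple

# The MZ rule quoted above, as a Python regex. In the Postfix pcre table the
# "/" delimiters are escaped as "\/"; in Python they are plain characters.
MZ_RULE = re.compile(r"^TVqQAAMAAAAEAAAA//8AALg")
MZ_REASON = "Emails with Microsoft executable attachments are not allowed here."
BODY_CHECKS: List[Tuple[re.Pattern, str]] = [(MZ_RULE, MZ_REASON)]

# Constructed sample: the first 24 bytes of a typical MS-DOS stub header
# (e_magic "MZ", e_cblp 0x90, e_cp 3, e_crlc 0, e_cparhdr 4, e_minalloc 0,
# e_maxalloc 0xffff, e_ss 0, e_sp 0xb8, then zeros). Not a real program.
SAMPLE_DOS_HEADER = bytes.fromhex(
    "4d5a9000" "03000000" "04000000" "ffff0000" "b8000000" "00000000"
)


def mime_base64_lines(data: bytes, width: int = 76) -> List[str]:
    """Encode bytes the way a MIME base64 part does: fixed-width lines starting
    at byte 0 of the attachment, which is why "^TVqQ" can anchor to line start."""
    encoded = base64.b64encode(data).decode("ascii")
    return [encoded[i:i + width] for i in range(0, len(encoded), width)]


def body_check(body_lines: List[str], rules=BODY_CHECKS) -> Optional[str]:
    """Mimic Postfix body_checks: test every line against each rule in order and
    return the REJECT text of the first match, or None if the message passes."""
    for line in body_lines:
        for pattern, reason in rules:
            if pattern.search(line):
                return reason
    return None


if __name__ == "__main__":
    exe_lines = mime_base64_lines(SAMPLE_DOS_HEADER)
    print(exe_lines[0])                      # TVqQAAMAAAAEAAAA//8AALgAAAAAAAAA
    print(body_check(exe_lines))             # the REJECT reason above
    print(body_check(mime_base64_lines(b"Just a text attachment.")))  # None
    # Caveat: the rule keys on the attachment's first bytes. The same header
    # preceded by anything (here 4 constructed bytes, as inside an archive)
    # encodes to different base64 and is not caught by the MZ rule alone.
    print(body_check(mime_base64_lines(b"\x00\x00\x00\x00" + SAMPLE_DOS_HEADER)))  # None
```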
