On Fri, 2004-06-04 at 11:23, Arjen de Korte wrote:
As a side note, it is easy to drop this particular virus by using the Postfix 'smtpd_helo_restrictions' to drop all hosts claiming to be from within your own domain, which you know, are not.
smtpd_delay_reject = no
smtpd_sender_restrictions = hash:/etc/postfix/access,reject_unknown_sender_domain
smtpd_client_restrictions =
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = no
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    permit
smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit

Couple of lines out of my postfix main.cf file. These lines alone have stopped almost 60% of inbound SPAM attempts, as well as reducing virii threats by huge percentages. I tried the strict_rfc821_envelopes = yes, but found that so many MTAs are configured poorly that too much legitimate mail was bouncing :( That's Postfix, lightweight, simple to configure, and flexible.

B
---------- Forwarded Message ----------
Subject: Undelivered Mail Returned to Sender
Date: Friday 04 June 2004 10:20
From: MAILER-DAEMON@suse.de (Mail Delivery System)
To: suse-security@de-korte.org
This is the Postfix program at host hermes.suse.de.
I'm sorry to have to inform you that the message returned below could not be delivered to one or more destinations.
For further assistance, please send mail to <postmaster>
If you do so, please include this problem report. You can delete your own text from the message returned below.
The Postfix program
<25866@suse.de>: unknown user: "25866"
-------------------------------------------------------
Encapsulated message
Received: from scanhost.suse.de (scanhost.suse.de [10.0.0.5])
    by hermes.suse.de (Postfix) with ESMTP id 85C238C9D
    for <25866@suse.de>; Fri, 4 Jun 2004 10:20:20 +0200 (CEST)
Received: by scanhost.suse.de (Postfix, from userid 0)
    id 7B27951E5F; Fri, 4 Jun 2004 10:20:20 +0200 (CEST)
Delivered-To: virus-quarantine
X-Quarantine-id: <virus-20040604-101415-03775-17>
Received: from Cantor.suse.de (cantor.suse.de [195.135.220.2])
    (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
    (No client certificate requested)
    by hermes.suse.de (Postfix) with ESMTP id 953E669115
    for <25866@suse.de>; Fri, 4 Jun 2004 10:13:46 +0200 (CEST)
Received: from suse.de (pD951F606.dip.t-dialin.net [217.81.246.6])
    by Cantor.suse.de (Postfix) with ESMTP id 4B95668F3BE
    for <25866@suse.de>; Fri, 4 Jun 2004 10:13:32 +0200 (CEST)
From: suse-security@de-korte.org
To: 25866@suse.de
Subject: Re: Your music
Date: Fri, 4 Jun 2004 10:26:56 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <20040604081332.4B95668F3BE@Cantor.suse.de>
X-AMaViS-Alert: INFECTED, message contains virus: Worm.SomeFool.Gen-1
X-Converted-To-Plain-Text: from multipart/mixed by demime 1.1d
X-Converted-To-Plain-Text: Alternative section used was text/plain
Please have a look at the attached file.
[the SUSE virus scanner removed an attachment of type application/octet-stream which had a name of mp3music.pif]
[if you need the message in its original form including all attachments, please ask the SENDER for a version free of viruses]
End of encapsulated message
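Added example (not code from this thread or from Postfix itself): a small Python model of the HELO checks discussed above. It walks reject_invalid_hostname, reject_non_fqdn_hostname and permit_mynetworks in the order the quoted main.cf uses, then applies the rule Arjen describes, refusing an outside client whose HELO name is one of our own domains, as a check_helo_access lookup would in Postfix. The domain list, the mynetworks ranges, the constructed sample sessions and the rule labels it returns are assumptions made for the example; the one Received: line it parses is the forged-HELO hop from the forwarded bounce.

```python
"""Simulation (added example, not Postfix code) of the HELO checks discussed
in the thread: reject_invalid_hostname, reject_non_fqdn_hostname,
permit_mynetworks and a check_helo_access-style rule that refuses outside
clients announcing one of our own domains.  Evaluates constructed SMTP
sessions plus the forged HELO visible in the forwarded bounce."""
import ipaddress
import re

# Assumed site policy (constructed for this example, not from the thread).
MY_DOMAINS = {"suse.de"}
MY_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("195.135.220.0/24")]

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """Syntax check behind reject_invalid_hostname."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(LABEL.match(label) for label in name.split("."))


def is_fqdn(name: str) -> bool:
    """reject_non_fqdn_hostname: the HELO name needs at least two labels."""
    return is_valid_hostname(name) and "." in name.rstrip(".")


def in_my_networks(client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in MY_NETWORKS)


def claims_my_domain(helo: str) -> bool:
    """True when the HELO name is, or lies under, one of our own domains."""
    h = helo.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in MY_DOMAINS)


def evaluate_helo(client_ip: str, helo: str) -> tuple:
    """Walk the restriction list in the order the thread's main.cf uses
    (reject_* first, then permit_mynetworks) and return (action, rule)."""
    if not is_valid_hostname(helo):
        return ("reject", "reject_invalid_hostname")
    if not is_fqdn(helo):
        return ("reject", "reject_non_fqdn_hostname")
    if in_my_networks(client_ip):
        return ("permit", "permit_mynetworks")
    if claims_my_domain(helo):
        # What a check_helo_access map entry for our own domain would do.
        return ("reject", "check_helo_access")
    return ("permit", "permit")


# Pulls the HELO name and client IP out of a Postfix-style Received: header.
RECEIVED = re.compile(r"from (\S+) \((\S+) \[(\d{1,3}(?:\.\d{1,3}){3})\]\)")


def helo_from_received(header: str):
    """Return (client_ip, helo_name) from a Received: line, or None."""
    m = RECEIVED.search(header)
    if not m:
        return None
    helo, _rdns, ip = m.groups()
    return (ip, helo)


# The hop from the forwarded bounce: a dial-up host announcing itself as suse.de.
BOUNCE_RECEIVED = ("Received: from suse.de (pD951F606.dip.t-dialin.net "
                   "[217.81.246.6]) by Cantor.suse.de (Postfix) with ESMTP")

# Constructed sessions covering each rule.
SESSIONS = [
    ("203.0.113.7", "mail.example.org"),   # ordinary outside host
    ("203.0.113.8", "localhost"),          # bare name, not an FQDN
    ("203.0.113.9", "bad_host.example"),   # underscore: invalid syntax
    ("195.135.220.2", "Cantor.suse.de"),   # our own relay
    helo_from_received(BOUNCE_RECEIVED),   # the worm's forged HELO
]

if __name__ == "__main__":
    for ip, helo in SESSIONS:
        action, rule = evaluate_helo(ip, helo)
        print(f"{ip:16} HELO {helo:22} -> {action:6} ({rule})")
```

The order matters: the own-domain rejection sits after permit_mynetworks, otherwise your own relays (which legitimately HELO with your domain) would be refused, and any clients that submit through SASL from outside would need a similar exemption in front of it. Following the thread's config, the syntax checks run before permit_mynetworks, so an internal host with a malformed HELO is still rejected.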