Mailinglist Archive: opensuse-security (334 mails)

Re: [suse-security] Postfix and w32.swen.A
  • From: Felipe Alfaro Solana <felipe_alfaro@xxxxxxxxxxxxx>
  • Date: Thu, 25 Sep 2003 16:28:52 +0200
  • Message-id: <1064500132.1282.9.camel@xxxxxxxxxxxxxxxxxxxxxxxx>
On Tue, 2003-09-23 at 09:04, Vaclav Brunnhofer wrote:
> recently I have introduced to postfix the mime_header_check with the
> rule to bounce messages including attachments with executable files
> based on a suggestion in this list. I have tested that and it seemed
> to work fine. Nevertheless since Sunday I am receiving (and other
> users of the server, too) many mails containing the w32.swen.A. It's
> strange, as this mail contains a file xxxx.exe attached. Is there a
> way to modify the postfix configuration to stop these (and may be
> similar mails in the future) mails? Seems that this type of
> attachment bypasses somehow this filter. I have checked the message,
> and did not find a difference with other types of attachments.

Use the following "body_checks" postfix filters to perform filtering
based on the real message body:

/^begin\s+\d{3}\s+.+?\.(bat|chm|cmd|cnm|com|exe|hta|jse?|lnk|pif|reg|scr|shb|shs|vb[esx]|vdx|ws[fh])\n?$/ REJECT

/^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.(bat|chm|cmd|cnm|com|exe|hta|jse?|lnk|pif|reg|scr|shb|shs|vb[esx]|vdx|ws[fh])"?\n?$/ REJECT

/^\s+(file)?name="?.+?\.(bat|chm|cmd|cnm|com|exe|hta|jse?|lnk|pif|reg|scr|shb|shs|vb[esx]|vdx|ws[fh])"?\n?$/ REJECT

This will stop nearly all dangerous Windows-worm/virus-carrying payloads.
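To see which lines of a message the three rules above would actually reject before deploying them, here is an added Python test harness (not part of the original post, and not Postfix code) that applies the posted patterns unchanged to a constructed sample body. The sample contains a uuencode header ("begin 644 ..." is how uuencoded attachments start), MIME part headers, folded continuation lines, and benign lines alongside them. Python's re module supports every construct the patterns use, and the harness compiles them case-insensitively because Postfix pcre: tables match case-insensitively by default. It exercises only the regex semantics: which Postfix table (header_checks, mime_header_checks, body_checks) gets to see a given line is decided by the MIME processing in cleanup(8), which this harness does not model.

```python
import re

# The three body_checks rules from the post, copied verbatim. PCRE and Python's
# re agree on everything used here: \s, \d{3}, lazy .+?, groups and alternation.
BODY_CHECK_RULES = [
    r'^begin\s+\d{3}\s+.+?\.(bat|chm|cmd|cnm|com|exe|hta|jse?|lnk|pif|reg|scr|shb|shs|vb[esx]|vdx|ws[fh])\n?$',
    r'^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.(bat|chm|cmd|cnm|com|exe|hta|jse?|lnk|pif|reg|scr|shb|shs|vb[esx]|vdx|ws[fh])"?\n?$',
    r'^\s+(file)?name="?.+?\.(bat|chm|cmd|cnm|com|exe|hta|jse?|lnk|pif|reg|scr|shb|shs|vb[esx]|vdx|ws[fh])"?\n?$',
]

# Postfix pcre: tables are case-insensitive unless the /i flag is switched off,
# so compile the same way; "SETUP.EXE" must be caught as well as "setup.exe".
COMPILED = [re.compile(rule, re.IGNORECASE) for rule in BODY_CHECK_RULES]


def matching_rule(line: str):
    """Return the 0-based index of the first rule that matches `line`, or None.

    Postfix stops at the first matching table entry, so first hit wins here too.
    """
    for idx, rx in enumerate(COMPILED):
        if rx.search(line):
            return idx
    return None


def scan_message(text: str):
    """Return [(line_number, rule_index, line)] for every line a rule would REJECT."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        idx = matching_rule(line)
        if idx is not None:
            hits.append((number, idx, line))
    return hits


# Constructed sample body (hypothetical file names, not taken from a real worm):
# a mix of lines the rules should reject and lines they should leave alone.
SAMPLE_LINES = [
    'Content-Type: text/plain; charset="us-ascii"',           # 1: benign
    'Please see the attached file.',                           # 2: plain prose
    'begin 644 install.exe',                                   # 3: uuencode header -> rule 1
    'begin 644 photo.jpg',                                     # 4: uuencode, harmless ext
    'Content-Disposition: attachment; filename="patch.exe"',  # 5: -> rule 2
    'Content-Type: application/octet-stream; name="SETUP.EXE"',  # 6: upper case -> rule 2
    '\tfilename="readme.pif"',                                 # 7: folded header -> rule 3
    '\tfilename="report.pdf"',                                 # 8: folded, harmless ext
    'Content-Disposition: attachment; filename="notes.exe.txt"',  # 9: final ext is .txt
]
SAMPLE_BODY = "\n".join(SAMPLE_LINES)


if __name__ == "__main__":
    for number, idx, line in scan_message(SAMPLE_BODY):
        print(f"line {number}: REJECT by rule {idx + 1}: {line!r}")
```

Running the script reports lines 3, 5, 6 and 7 as rejected and nothing else; line 9 stays untouched because the patterns only look at the last extension, which is the behaviour you want for a .txt file but worth knowing when reading the rule list.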

