Mailinglist Archive: opensuse-security (334 mails)

Re: [suse-security] Postfix and w32.swen.A
  • From: "Theo v. Werkhoven" <twe-suse.sec@xxxxxxxxxxxxxxxxxxxx>
  • Date: Wed, 24 Sep 2003 21:30:59 +0200
  • Message-id: <20030924193059.GA11363@xxxxxxxxxxxxxxxx>
On Tue, 23 Sep 2003, Vaclav made the net somewhat safer by saying:

> Hello,
>
> recently I have introduced to postfix the mime_header_check with the
> rule to bounce messages including attachments with executable files
> based on a suggestion in this list. I have tested that and it seemed
> to work fine. Nevertheless since Sunday I am receiving (and other
> users of the server, too) many mails containing the w32.swen.A. It's
> strange, as this mail contains a file xxxx.exe attached. Is there a
> way to modify the postfix configuration to stop these (and maybe
> similar mails in the future) mails? Seems that this type of
> attachment bypasses somehow this filter. I have checked the message,
> and did not find a difference with other types of attachments.

Check Ralf Hildebrandt's site
<http://www.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_sobigf.shtml>

I'm using simple header checks on the Subject and From myself, plus a
message_size_limit of 64kB, which seems effective enough.

/^Subject:.*Last Net Pack/
    DISCARD Possible virus, don't need it anyway
/From:.*(microsoft|ms)\s+(internet|corporation|program|technical|customer|email|network)/
    DISCARD Possible virus, don't need it anyway
/From:.*(customer|security)\s+(assistance|service|bulletin)/
    DISCARD Possible virus, don't need it anyway
/From:.*network\s+message/
    DISCARD Possible virus, don't need it anyway

All pcre.

Theo
--
Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org
ICBM 52 13 27N , 4 29 45E.
SuSE 8.2 x86
Kernel k_Athlon 2.4.20-4GB
See headers for PGP/GPG info.
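
The four header checks from the message above, run against a few sample headers, as an added example that is not part of the original post. It assumes Python's `re` module as a stand-in for Postfix's PCRE matcher, and every sample header is constructed. It shows which rule fires first, and that the unanchored `From:` rules also hit an ordinary "Customer Service" sender and a Subject line that merely contains "From:", both of which DISCARD would drop silently.

```python
import re

# The four rules from the message, in pcre table layout: each action sits on
# an indented continuation line of its pattern.
TABLE = r"""
/^Subject:.*Last Net Pack/
  DISCARD Possible virus, don't need it anyway
/From:.*(microsoft|ms)\s+(internet|corporation|program|technical|customer|email|network)/
  DISCARD Possible virus, don't need it anyway
/From:.*(customer|security)\s+(assistance|service|bulletin)/
  DISCARD Possible virus, don't need it anyway
/From:.*network\s+message/
  DISCARD Possible virus, don't need it anyway
"""

def parse_table(text):
    """Parse '/pattern/flags action' entries into (regex, action) pairs."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                          # blank line or comment
        if line[0].isspace() and entries:     # continuation of previous entry
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.strip())
    rules = []
    for entry in entries:
        m = re.match(r"/(.*)/([A-Za-z]*)\s+(.+)$", entry)
        if m is None:
            raise ValueError("malformed entry: " + entry)
        pattern, flags, action = m.groups()
        # pcre tables match case-insensitively unless the 'i' flag toggles it
        # off. Simplification (assumption): other flags are ignored here.
        opts = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, opts), action))
    return rules

def check(header, rules):
    """Return (rule number, action) of the first matching rule, else None."""
    for number, (regex, action) in enumerate(rules, start=1):
        if regex.search(header):
            return number, action
    return None

RULES = parse_table(TABLE)

if __name__ == "__main__":
    # Constructed logical headers, one string each (not taken from real mail).
    for h in ("Subject: Last Net Pack", "From: Acme Customer Service <help@shop.example>"):
        print(h, "->", check(h, RULES))
```

On a live server the same lookups can be made with `postmap -q "From: ..." pcre:/etc/postfix/header_checks`, where the table path is an assumption about the local setup.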