The Monday 2004-02-02 at 18:26 +0100, Enrique Arizón wrote:
> Has anyone succeeded in configuring Postfix to reject
> the MyDoom virus? Maybe by touching header_checks or
> some other trick.
> Thanks in advance for any help!
They come as .zip attachments, with different names, and from different
addresses. I doubt there is a common header :-?
Amavis catches them, but after they are downloaded :-(
For example, one of them:
|Received: from localhost (localhost [127.0.0.1])
| by nimrodel.valinor (Postfix) with ESMTP id AD84CD498A
| for ; Sun, 1 Feb 2004 15:31:44 +0100 (CET)
|Original-Recipient: rfc822;robin1.listas****
|Received: from pop.tiscali.es [212.166.64.66]
| by localhost with POP3 (fetchmail-6.2.1 polling pop.tiscali.es account ****)
| for cer@localhost (single-drop); Sun, 01 Feb 2004 15:31:44 +0100 (CET)
|Received: from lebanon-online.com.lb (80.36.60.8) by netmail.tiscalinet.es (6.7.018)
| id 40052FD000414C20 for ****; Sat, 31 Jan 2004 21:39:06 +0100
|Message-ID: <40052FD000414C20@pop3.es.tisadm.net> (added by postmaster@netmail.tiscalinet.es)
|From: ray@lebanon-online.com.lb
|To: robin1.listas****
|Subject: Test
|Date: Sat, 31 Jan 2004 21:39:03 +0100
|MIME-Version: 1.0
|Content-Type: multipart/mixed;
| boundary="----=_NextPart_000_0005_485362AF.FF3BAC20"
|X-Priority: 3
|X-MSMail-Priority: Normal
See that the first "received" part (the bottom one) is written by my ISP,
tiscali. There is another one missing, that would have to be written by
lebanon-online.com.lb in this case; that's the common thing I see, and I
have no idea how to filter that. Another one:
|Received: from webanuncio.com (213.0.195.104) by netmail.tiscalinet.es (6.7.018)
| id 4005303C0049B179 for *****tiscali.es; Sun, 1 Feb 2004 15:48:05 +0100
|Message-ID: <4005303C0049B179@pop1.es.tisadm.net> (added by postmaster@netmail.tiscalinet.es)
|From: clasificados@webanuncio.com
|To: robin1.listas*
|Subject: Hi
|Date: Mon, 2 Feb 2004 15:45:06 +0100
|MIME-Version: 1.0
|Content-Type: multipart/mixed;
| boundary="----=_NextPart_000_0007_8A08AE09.2D68B09F"
|X-Priority: 3
|X-MSMail-Priority: Normal
Do you think there are common headers there that could be used, without
risk for legitimate emails?
The only way would be for big providers (like tiscali) to provide
antivirus checking, free of cost - at least, for these big bombings. They
would not only help their clients, but everybody else, including
themselves: every virus that gets a "host" multiplies traffic to the same
provider that let the contamination pass through their servers a few
moments before. And they, having 24/7 staff, are in a much better
position to react than their clients.
If not that, what somebody will propose sooner or later is banning all
email sent from local machines, and that would be too bad for many people,
like me, for example. Or enforcing positive authentication for authorized
machines to send email, or something of the sort.
On TV I saw that they are already blaming the Worm/MyDoom.A2 on the Linux
movement making war on SCO and M$ :-(
--
Cheers,
Carlos Robinson
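The heuristic Carlos describes (the bottom-most Received: line was stamped by the recipient's ISP, and the host it names as the origin never wrote a Received: line of its own) as an added example, not code from this thread or from Postfix. It uses only the Python standard library. The first two samples are the header blocks quoted above, trimmed to the relevant lines and with the recipient addresses masked as they were in the post; the third sample, the example.org host names and the RECEIVING_SIDE set (the relay and machines visible in those headers) are assumptions made here for the demonstration.

```python
"""Flag mail whose sender side wrote no Received: header at all, so the
oldest Received: line is the one our own ISP's relay stamped on arrival.

Added example for the thread above, not code from it. The two MYDOOM_*
samples are the header blocks quoted in the post (trimmed); LEGIT and the
example.org hosts are constructed here to show a normally relayed message
that must NOT be flagged. RECEIVING_SIDE is an assumption taken from the
quoted headers; adjust it for your own site.
"""
import re
from email import message_from_string

# Hosts on the receiving side. A Received: line written "by" one of these says
# nothing about the sender; every other "by" host is a sender-side MTA.
RECEIVING_SIDE = {"netmail.tiscalinet.es", "localhost", "nimrodel.valinor"}

FROM_RE = re.compile(r"from\s+([^\s(;]+)", re.I)   # applied at start of value
BY_RE = re.compile(r"\bby\s+([^\s(;]+)", re.I)


def hops(raw):
    """[(from_host, by_host), ...] for each Received: header, newest first."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # unfold the header
        frm = FROM_RE.match(flat)
        by = BY_RE.search(flat)
        out.append((frm.group(1).lower() if frm else None,
                    by.group(1).lower() if by else None))
    return out


def sender_side_hops(raw):
    """Received: lines stamped by an MTA that is not ours: the sender's trail."""
    return [(f, b) for f, b in hops(raw) if b not in RECEIVING_SIDE]


def message_id_added_by_relay(raw):
    """Second signal present in both quoted samples: the relay had to invent
    a Message-ID because the message arrived without one."""
    mid = message_from_string(raw).get("Message-ID", "")
    return "(added by postmaster@" in mid.lower()


def classify(raw):
    """Verdict plus the two signals, so a filter can log why it fired."""
    trail = sender_side_hops(raw)
    return {
        "sender_wrote_received": bool(trail),
        "message_id_added_by_relay": message_id_added_by_relay(raw),
        "suspicious": not trail,   # nobody on the sender's side stamped the mail
    }


MYDOOM_1 = """\
Received: from localhost (localhost [127.0.0.1])
 by nimrodel.valinor (Postfix) with ESMTP id AD84CD498A
 for ; Sun, 1 Feb 2004 15:31:44 +0100 (CET)
Received: from pop.tiscali.es [212.166.64.66]
 by localhost with POP3 (fetchmail-6.2.1 polling pop.tiscali.es account ****)
 for cer@localhost (single-drop); Sun, 01 Feb 2004 15:31:44 +0100 (CET)
Received: from lebanon-online.com.lb (80.36.60.8) by netmail.tiscalinet.es (6.7.018)
 id 40052FD000414C20 for ****; Sat, 31 Jan 2004 21:39:06 +0100
Message-ID: <40052FD000414C20@pop3.es.tisadm.net> (added by postmaster@netmail.tiscalinet.es)
From: ray@lebanon-online.com.lb
To: robin1.listas****
Subject: Test
Date: Sat, 31 Jan 2004 21:39:03 +0100
"""

MYDOOM_2 = """\
Received: from webanuncio.com (213.0.195.104) by netmail.tiscalinet.es (6.7.018)
 id 4005303C0049B179 for *****tiscali.es; Sun, 1 Feb 2004 15:48:05 +0100
Message-ID: <4005303C0049B179@pop1.es.tisadm.net> (added by postmaster@netmail.tiscalinet.es)
From: clasificados@webanuncio.com
To: robin1.listas*
Subject: Hi
Date: Mon, 2 Feb 2004 15:45:06 +0100
"""

# Constructed: the sender's own MTA (mail.example.org) stamped a Received: line.
LEGIT = """\
Received: from mail.example.org (mail.example.org [192.0.2.25])
 by netmail.tiscalinet.es (6.7.018) id 000000000000000 for ****; Sun, 1 Feb 2004 16:00:00 +0100
Received: from desk.example.org (desk.example.org [192.0.2.10])
 by mail.example.org (Postfix) with ESMTP id 0123456789
 for <****@tiscali.es>; Sun, 1 Feb 2004 15:59:58 +0100
Message-ID: <20040201145958.0123456789@mail.example.org>
From: alice@example.org
To: robin1.listas****
Subject: constructed legitimate message
Date: Sun, 1 Feb 2004 15:59:58 +0100
"""

if __name__ == "__main__":
    for name, sample in (("MYDOOM_1", MYDOOM_1), ("MYDOOM_2", MYDOOM_2), ("LEGIT", LEGIT)):
        print(name, classify(sample))
```

Two things a practitioner should keep in mind. Postfix header_checks cannot express this check, because it matches one header line at a time and has no way to say "no Received: line was written by host X"; logic like this belongs in the content filter that already sees the whole message (amavis, which the post says already catches them). And the check flags every sender that injects SMTP straight into your MX without stamping its own Received: line, which is what a worm's built-in SMTP engine does but also what some direct-to-MX mailers do, so it carries exactly the risk to mail from local machines that the post worries about.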