[Dshield] Netsky.B postfix filter

Tony Earnshaw tonye at billy.demon.nl
Thu Feb 19 16:27:12 GMT 2004


Thu, 19.02.2004 at 10.34, Ruigrok, Jeroen wrote:

> For those of you using postfix:
> 
> /.*name="?(document|msg|doc|talk|message|creditcard|details|attachment|me|stuff|posting|textfile|concert|information|note|bill|swimmingpool|product|topseller|ps|shower|aboutyou|nomoney|found|story|mails|website|friend|jokes|location|final|release|dinner|ranking|object|mail2|part2|disco|party|misc)\.(doc|htm|rtf|txt)?\.(com|exe|pif|scr)"?/ DISCARD infected with W32.NetSky.B
> 
> in header checks...

(Raises hand.) Do you seriously mean that Epson Europe is implementing
this Postfix header check? Or is Epson thinking of using it?

To my mind, it's superfluously redundant. How about body checks for
actual content? Or even an amavisd-new-driven virus scanner?

Do you have an actual initial string (or actual initial strings) for
body Content-Type? Something that looks like:

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v

and so on?

Better to do a body check on this kind of stuff, or rely on a virus
scanner.

> Reason for discard is that it may spoof the from

Oh, it will.

A better forum could be the Postfix list, since that's full of
mailadmins who have to cope with this kind of thing on a daily basis.
There are some pretty big orgs represented on that list, even bigger
than Epson Europe.

Best,

--Tonni

-- 

mail: billy - at - billy.demon.nl
http://www.billy.demon.nl
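Added example, not code from this thread or from Postfix: the quoted header_checks rule rejoined onto one line, beside the kind of body check Tony suggests (matching the base64 prefix of a DOS/PE "MZ" stub), run over constructed sample messages so the two approaches can be compared.

```python
import re

# Postfix header_checks pattern quoted in the thread, rejoined onto one line.
# Postfix regexp/pcre tables match case-insensitively by default, hence IGNORECASE.
NETSKY_NAME_RE = re.compile(
    r'.*name="?(document|msg|doc|talk|message|creditcard|details|attachment|me|stuff|'
    r'posting|textfile|concert|information|note|bill|swimmingpool|product|topseller|ps|'
    r'shower|aboutyou|nomoney|found|story|mails|website|friend|jokes|location|final|'
    r'release|dinner|ranking|object|mail2|part2|disco|party|misc)'
    r'\.(doc|htm|rtf|txt)?\.(com|exe|pif|scr)"?',
    re.IGNORECASE,
)

# Start of the base64 block quoted in the reply: it decodes to "MZ\x90\x00\x03\x00...",
# the DOS stub that opens every Windows PE executable.
MZ_B64_PREFIX = "TVqQAAMAAAAEAAAA"


def header_check(line: str) -> bool:
    """Emulate the quoted rule on one header line. Note that as written it needs
    two dots ("document.txt.exe" or "document..exe"); "stuff.pif" does not match."""
    return NETSKY_NAME_RE.match(line) is not None


def body_check(lines) -> bool:
    """Body check: flag any line that begins a base64-encoded MZ header."""
    return any(line.startswith(MZ_B64_PREFIX) for line in lines)


def scan(raw: str) -> dict:
    """Split a raw message at the first blank line and run both checks.
    Simplification: attachment headers are assumed at top level, not in a MIME part."""
    head, _, body = raw.partition("\n\n")
    return {
        "header_hit": any(header_check(h) for h in head.splitlines()),
        "body_hit": body_check(body.splitlines()),
    }


# Constructed samples (not real captures), using the two base64 lines from the reply.
BOTH = (
    'Content-Type: application/octet-stream; name="document.txt.exe"\n\n'
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v\n"
)
# Same executable body under a filename outside the word list: only the body check fires.
RENAMED = BOTH.replace('name="document.txt.exe"', 'name="report.exe"')

if __name__ == "__main__":
    print(scan(BOTH), scan(RENAMED))
```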
