Hello, all - I found a way to bounce the virus-infected messages that have been hitting this list over the past week from within Postfix. It is actually a rather broad method - we're now blocking ALL messages that include UPX-compressed executable files.
After noticing that a lot of virus and worm programs were listed as having been compressed with UPX, I searched GOOGLE in a vain attempt to find out what "signature" was common to UPX executables. No one listed one, so I resorted to using UPX on a variety of files and comparing them. I came up with three REGEXPs to do the job, but only the first two are really necessary.

If you are taking advantage of Postfix's body expression filtering, add to your list one or both of the following (the first being the best, in my opinion, in light of the fact that Postfix only checks one line at a time):

/^TV......................AAAAAAAAHAAAAA.............J9x6ptYCMyAUFAI7YB...$/i
/^jsD986X8LoBsEhBz55KvrQ4O..................VQWCELAwMI....................$/i

These match the first two lines of any UPX-compressed EXE file that has been MIME encoded. The /i is important; it forces Postfix to check in a CASE-SENSITIVE manner, to reduce false positives. You will, of course, have to add your own preferred actions to the lines; I have Postfix bounce the message with a "Possible infected binary rejected" response.

This has NOT been tested extensively - while the REGEXP matched 100% of the UPX-compressed and 0% of the non-UPX-compressed files I tested, I only tested a dozen, so your results might vary. It's already bounced two messages from this list in the 24 hours I've had it online.

--
Jeff Brenton
Vice President, Engineered Software Products, Inc
http://espi.com
Questionable web page: http://dididahdahdidit.com
Liberalism grants you the freedom to advocate any idea*.
* Please see http://www.dididahdahdidit.com/except.php for a current list of exceptions
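The following is an added illustration, not code from the post or from Postfix, of the method the post describes: deriving a body_checks pattern by comparing several base64-encoded samples (agreeing positions become literals, the rest become "."), then applying it line by line the way body_checks does, where matching is case-insensitive unless the "i" flag toggles it off. The 54-byte headers, the 72-column line width and the rule parser are constructed stand-ins; they are not real UPX output or Postfix internals.

```python
import base64
import re


def mime_lines(payload: bytes, width: int = 72) -> list[str]:
    """Base64-encode an attachment as a MIME encoder does: one continuous
    base64 string cut into fixed-width lines (72 columns = 54 bytes each)."""
    enc = base64.b64encode(payload).decode("ascii")
    return [enc[i:i + width] for i in range(0, len(enc), width)]


def sample_header(variant: int) -> bytes:
    """Constructed 54-byte stand-in for an executable's first encoded line;
    only bytes 8..11 differ between the 'files' (not real UPX bytes)."""
    return b"MZ\x90\x00\x03\x00\x00\x00" + variant.to_bytes(4, "little") + bytes(42)


def derive_pattern(lines: list[str]) -> str:
    """Build a body_checks rule from samples of the same line position:
    keep characters shared by every sample, wildcard the rest, anchor both
    ends and add the 'i' flag so the check is case-sensitive."""
    width = min(len(line) for line in lines)
    out = []
    for i in range(width):
        ch = lines[0][i]
        if any(line[i] != ch for line in lines):
            out.append(".")        # differs between samples: wildcard it
        elif ch in "+/":
            out.append("\\" + ch)  # base64 chars that are regex/delimiter metacharacters
        else:
            out.append(ch)
    return "/^" + "".join(out) + "$/i"


def postfix_match(line: str, rule: str) -> bool:
    """Apply one /pattern/flags rule with regexp_table semantics: matching
    is case-insensitive by default and the 'i' flag toggles that off."""
    m = re.fullmatch(r"/(.*)/([a-z]*)", rule)
    pattern, flags = m.group(1), m.group(2)
    ignore_case = "i" not in flags
    return re.search(pattern, line, re.IGNORECASE if ignore_case else 0) is not None


def scan_body(lines: list[str], rules: list[str]):
    """Emulate body_checks: every line is tested on its own against each
    rule (no multi-line context); return the index of the first hit or None."""
    for n, line in enumerate(lines):
        if any(postfix_match(line, rule) for rule in rules):
            return n
    return None
```

Because each line is matched in isolation, a signature that spans two encoded lines needs one rule per line, which is why the post offers two patterns rather than one.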