Hi,

On Fri, 9 Jan 2004, Gary Smith wrote:

> In postfix I use the body.regexp for the body checks.
> file: /etc/postfix/main.cf
> body_checks = regexp:/etc/postfix/body_checks.regexp
>
> Contents (only three in there at this time)
>
> /^RSLxwtYBDB6FCv8ybBcS0zp9VU5of3K4BXuwyehTM0RI9IrSjVuwP94xfn0wgOjouKWzGXHVk3qg$/
>    DISCARD Keep your viruses (sobig.f)
> /^AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v$/
>    DISCARD Keep your viruses (swern)
> /^zIGArlZWu25ux319xWpqnnNzppaWy46OvKKizZqavLa2176+283N5sfH34uLmpKSoNvb7c7O3L29$/
>    DISCARD keep your viruses (swern)
>
> not sure what system you use but this has stopped many of them in their
> tracks.  When I want to test the virus scanner I just disable the checks
> and then they start flowing through again...  :)  That way I know the
> system is working.  Then I re-enable it to just drop this trash...
>
> BTW, if people have more virus definitions (regexp extracts) that they
> have something similar to please feel free to share them.

In /etc/postfix/mime_header_checks.pcre I have:

# Postfix pcre table: a line starting with whitespace continues the logical
# line above it, and the /x flag makes PCRE ignore the layout whitespace in
# the pattern.  Matching is case-insensitive by default, so .EXE is caught
# just like .exe.
/^Content-(?:Disposition:\s+attachment;|Type:).*\b(?:file)?name\s*=.*\.(?:
        ad[ep]          |
        asd             |
        ba[st]          |
        chm             |
        cmd             |
        com(?=$|")      |
        cpl             |
        crt             |
        dll             |
        eml             |
        exe             |
        hlp             |
        hta             |
        in[fs]          |
        isp             |
        jse?            |
        lnk             |
        md[betw]        |
        ms[cipt]        |
        nws             |
        ocx             |
        ops             |
        pcd             |
        p[ir]f          |
        reg             |
        sc[frt]         |
        sh[bsm]         |
        swf             |
        url             |
        vb[esx]?        |
        vxd             |
        ws[cfh]         |
        \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}
        )\b/x           REJECT Windows executables not allowed

#__END__

and I call that from /etc/postfix/main.cf by way of:

mime_header_checks = pcre:/etc/postfix/mime_header_checks.pcre

(I stole that check from somewhere; I can't remember who originally wrote
it...)

This will probably not work for larger sites with pig-headed users since
it rejects all manner of Microsoft executable attachments, virus-laden or
not. My position is a) this is my mail system, b) I deem MS executable
attachments to be an unacceptable security risk to our network, and c) if
you are smart enough to send an attachment, you are smart enough to put it
in a zip file, tarball, etc. first (or conversely, if you're not smart
enough to use winzip you have no business mailing MS executables to my
users.)

<rant>
Besides, you should use a file transfer protocol for transferring files
and use mail for interpersonal communications; this prevents some jackass
manager from mailing a 30MB Powerpoint turd to everyone in the office,
saturating the network, clogging the mail queue and grinding everyone's
mail service to a halt.
</rant>

Seriously though, drop the junk at the MTA, filter it with an AV scanner,
and use SA's MICROSOFT_EXECUTABLE rule as a last resort. Defense-in-depth
is your friend...

-- Bob

PS: I've also used the following in procmail but there are probably better
recipes out there:

# B ?? searches the message body; the alternation is the base64 form of the
# first bytes of a DOS "MZ" header, i.e. a Windows executable attachment.
# The condition has to be one logical line, so it is written on one line.
:0
* B ?? (8AALgAAAAAAAAAQAA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|TVqQAAMAAAAEAAAA//8AAL|TVpQAAIAAAAEAA8A|TVqQAAMAAAAEAAAA)
{
    # Nested recipe: deliver the match to a maildir (trailing "/." = maildir)
    :0
    lists/crap/virus/.
}
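Added example, not code from the original post or from Postfix or procmail: a Python script that exercises both filters above on constructed input. Part 1 translates the mime_header_checks pattern to Python's re module and runs it over constructed MIME headers; besides the obvious hits it shows two properties of the posted pattern worth knowing: the trailing word-boundary assertion also rejects "library.dll.zip" (the extension only has to be followed by a non-word character, and "." is one), and it can never fire after the CLSID alternative, because "}" followed by a quote or by end-of-line is not a word boundary. A tightened lookahead variant (my own suggestion, not the page's) is compiled next to it for comparison. Part 2 shows what the procmail signatures are: a constructed IMAGE_DOS_HEADER with typical linker field values is base64-encoded the way a MIME encoder would, matched against the recipe's regex verbatim, and then shifted by one byte to show why such signatures only work when the executable starts the encoded part. Header values and sample headers are constructed for illustration.

```python
import base64
import re
import struct

# --- 1. Attachment-name check ---------------------------------------------

# Prefix and alternation copied from the mime_header_checks.pcre table above.
# Postfix pcre tables match case-insensitively by default and the table sets
# /x, so the same flags are used here.  Python's re has no POSIX [[:xdigit:]]
# class; [0-9A-Fa-f] is substituted, everything else is unchanged.
HEADER_PREFIX = r'^Content-(?:Disposition:\s+attachment;|Type:).*\b(?:file)?name\s*=.*\.(?:'
EXT_ALTERNATION = r"""
    ad[ep] | asd | ba[st] | chm | cmd | com(?=$|") | cpl | crt | dll | eml |
    exe | hlp | hta | in[fs] | isp | jse? | lnk | md[betw] | ms[cipt] | nws |
    ocx | ops | pcd | p[ir]f | reg | sc[frt] | sh[bsm] | swf | url |
    vb[esx]? | vxd | ws[cfh] |
    \{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}
"""
FLAGS = re.VERBOSE | re.IGNORECASE

# Exactly as on the page: the extension only has to end at a word boundary.
PAGE_RE = re.compile(HEADER_PREFIX + EXT_ALTERNATION + r")\b", FLAGS)

# Tightened variant (my assumption, not from the page): the extension must be
# the last thing in the parameter value, so "x.dll.zip" passes and the CLSID
# alternative, which ends in "}", can actually match.
STRICT_RE = re.compile(HEADER_PREFIX + EXT_ALTERNATION + r""")(?=["';\s]|$)""", FLAGS)


def rejected(header, pattern=PAGE_RE):
    """True if the REJECT line would fire for this one-line MIME header."""
    return pattern.search(header) is not None


# Constructed headers for the cases discussed in the lead-in.
DOUBLE_EXT_HEADER = 'Content-Disposition: attachment; filename="library.dll.zip"'
CLSID_HEADER = ('Content-Disposition: attachment; '
                'filename="report.txt.{00020906-0000-0000-C000-000000000046}"')
# RFC 2231 parameter continuation: neither pattern sees a plain "name=" here,
# one reason to keep an AV scanner behind the MTA check as Bob suggests.
RFC2231_HEADER = ('Content-Disposition: attachment; '
                  'filename*0="invoice.e"; filename*1="xe"')

# --- 2. Body signatures ----------------------------------------------------

# The condition from the procmail recipe above, verbatim.
PROCMAIL_MZ_RE = re.compile(
    r"(8AALgAAAAAAAAAQAA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    r"|TVqQAAMAAAAEAAAA//8AAL|TVpQAAIAAAAEAA8A|TVqQAAMAAAAEAAAA)")

DOS_HEADER_FMT = "<2s13H8sHH20sI"  # IMAGE_DOS_HEADER, 64 bytes


def dos_header(e_lfanew=0x80):
    """Constructed IMAGE_DOS_HEADER with the field values the "TVqQ..."
    signatures decode to: e_cblp=0x90, e_cp=3, e_cparhdr=4, e_maxalloc=0xFFFF,
    e_sp=0xB8, e_lfarlc=0x40, the rest zero.  e_lfanew (offset of the PE
    header) varies per file, which is why the signatures stop short of it."""
    return struct.pack(DOS_HEADER_FMT, b"MZ",
                       0x90, 3, 0, 4, 0, 0xFFFF, 0, 0xB8, 0, 0, 0, 0x40, 0,
                       b"\0" * 8, 0, 0, b"\0" * 20, e_lfanew)


def mime_base64_lines(data):
    """Encode like a MIME body part: base64 in 76-character lines, which is
    also the unit Postfix body_checks and procmail's B ?? look at."""
    return base64.encodebytes(data).decode("ascii").splitlines()


def looks_like_base64_exe(lines):
    """Apply the recipe's condition line by line."""
    return any(PROCMAIL_MZ_RE.search(line) for line in lines)


def decode_signature(sig):
    """Recover the raw bytes a base64 signature stands for.  A trailing partial
    4-character group is dropped rather than padded, so no byte is guessed."""
    return base64.b64decode(sig[: len(sig) // 4 * 4])


if __name__ == "__main__":
    for hdr in (DOUBLE_EXT_HEADER, CLSID_HEADER, RFC2231_HEADER):
        print(f"{hdr}\n  page: {rejected(hdr)}  strict: {rejected(hdr, STRICT_RE)}")
    exe_lines = mime_base64_lines(dos_header())
    print(exe_lines[0][:36], looks_like_base64_exe(exe_lines))
    # Same bytes, one byte later in the stream: the signature is gone.
    print(looks_like_base64_exe(mime_base64_lines(b"\0" + dos_header())))
    print(decode_signature("TVpQAAIAAAAEAA8A"))
```

The shifted case is the practical limit of body signatures: base64 regroups the input three bytes at a time, so an MZ header that is not at offset 0 of the encoded part (nested inside another container, or preceded by even one byte) produces entirely different characters, and a compressed archive does not contain the MZ bytes at all. That is why the header-name check, the body signature and a real AV scanner are layered rather than relied on individually.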



_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk