

How to use Postfix to stop SOBIG.F

What's the idea here?

You want to block SOBIG.F before it hits your antivirus software and wastes precious resources.

Specific solution: body_checks

"Here's a body_checks rule that stops today's SOBIG virus outburst. I use this with Postfix 2.0, which only body_checks the first 50 kbytes of each attachment." (Wietse)

In main.cf you must use:

body_checks = regexp:/etc/postfix/body_checks.regexp
And /etc/postfix/body_checks.regexp contains:
/^TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA$/
   REJECT Keep your executables!
The leading whitespace before REJECT is important: in a Postfix regexp table it marks the line as a continuation of the pattern line above it. Note: this pattern is the base64 encoding of the first 57 bytes of a standard MZ header, i.e. the first 76-character line a MIME encoder emits for an ordinary Windows executable. It therefore matches all DOS/Windows executables, not only SOBIG.F. That may not be what you want!

Dr. Bieringer created another pattern:

/^RSLxwtYBDB6FCv8ybBcS0zp9VU5of3K4BXuwyehTM0RI9IrSjVuwP94xfn0wgOjouKWzGXHVk3qg$/
   DISCARD Keep your viruses (sobig.f)
which is more specific, since it matches a base64 line from the body of the worm itself rather than the generic executable header. Note the different action: DISCARD accepts the message and silently drops it, while REJECT refuses it during the SMTP dialogue.

Don't forget "postfix reload"!

The log should look like this now:

Aug 20 09:31:44 mail postfix/cleanup[11686]: 435B715C01F: reject: body ... snipped ... from gate2.ks.se[193.10.63.101]; from=<sender@example.com> to=<spamtrap@example.com> proto=ESMTP helo=<PC443377>: Keep your viruses (sobig.f)
The use of REJECT is safe, because:

Generic solution: mime_header_checks (Postfix-2.x only!)

The generic solution is to reject attachments whose file extensions are known to be dangerous. Basically, this is everything Microsoft invented. In main.cf you must use:
mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
And /etc/postfix/mime_header_checks.regexp contains:
/filename=\"?(.*)\.(bat|chm|cmd|com|do|exe|hta|jse|rm|scr|pif|vbe|vbs|vxd|xl)\"?$/
   REJECT For security reasons we reject attachments of this type
Georg Gell suggests this alternative, which also names the offending file and extension in the reject text through the $2 and $3 substitutions:
mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
and /etc/postfix/mime_header_checks.regexp contains:
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wav|mov|wmf|xl))"?\s*$/
   REJECT Attachment type not allowed. File "$2" has the unacceptable extension "$3"
The leading whitespace before REJECT is important in both cases! Postfix regexp tables match case-insensitively by default, so these rules also catch FILE.EXE and Readme.PIF without an explicit /i flag.

Don't forget "postfix reload"!
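To see what the two tables above actually do before loading them into a live mail server, the following Python script emulates both checks against constructed sample input. It is an added example, not code from this page or from Postfix: it derives the "TVqQ..." body_checks line from a 64-byte MZ header with the field values the Microsoft linker emits (which is why that rule matches every ordinary Windows executable, and why a binary with a different DOS stub slips past it), and it runs Georg Gell's mime_header_checks rule, including the $2/$3 substitution, over a few constructed Content-Type and Content-Disposition headers. The header values, file names and the e_cblp=0x50 "odd stub" are assumptions made for the demonstration; re.IGNORECASE mirrors the case-insensitive default of Postfix regexp tables.

```python
"""Emulate the body_checks and mime_header_checks rules from the page.

Added example, not code from the page or from Postfix. Sample headers and the
executable header below are constructed here for the demonstration.
"""
import base64
import re
from typing import Optional

MZ_HEADER_LEN = 64
BASE64_LINE_BYTES = 57  # 57 raw bytes encode to one 76-character base64 line


def mz_header(e_cblp: int = 0x90, e_lfanew: int = 0x80) -> bytes:
    """Constructed 64-byte DOS (MZ) header with the values the MS linker emits.

    Only the fixed, non-zero fields are set; bytes 0..56 of this header are
    exactly what the page's body_checks pattern encodes. e_lfanew (the PE
    header offset) lies at byte 60 and so never reaches the first base64 line.
    """
    hdr = bytearray(MZ_HEADER_LEN)
    hdr[0:2] = b"MZ"
    hdr[2:4] = e_cblp.to_bytes(2, "little")      # bytes on last page, 0x90 normally
    hdr[4:6] = (3).to_bytes(2, "little")         # pages in file
    hdr[8:10] = (4).to_bytes(2, "little")        # header size in paragraphs
    hdr[12:14] = (0xFFFF).to_bytes(2, "little")  # max extra paragraphs
    hdr[16:18] = (0xB8).to_bytes(2, "little")    # initial SP
    hdr[24:26] = (0x40).to_bytes(2, "little")    # relocation table offset
    hdr[60:64] = e_lfanew.to_bytes(4, "little")  # offset of the PE header
    return bytes(hdr)


def first_base64_line(data: bytes) -> str:
    """First 76-character line a MIME base64 encoder emits for `data`."""
    return base64.b64encode(data[:BASE64_LINE_BYTES]).decode("ascii")


def body_rule_for(data: bytes) -> re.Pattern:
    """Anchored body_checks pattern for the first base64 line of `data`.

    Applied to mz_header() this reproduces the ^TVqQ...AAAA$ rule on the page.
    Postfix matches case-insensitively by default, hence re.IGNORECASE.
    """
    return re.compile("^" + re.escape(first_base64_line(data)) + "$", re.IGNORECASE)


def body_check(attachment: bytes, rule: re.Pattern) -> bool:
    """True if any base64 line of the encoded attachment triggers `rule`."""
    lines = base64.encodebytes(attachment).decode("ascii").splitlines()
    return any(rule.search(line) for line in lines)


# Georg Gell's rule from the page, as a Python regex (groups: 1=header, 2=file, 3=ext).
MIME_RULE = re.compile(
    r'^\s*Content-(Disposition|Type).*name\s*=\s*"?'
    r'(.+\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|'
    r'sh[mbs]|vb[esx]|ws[fh]|wav|mov|wmf|xl))"?\s*$',
    re.IGNORECASE,
)
MIME_ACTION = 'REJECT Attachment type not allowed. File "$2" has the unacceptable extension "$3"'


def mime_header_check(header: str) -> Optional[str]:
    """Return the expanded action text if `header` matches, else None.

    Postfix replaces $1..$9 in the action text with the matched groups; the
    same substitution is done here.
    """
    m = MIME_RULE.match(header)
    if not m:
        return None
    return re.sub(r"\$(\d)", lambda d: m.group(int(d.group(1))), MIME_ACTION)


SAMPLE_HEADERS = [  # constructed for this example
    'Content-Disposition: attachment; filename="your_details.pif"',
    "Content-Type: application/x-msdownload; name=thank_you.EXE",
    'Content-Type: application/pdf; name="invoice.pdf"',
    'Content-Type: application/msword; name="letter.doc"',
]

if __name__ == "__main__":
    standard = mz_header()
    rule = body_rule_for(standard)
    print("body_checks pattern:", rule.pattern)
    # Any ordinary Windows executable shares these 57 bytes, worm or not ...
    print("standard exe matched:", body_check(standard + b"\0" * 200, rule))
    # ... while a binary with a non-standard DOS stub slips past the exact match.
    print("odd-stub exe matched: ", body_check(mz_header(e_cblp=0x50) + b"\0" * 200, rule))
    for h in SAMPLE_HEADERS:
        print(h, "->", mime_header_check(h) or "passed")
```

The script stands in for `postmap -q "string" regexp:/etc/postfix/...` on a box without Postfix; on a real server that command is the right way to test a single line against the table before running `postfix reload`.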


© by Ralf Hildebrandt
This document contains links to external information sources that I do neither monitor nor control. I explicitly disclaim any liabilities in respect to external references.
You are getting this document without any guarantees. Any methods shown above are meant as demonstration and may be wrong in some place. You may damage your system if you try to follow my hints and instructions. You do this at your own risk!

This file was last modified 18. Feb 2008 by root