
Re: Regex to block Sobig



Steven Pritchard wrote:
> On Fri, Aug 22, 2003 at 11:49:32AM -0500, Marcelo Medici wrote:
> 
>>I am trying to filter, using procmail, the offending subjects created in
>>email by the sobig worm.

My postfix header_filters setup is also using this

/^Subject: (Re: (Details|Approved|Re: My details|That movie|Wicked screensaver|Your application)|Your details) *$/    REJECT Sorry, the subject of your message implies that you are the sobig.f virus.

for another couple of weeks.  Since midnight (it's only 10:50 AM now), 
that's rejected 1265 messages.  It blocked 1922 messages over the 2 days 
prior, and only 301 over the 3 days prior to those.  I wonder if 
sobig's getting to be a bigger problem or not... :(

> I have a better idea...  Block executable attachments.

[...snip...]

> And in /etc/postfix/virus, I have this:
> 
>   /^Content-Disposition: *attachment; *filename="?.*\.(lnk|com|exe|url|bat|vbs|cmd|pif|scr|wsh)"?$/	REJECT No executable attachments allowed here.
> 
>   /^\s*name="?.*\.(lnk|com|exe|url|bat|vbs|cmd|pif|scr|wsh)"?$/	REJECT No executable attachments allowed here.

Your list is a little short, isn't it?  This is what I use:

/^Content-(Type|Disposition):.*(file)?name=.*\.(asd|bat|chm|cmd|dll|exe|hlp|hta|jse|lnk|ocx|pif|scr|shb|shm|shs|vb|vbe|vbs|vbx|vxd|wsf|wsh)/ 
    REJECT Sorry, we do not accept .${3} file types.

I had to pull ".com" out of the list, because some of our mailers will 
"attach" a URL when emailing links around.  That's a stupid way of 
including a web site, but it's how Thunderbird does it if you just drag 
a link onto the window - and probably a few other mailers.  I really 
like the ability to put parts of the match into the message, too, as 
that gives me 1) a way to keep track of which attachment types are 
getting blocked most often (that error goes into the syslog, too) and 2) 
it makes debugging easier when the mail server keeps rejecting messages 
with URLs attached. :)

As an aside, why the "\s*name=" line in Postfix's header checks?  I ask 
because "patterns are applied to entire logical message headers, even 
when a header spans multiple lines of text"... :)

--Danny
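
A small harness that applies the header_checks rules quoted in this thread to a few constructed messages. This is an added example, not code from the thread or from Postfix: it emulates a Postfix header_checks table in Python (case-insensitive regexes, ${N} substitution from capture groups, RFC 2822 unfolding of continuation lines into one logical header) so you can see why the "${3}" trick reports the blocked extension, why a ".com" entry rejects URL attachments, and why a pattern anchored at "^\s*name=" never matches a folded header. The exact way Postfix joins folded lines is not reproduced here; the unfolding below simply replaces the line break with a space. All sample messages and the example.com filename are constructed.

```python
import re
from typing import List, Optional, Tuple

Rule = Tuple[str, str]  # (pattern, action) as in a Postfix header_checks table

# Danny's Sobig subject rule, as quoted in the thread.
SOBIG_SUBJECT: Rule = (
    r"^Subject: (Re: (Details|Approved|Re: My details|That movie|"
    r"Wicked screensaver|Your application)|Your details) *$",
    "REJECT Sorry, the subject of your message implies that you are the sobig.f virus.",
)

# Danny's attachment extension list (".com" already pulled out).
BLOCKED_EXTS = ["asd", "bat", "chm", "cmd", "dll", "exe", "hlp", "hta", "jse",
                "lnk", "ocx", "pif", "scr", "shb", "shm", "shs", "vb", "vbe",
                "vbs", "vbx", "vxd", "wsf", "wsh"]


def attachment_rule(exts: List[str]) -> Rule:
    """Build Danny's attachment rule for a given extension list; group 3 is the extension."""
    return (
        r"^Content-(Type|Disposition):.*(file)?name=.*\.(" + "|".join(exts) + ")",
        "REJECT Sorry, we do not accept .${3} file types.",
    )


# Steven's second rule, anchored at the start of a continuation line.
STEVEN_NAME_RULE: Rule = (
    r'^\s*name="?.*\.(lnk|com|exe|url|bat|vbs|cmd|pif|scr|wsh)"?$',
    "REJECT No executable attachments allowed here.",
)

RULES: List[Rule] = [SOBIG_SUBJECT, attachment_rule(BLOCKED_EXTS)]


def unfold_headers(raw: str) -> List[str]:
    """Join folded continuation lines (leading whitespace) into one logical header each.

    Simplification: the fold is replaced by a single space; Postfix's own
    joining of folded headers is not reproduced exactly.
    """
    logical: List[str] = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header section
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line)
    return logical


def expand(action: str, m: "re.Match[str]") -> str:
    """Substitute ${N} in the action text with capture group N (empty if unset)."""
    def repl(g: "re.Match[str]") -> str:
        n = int(g.group(1))
        return (m.group(n) or "") if n <= m.re.groups else ""
    return re.sub(r"\$\{(\d+)\}", repl, action)


def check_headers(raw: str, rules: List[Rule] = RULES) -> Optional[str]:
    """Return the expanded action of the first matching rule, or None if the message passes."""
    for header in unfold_headers(raw):
        for pattern, action in rules:
            m = re.search(pattern, header, re.IGNORECASE)  # Postfix tables are case-insensitive by default
            if m:
                return expand(action, m)
    return None


# Constructed sample messages (headers only matter; bodies are filler).
SOBIG_MSG = "From: someone@example.invalid\nSubject: Re: That movie\n\nbody"
PIF_MSG = ("Subject: your document\n"
           "Content-Type: application/octet-stream;\n"
           "\tname=\"movie.pif\"\n"
           "\nbody")
URL_MSG = ("Subject: link for you\n"
           "Content-Disposition: attachment;\n"
           " filename=\"example.com\"\n"
           "\nbody")
CLEAN_MSG = "Subject: Re: Detailsss\nContent-Type: text/plain\n\nbody"

if __name__ == "__main__":
    for name, msg in [("sobig", SOBIG_MSG), ("pif", PIF_MSG), ("url", URL_MSG), ("clean", CLEAN_MSG)]:
        print(f"{name:5s} -> {check_headers(msg)}")
    # The .com false positive Danny describes, and Steven's anchored name= rule against a folded header:
    print("url with .com blocked ->", check_headers(URL_MSG, [attachment_rule(BLOCKED_EXTS + ["com"])]))
    print("folded pif vs ^\\s*name= ->", check_headers(PIF_MSG, [STEVEN_NAME_RULE]))
```

The folded Content-Type header in PIF_MSG is rejected by Danny's rule with ".pif" filled into the message, while the same header passes Steven's "^\s*name=" rule, because after unfolding the logical header starts with "Content-Type:" and the anchor never sees a line beginning with "name=". Adding "com" back to the list turns the URL attachment into a rejection, which is the behaviour that made Danny drop it.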

