Subject: Re: Filtering .vbs attachments? (Was: Re: Changed subject (was Re: reg. virus named ...)
From: Ari Gordon-Schlosberg (regs nebcorp.com)
Date: Fri May 05 2000 - 18:25:51 CDT
- Next message: Ari Gordon-Schlosberg: "Re: Filtering .vbs attachments? (Was: Re: Changed subject (was Re: reg. virus named ...)"
- Previous message: Ari Gordon-Schlosberg: "Re: Changed subject (was Re: reg. virus named ...)"
- In reply to: Stefan Seufert: "RE: Filtering .vbs attachments? (Was: Re: Changed subject (was Re: reg. virus named ...)"
- Next in thread: Bennett Todd: "Re: Filtering .vbs attachments? (Was: Re: Changed subject (was Re: reg. virus named ...)"
- Next in thread: Ari Gordon-Schlosberg: "Re: Filtering .vbs attachments? (Was: Re: Changed subject (was Re: reg. virus named ...)"
- Next in thread: Lutz Jaenicke: "Re: Changed subject (was Re: reg. virus named ...)"
- Reply: Ari Gordon-Schlosberg: "Re: Filtering .vbs attachments? (Was: Re: Changed subject (was Re: reg. virus named ...)"
- Reply: Bennett Todd: "Re: Filtering .vbs attachments? (Was: Re: Changed subject (was Re: reg. virus named ...)"
[Stefan Seufert <seuf ccsw.de>]
> > > Did we decide that there is no way to filter any email with a .vbs
> > > attachment? or this specific attachment?
> >
> > Postfix currently includes no provisions whatsoever for scrutinizing
> > the body of a message.
> >
> > Lars Hecking posted a note on April 20, with the subject "Postfix
> > and virus checking - solution", that describes how to approach the
> > problem; you run two Postfixes, the one with the smtp listener does
> > all delivery through a pipe transport that runs the checks, and
> > passes the results on to the other postfix via /usr/lib/sendmail.
>
> Since we most probably will be faced with problems like ILOVEYOU or Melissa even
> more in the future it might be worth thinking about a "real" solution, not a
> hack. The solution Lars presented is really fine, I like it, but involves a
> somewhat complex setup and running two instances of postfix which makes
> tracking down errors much harder. A hook like the header_checks, call it
> body_checks would be really nice for quick responses to this sort of problem.
> Once you discover such a nasty worm you can quickly add a line to your
> file/db/whatever and lean back while investigating the problem. For invoking a
> real virus scanner another hook which will execute a program and decide by the
> return value what will happen to the mail might be useful, too. Of course, some
This is a good idea, and to go back to what Simon talked about
earlier, it would be good to be able to pass this through a triage
function. i.e. don't send everything out for virus scanning. Emails that
contain zero attachments or attachments of a type deemed to not pose an
infection threat can pass right through, while anything of a potentially
threatening type would be checked.
> members of this list which are running very large lists or high volume sites might not
> be able to use this solution because it would knock out their machines, but
> there are many other people running much smaller sites which will like this
> feature. The main problem in my eyes is that we need someone to implement it
> ( This is most probably not a question of programming skills but of free time.
Lists are not the issue, as while there are many recipients, there's only
one message, and it only needs to get checked once.
--
Ari there is no spoon
-------------------------------------------------------------------------
http://www.nebcorp.com/~regs/pgp for PGP public key
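
The triage step discussed in this message, sketched as an added example (not code from the thread or from Postfix): a message with no attachments, or only attachments on a site allowlist, passes straight through, and everything else is handed to the scanner. The allowlist contents, the function names and the sample messages are assumptions constructed for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumption: this site's allowlist of attachment types deemed harmless,
# mapping extension -> the only Content-Type accepted for it.
SAFE_TYPES = {".txt": "text/plain", ".png": "image/png",
              ".jpg": "image/jpeg", ".gif": "image/gif"}
BODY_TYPES = ("text/plain", "text/html")

def attachments(msg):
    """Yield (filename, content_type) for each leaf part that is not body text."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name, ctype = part.get_filename(), part.get_content_type()
        is_body = (name is None and ctype in BODY_TYPES
                   and part.get_content_disposition() != "attachment")
        if not is_body:
            yield name, ctype

def triage(raw):
    """Return ("pass", []) or ("scan", reasons) for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for name, ctype in attachments(msg):
        # Only the last extension counts, so "x.TXT.vbs" is judged as .vbs.
        ext = os.path.splitext(name or "")[1].lower()
        # Fail closed: unknown extension or mismatched type goes to the scanner.
        if SAFE_TYPES.get(ext) != ctype:
            reasons.append(f"{name or '<unnamed>'} ({ctype})")
    return ("scan", reasons) if reasons else ("pass", [])

def sample(filename=None, ctype="text/plain"):
    """Build a constructed test message, optionally with one attachment."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("hello")
    if filename:
        maintype, subtype = ctype.split("/")
        m.add_attachment(b"placeholder", maintype=maintype,
                         subtype=subtype, filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for args in [(), ("notes.txt",), ("letter.TXT.vbs",),
                 ("photo.jpg", "application/octet-stream")]:
        print(args, triage(sample(*args)))
```

Because the decision is made once per message rather than once per recipient, a list message with many recipients costs a single triage call.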