From: Wietse Venema (wietseporcupine.org)
Date: Tue Sep 18 2001 - 12:50:20 CDT


    There's a new worm hammering networks via email, via open shares,
    and via vulnerable web servers.

    Propagation via email can be stopped with:

        /etc/postfix/main.cf:
            body_checks = regexp:/etc/postfix/body_checks

        /etc/postfix/body_checks:
            /^[SPACE TAB]*name=.*\.exe/ REJECT

    Inside the [] are one space and one tab.

    This is also a reminder that Postfix needs decent MIME parsing
    support so it can filter this sort of malware more effectively.

            Wietse

    The worm's MIME headers (shown in the original post with spaces
    inserted between the characters to avoid false alarms; collapsed
    below):

    --====_ABC1234567890DEF_====
    Content-Type: multipart/alternative;
            boundary="====_ABC0987654321DEF_===="

    --====_ABC0987654321DEF_====
    Content-Type: text/html;
            charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    <HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
    <iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
    </iframe></BODY></HTML>
    --====_ABC0987654321DEF_====--

    --====_ABC1234567890DEF_====
    Content-Type: audio/x-wav;
            name="readme.exe"
    Content-Transfer-Encoding: base64
    Content-ID: <EA4DMGBP9p>
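
The following is an added example, not part of Wietse's post or of Postfix. It rebuilds the quoted MIME structure as a constructed message (the top-level multipart/related Content-Type and the base64 body, a harmless placeholder, are assumptions added so the message parses on its own), emulates the line-oriented body_checks rule from the post, and contrasts it with the MIME-aware check the post says Postfix still lacked. The body_checks rule catches the worm as actually sent, where `name="readme.exe"` sits on a folded continuation line; a sender that puts the same parameter on the `Content-Type:` line slips past the `^[ \t]*name=` anchor, while a parser that unfolds headers still sees the `.exe` attachment.

```python
import base64
import email
import re
from email import policy

# Constructed sample message.  Part headers, boundary strings, Content-ID and
# the attachment name are the ones quoted in the post.  The top-level
# Content-Type (assumed multipart/related), the envelope headers and the base64
# body (a placeholder string, not an executable) are assumptions added here.
PLACEHOLDER_B64 = base64.b64encode(b"placeholder bytes, not an executable").decode()

SAMPLE = (
    "From: sender@example.invalid\n"
    "To: victim@example.invalid\n"
    "Subject: (none)\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/related; boundary="====_ABC1234567890DEF_===="\n'
    "\n"
    "--====_ABC1234567890DEF_====\n"
    "Content-Type: multipart/alternative;\n"
    '\t\tboundary="====_ABC0987654321DEF_===="\n'
    "\n"
    "--====_ABC0987654321DEF_====\n"
    "Content-Type: text/html;\n"
    '\t\tcharset="iso-8859-1"\n'
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>\n"
    "<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>\n"
    "</iframe></BODY></HTML>\n"
    "--====_ABC0987654321DEF_====--\n"
    "\n"
    "--====_ABC1234567890DEF_====\n"
    "Content-Type: audio/x-wav;\n"
    '\t\tname="readme.exe"\n'
    "Content-Transfer-Encoding: base64\n"
    "Content-ID: <EA4DMGBP9p>\n"
    "\n"
    f"{PLACEHOLDER_B64}\n"
    "--====_ABC1234567890DEF_====--\n"
)

# The rule from the post: /^[SPACE TAB]*name=.*\.exe/ REJECT.  Postfix regexp
# tables match case-insensitively by default, hence re.IGNORECASE.
BODY_CHECK = re.compile(r"^[ \t]*name=.*\.exe", re.IGNORECASE)


def body_checks_reject(raw: str) -> bool:
    """Emulate body_checks: the pattern is tried against each body line on its
    own.  Nested MIME part headers are body lines from this point of view, and
    no header unfolding is done."""
    body = raw.split("\n\n", 1)[1]  # everything after the top-level header block
    return any(BODY_CHECK.search(line) for line in body.split("\n"))


def mime_exe_attachments(raw: str) -> list[str]:
    """MIME-aware check: parse the message, unfold part headers, and report
    every part whose filename (Content-Disposition filename= or Content-Type
    name=) ends in .exe, whatever the declared media type says."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".exe"):
            found.append(name)
    return found


def unfolded_variant(raw: str) -> str:
    """Same message, but with name= moved onto the Content-Type line instead of
    a folded continuation line (a trivial change a sender could make)."""
    return raw.replace(
        'Content-Type: audio/x-wav;\n\t\tname="readme.exe"',
        'Content-Type: audio/x-wav; name="readme.exe"',
    )


if __name__ == "__main__":
    for label, msg in (("as posted", SAMPLE), ("name= unfolded", unfolded_variant(SAMPLE))):
        print(f"{label:15s} body_checks REJECT: {body_checks_reject(msg)!s:5s} "
              f"MIME parser sees: {mime_exe_attachments(msg)}")
```

Running the block prints one line per variant. The body_checks rule rejects the message in the form the worm sent it but not the unfolded variant; the parser-based check flags `readme.exe` in both, which is the "decent MIME parsing" the post asks for. The emulation is deliberately narrow: real body_checks also sees base64 payload lines, and the regexp table here is only the one rule from the post.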
