Security : WORM_HOLAR.H mass mailing gets past header_checks
From: Alex Kramarov (alex incredimail.com)
Date: Mon Jun 02 2003 - 07:15:17 CDT
Hi,
On May 29, a new mass-mailing worm was "released" into the wild. I was not concerned with that until it got past my mail server and into the users' mailboxes, despite the fact that no such virus has ever passed my header checks before.
I run Postfix 2.0.6, and have
postconf |grep header
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = $header_checks
nested_header_checks = $header_checks
cat /etc/postfix/header_checks (on one line) :
/^Content-(Type|Disposition):.*(file)?name=.*\.(com|exe|lnk|bat|scr|chm|hlp|hta|reg|shs|vbe|vbs|wsf|wsh|pif)/ REJECT Email rejected, an attachment with .${3} extension detected.
For some reason, Postfix doesn't catch the email sent by this worm. I have placed a sample of the email at http://mail.incredimail.com/worm_email.txt
Is something missing on my end, or does Postfix not recognise this email's MIME headers as MIME headers?
Thank you,
Alex.
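Added example, not part of the original post: a Python approximation of how the header_checks pattern quoted above is applied to each logical header of a message and of its MIME parts, for checking a saved message offline. Python's `re` stands in for Postfix's regexp engine here, and the function name `check_headers` and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# The pattern from /etc/postfix/header_checks in the post. Postfix regexp tables
# match case-insensitively and do not treat newlines specially, hence both flags.
PATTERN = re.compile(
    r"^Content-(Type|Disposition):.*(file)?name=.*"
    r"\.(com|exe|lnk|bat|scr|chm|hlp|hta|reg|shs|vbe|vbs|wsf|wsh|pif)",
    re.IGNORECASE | re.DOTALL,
)

def check_headers(raw_message):
    """Return (part_index, header_name, extension) for every matching header."""
    hits = []
    msg = message_from_string(raw_message)
    # The post points header_checks, mime_header_checks and nested_header_checks
    # at the same table, so every header of every part is tested against it.
    for index, part in enumerate(msg.walk()):
        for name, value in part.items():
            m = PATTERN.search(f"{name}: {value}")  # folded header as one string
            if m:
                hits.append((index, name, m.group(3).lower()))
    return hits

# Constructed sample messages (not the worm sample linked in the post).
WITH_ATTACHMENT = """\
From: sender@example.com
Subject: constructed test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

hello
--BOUND
Content-Type: application/octet-stream;
 name="report.pif"
Content-Disposition: attachment;
 filename="report.pif"

AAAA
--BOUND--
"""
PLAIN = "From: sender@example.com\nSubject: constructed test\n\nno attachment\n"
if __name__ == "__main__":
    for hit in check_headers(WITH_ATTACHMENT):
        print("REJECT part %d, %s: .%s extension" % hit)
```

If a saved message produces hits here but is still delivered, the pattern itself is matching and the difference lies in which lines the mail server treats as headers.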