NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Postfix Discussion> 2003-08

Re: body_checks and sobig

From: Andreas Meyer (anmeyeranup.de)
Date: Tue Aug 19 2003 - 17:12:16 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Ben Rosengart <br+postfixpanix.com> schrieb:

> On Tue, Aug 19, 2003 at 04:06:02PM -0400, Wietse Venema wrote:
> > Here's a body_checks rule that stops today's SOBIG virus outburst.
> > I use this with Postfix 2.0 which only body_checks the first 50kbytes
> > of each attachment.
>
> For some reason, this is not working for me.
>
> mail3# chroot /var/panix-chroot postconf body_checks
> body_checks = regexp:/etc/postfix/body_checks
> mail3# ls -l /var/panix-chroot/etc/postfix/body_checks -rw-r--r-- 1 root wheel 112 Aug 19 16:51 /var/panix-chroot/etc/postfix/body_checks
> mail3# cat /var/panix-chroot/etc/postfix/body_checks
> /^TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> $/ REJECT sobig virus detected
>
> But a test copy of the virus -- which contains that pattern,
> verified with grep -- makes it through my Postfix installation.
> Any ideas?

how does your test copy look like?

Aug 20 00:07:27 heaven7 postfix/pickup[4925]: 4170681A1: uid=0 from=<root>
Aug 20 00:07:27 heaven7 postfix/cleanup[5239]: 4170681A1: message-id=<20030819220727.4170681A1heaven7.meyer.home>
Aug 20 00:07:27 heaven7 postfix/cleanup[5239]: 4170681A1: reject: body TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA; from=<rootmeyer.home> to=<andreasmeyer.home>: keep your viruses.
Aug 20 00:07:27 heaven7 postfix/cleanup[5239]: 4170681A1: to=<andreasmeyer.home>, relay=cleanup, delay=0, status=bounced (keep your viruses.)Aug 20 00:07:27 heaven7 postfix/cleanup[5249]: 8567281A3: message-id=<20030819220727.8567281A3heaven7.meyer.home>
Aug 20 00:07:27 heaven7 postfix/nqmgr[4926]: 8567281A3: from=<>, size=1911, nrcpt=1 (queue active)
Aug 20 00:07:27 heaven7 postfix/smtp[5241]: setting up TLS connection to delta.meyer.home
Aug 20 00:07:27 heaven7 postfix/cleanup[5249]: A91F881A4: message-id=<20030819220727.A91F881A4heaven7.meyer.home>
Aug 20 00:07:27 heaven7 postfix/nqmgr[4926]: A91F881A4: from=<double-bounceheaven7.meyer.home>, size=1469, nrcpt=1 (queue active)
Aug 20 00:07:28 heaven7 postfix/smtp[5251]: setting up TLS connection to delta.meyer.home
Aug 20 00:07:28 heaven7 postfix/smtp[5241]: Verified: subject_CN=delta.meyer.home, issuer=Andreas Meyer
Aug 20 00:07:28 heaven7 postfix/smtp[5241]: TLS connection established to delta.meyer.home: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
Aug 20 00:07:29 heaven7 postfix/smtp[5251]: Verified: subject_CN=delta.meyer.home, issuer=Andreas Meyer
Aug 20 00:07:29 heaven7 postfix/smtp[5251]: TLS connection established to delta.meyer.home: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
Aug 20 00:07:29 heaven7 postfix/smtp[5251]: A91F881A4: to=<postmastermeyer.home>, relay=delta.meyer.home[192.168.1.75], delay=2, status=sent
(250 Ok: queued as 5C32417D43)
Aug 20 00:07:33 heaven7 postfix/smtp[5241]: 8567281A3: to=<rootmeyer.home>, relay=delta.meyer.home[192.168.1.75], delay=6, status=bounced (host delta.meyer.home[192.168.1.75] said: 550 Error: keep that stuff.)
Aug 20 00:07:33 heaven7 postfix/cleanup[5239]: 9944F81A0: message-id=<20030819220733.9944F81A0heaven7.meyer.home>
Aug 20 00:07:33 heaven7 postfix/nqmgr[4926]: 9944F81A0: from=<double-bounceheaven7.meyer.home>, size=3188, nrcpt=1 (queue active)
Aug 20 00:07:33 heaven7 postfix/smtp[5251]: setting up TLS connection to delta.meyer.home
Aug 20 00:07:34 heaven7 postfix/smtp[5251]: Verified: subject_CN=delta.meyer.home, issuer=Andreas Meyer
Aug 20 00:07:34 heaven7 postfix/smtp[5251]: TLS connection established to delta.meyer.home: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
Aug 20 00:07:39 heaven7 postfix/smtp[5251]: 9944F81A0: to=<postmastermeyer.home>, relay=delta.meyer.home[192.168.1.75], delay=6, status=bounced (host delta.meyer.home[192.168.1.75] said: 550 Error: keep that stuff.)
Aug 20 00:07:39 heaven7 postfix/bounce[5247]: warning: 9944F81A0: undeliverable postmaster notification discarded

What makes me nervous is the last line with "undeliverable postmaster notification discarded".

--
Andreas Meyer | http://www.anup.de
| http://home.wtal.de/MeineHomepage

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]