Re: blocking bagle?

From: Alan (alanufies.org)
Date: Thu Mar 04 2004 - 12:21:00 CST


> > Is there a way to block the new bagle (Win32/Bagle.Emm IIRC) virus
[snip]
> You haven't given any info about anything about you, your experience,
> site policy or your system. So, the short answer is: "Definitely". I do
> it with header_checks, mime_header_checks and site policy. Others would
> do it other ways.

Sorry about that. I've used postfix for a couple of years for a site
with 5-10 virtual domains with probably 130 total users across all
domains. It's just a personal/friends site, with no real "site policy",
though I do block some things globally by body_checks (exe files, sobig,
swen, mydoom, and a couple of others).

I don't do global spam filtering because I don't want to be losing
anyone's legit email, but because this one is crafty enough to get my
users coming crying to me, it's affecting me directly enough to want to
take action.

I don't have any commercial AV software as I don't have the financial
resources to spend lots (defined generally as > $0 :) on commercial AV
stuff. The box is a fully updated gentoo linux x86 system.

> For other list subscribers on this subject, from the dshield (SANS/ISC)
> mailing list, something maybe of interest attached, if your AV partner
> isn't completely up to date. These things are appearing at the rate of
> knots.

Many thanks, I'll see if this helps.

> If your MTA can block based on patterns in the message body, it should
> be possible to block this one at the email gateway. I'm using postfix,
> and it's done like this
>
> main.cf:
> body_checks = regexp:/etc/postfix/body_checks
>
> body_checks:
> /UEsDBAoAAQAAA/ HOLD

Alan

--
Alan <alanufies.org> - http://arcterex.net
--------------------------------------------------------------------
"There are only 3 real sports: bull-fighting, car racing and mountain
climbing. All the others are mere games." -- Hemingway
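The quoted reply's body_checks line, `/UEsDBAoAAQAAA/ HOLD`, is worth unpacking for anyone copying it. Postfix body_checks runs each pattern against every raw body line, so the regex is matched against the base64 text of the attachment rather than the decoded bytes. Those 13 base64 characters decode to the start of a zip local file header: the `PK\x03\x04` signature, version needed 1.0, and a general-purpose flags word with bit 0 set, which is the encryption flag. The pattern therefore singles out base64-encoded encrypted, stored zips at the beginning of a body line, which is why it can catch a password-protected archive that an unencrypted zip (whose base64 also starts with `UEsD`) does not trigger. The HOLD action parks the message in the Postfix hold queue for an administrator to inspect instead of bouncing it, which matters because any legitimate password-protected zip would match too. The script below is an added example written for this page and is not code from the thread or from Postfix: it emulates the per-line body_checks scan on a constructed message, decodes the matched prefix to show the header fields, and uses `re.IGNORECASE` because Postfix regexp tables match case-insensitively by default. The message text and base64 filler are constructed for the example and are not real attachment content.

```python
import re
import struct

# The body_checks table from the quoted reply as (compiled pattern, action)
# pairs. Postfix regexp tables are case-insensitive unless toggled with /i,
# so re.IGNORECASE mirrors the default behaviour.
BODY_CHECKS = [
    (re.compile(r"UEsDBAoAAQAAA", re.IGNORECASE), "HOLD"),
]


def scan_body(message_text):
    """Emulate Postfix body_checks: every body line is tested against each
    pattern in table order; the first hit returns (action, line), otherwise
    None. Headers are skipped because body_checks only covers the body."""
    _headers, _sep, body = message_text.partition("\n\n")
    for line in body.splitlines():
        for pattern, action in BODY_CHECKS:
            if pattern.search(line):
                return action, line
    return None


def decode_zip_prefix(b64_prefix):
    """Decode a base64 prefix and parse the first 8 bytes as a zip local file
    header so the reader can see what the pattern really keys on.
    Only whole 4-character base64 quanta are decoded; a trailing partial
    quantum (as in the 13-character pattern) is dropped."""
    import base64
    usable = b64_prefix[: len(b64_prefix) // 4 * 4]
    data = base64.b64decode(usable)
    # Local file header: 4-byte signature, u16 version needed, u16 flags.
    signature, version_needed, flags = struct.unpack("<4sHH", data[:8])
    return {
        "signature": signature,            # b'PK\x03\x04' for a zip
        "version_needed": version_needed,  # 10 means zip version 1.0
        "flags": flags,
        "encrypted": bool(flags & 0x0001), # bit 0 = traditional encryption
    }


# Constructed sample: a multipart message whose zip attachment starts with
# the encrypted-stored-zip header the pattern targets. The base64 after the
# prefix is arbitrary filler, not a real archive.
SAMPLE_HELD = """From: sender@example.invalid
To: user@example.invalid
Subject: Re: Document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attachment.
--b1
Content-Type: application/zip; name="doc.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAQAAAFRSRVNUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Constructed sample: the same message carrying an ordinary deflated,
# unencrypted zip. Its base64 also begins with "UEsD" (PK\x03\x04) but the
# version/flags bytes differ, so the pattern does not fire.
SAMPLE_CLEAN = SAMPLE_HELD.replace(
    "UEsDBAoAAQAAAFRSRVNU", "UEsDBBQAAAAIFRSRVNU"
)


if __name__ == "__main__":
    print("held message  ->", scan_body(SAMPLE_HELD))
    print("clean message ->", scan_body(SAMPLE_CLEAN))
    print("pattern decodes to", decode_zip_prefix("UEsDBAoAAQAAA"))
```

Running it shows the held message matching on the base64 line while the clean one passes, and the decoded prefix reporting `encrypted: True`. When adapting the pattern, keep in mind that body_checks sees only one line at a time, so it only works when the encoded attachment begins at the start of a base64 line, which is the normal case for a MIME part but not guaranteed for every encoder.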