RE: body_checks

From: Jason Williard (jwilliardpcsafe.com)
Date: Mon May 02 2005 - 16:31:37 CDT


Thank you everyone. Switching from body_checks to mime_header_checks did
the trick.

As for Jay's 3rd question, these are viruses (W32.Sober.Omm). I'm sure
that many administrators have seen this one today. If anyone is curious,
here's a link to Symantec's information on this:

http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.omm.html

---
Thank You
Jason Williard
Systems Administrator
PCSafe, Inc.

-----Original Message-----
From: owner-postfix-userspostfix.org
[mailto:owner-postfix-userspostfix.org] On Behalf Of Jay Maynard
Sent: Monday, May 02, 2005 2:22 PM
To: postfix-userspostfix.org
Subject: Re: body_checks

On Mon, May 02, 2005 at 02:14:09PM -0700, Jason Williard wrote:
> Today all mail users on one of my systems started receiving a large number
> of emails with attachments with names that end in (secret.zip, info.zip &
> text.zip). I've been trying to find a way to drop these mails quickly. The
> solution that I came up with was enabling body_checks. However, the way I
> have it set up does not appear to be working. I am hoping someone can catch
> what I am doing wrong here.
>
> ## main.cf
> body_checks = regexp:/etc/postfix/body_checks
> body_checks = pcre:/etc/postfix/body_checks
>
>
> ## body_checks
> /(filename|name)="?.*info\.zip.*"?/ DISCARD
> /(filename|name)="?.*text\.zip.*"?/ DISCARD
> /(filename|name)="?.*secret\.zip.*"?/ DISCARD
>
> After editing body_checks, I run "postmap body_checks".
>
> Is there anything that I am missing or doing wrong here?

1) You want mime_header_checks, not body_checks.
2) You don't need to postmap a regexp table, like the one you're using.
3) Are these viruses or spam? If they're viruses, you want to discard; if
they're spam, you want to reject.
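
The following is an added illustration, not part of the thread or of Postfix itself: a small Python simulation of how Postfix evaluates a pcre:/regexp: table such as mime_header_checks (first matching pattern wins, case-insensitive by default, no postmap step). It applies the three patterns from the thread to constructed MIME header lines of the kind Postfix hands to mime_header_checks rather than body_checks; the table name /etc/postfix/mime_header_checks is assumed.

```python
import re

# Constructed stand-in for /etc/postfix/mime_header_checks: the three rules
# from the thread, moved from body_checks to mime_header_checks as Jay advised.
# Postfix reads pcre:/regexp: tables directly, so "postmap" is not run on them.
MIME_HEADER_CHECKS = r"""
/(filename|name)="?.*info\.zip.*"?/    DISCARD
/(filename|name)="?.*text\.zip.*"?/    DISCARD
/(filename|name)="?.*secret\.zip.*"?/  DISCARD
"""

# One table line: /pattern/ followed by whitespace and an action keyword.
TABLE_LINE = re.compile(r"^/(.*)/\s+(\S+)\s*$")


def load_table(text):
    """Parse '/pattern/ ACTION' lines into (compiled regex, action) pairs.
    Postfix pcre/regexp tables match case-insensitively unless told otherwise."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = TABLE_LINE.match(line)
        if not m:
            raise ValueError("bad table line: %r" % line)
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules


def lookup(rules, header_line):
    """First matching rule wins, as in Postfix; None means no rule fired."""
    for pattern, action in rules:
        if pattern.search(header_line):
            return action
    return None


# Constructed MIME header lines. Postfix routes lines like these to
# mime_header_checks; body_checks only sees non-header body lines, which is
# why the original body_checks setup never matched the attachment names.
SAMPLE_MIME_HEADERS = [
    'Content-Disposition: attachment; filename="secret.zip"',
    'Content-Type: application/zip; name="info.zip"',
    'Content-Type: text/plain; charset="us-ascii"',
    'Content-Disposition: attachment; filename="report.pdf"',
]


def classify(text=MIME_HEADER_CHECKS, headers=SAMPLE_MIME_HEADERS):
    """Map each sample header line to the action the table would take."""
    rules = load_table(text)
    return {h: lookup(rules, h) for h in headers}
```

On a real system the equivalent check is `postmap -q 'Content-Disposition: attachment; filename="secret.zip"' pcre:/etc/postfix/mime_header_checks`, which prints the action for a matching line.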