On Mon, Aug 25, 2003 at 09:40:28PM +0200, Keld Jørn Simonsen wrote:
> How can you stop the virus flooding in cooker?
>
> I would like to just stop all mail with some selected set of attachments
> like .pif and .exe - how is this doable, and is it standard in the MTA?
>
> Would be nice to announce 9.2 with the ability to just ignore virus like
> this.

this is easy to do:
(i assume you have postfix 2.0 or greater)

create the file /etc/postfix/header_checks containing one of these lines

/^Content-(Type|Disposition):.* (file)?name="?.*\.[A-Za-z0-9]+\.(asd|exe|bat|chm|com|cil|dll|hlp|hta|js|lnk|nws|ocx|pif|reg|scr|sh[bs]|vb|vb[se]|ws[cfh]|msi)"?/ REJECT

/^Content-(Type|Disposition):.* (file)?name="?.*\.(asd|exe|bat|chm|com|cil|dll|hlp|hta|js|lnk|nws|ocx|pif|reg|scr|sh[bs]|vb|vb[se]|ws[cfh]|msi)"?/ REJECT

the first blocks attachments with a double extension à la readme.doc.pif
the second blocks executable attachments

then at the root prompt issue the command
postconf -e "header_checks = regexp:/etc/postfix/header_checks"

> And the MTA should not send any messages back when this is done, as the
> sender most likely is not the real sender.

change the last word to read DISCARD, but in this case no one will know unless you read your logs and advise those poor souls that actually sent you a non-virus banned attachment. If you leave REJECT it might or might not warn the sender depending on the mta that was used for sending the mail.

> Could the standard MTA be set up to do something reasonable defaults
> in 9.2?

i believe the first is reasonable (double attach with discard), the
second is not that much reasonable.
putting DISCARD is EVIL, and should not be done.

if you really want to do virus filtering install amavisd-new and clamav
from contrib. amavisd will actually check for a virus and does not reply
to worms.

what should be done for the distro (a bit late for 9.2, but mandrakesoft
should think about next release) is adding a decent program (i'd call it
mailerdrake) to mcc that is used to configure postfix, amavisd,
spamassassin, cyrus (or courier, or dovecot).

regards,
L.

--
Luca Berra -- [EMAIL PROTECTED]
       Communication Media & Services S.r.l.
/"\
\ /     ASCII RIBBON CAMPAIGN
 X        AGAINST HTML MAIL
/ \
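
Added example, not part of the original message: a small Python harness that runs the two header_checks patterns from the post over constructed header lines, to show what each rule catches and where the second one over-blocks. The sample headers and the names `classify` and `run` are assumptions made for illustration; `re.IGNORECASE` stands in for the case-insensitive matching that Postfix regexp tables use by default.

```python
import re

# Extension list and prefix copied from the two header_checks lines in the post.
EXTS = (r"(asd|exe|bat|chm|com|cil|dll|hlp|hta|js|lnk|nws|ocx|pif|reg|scr"
        r"|sh[bs]|vb|vb[se]|ws[cfh]|msi)")
PREFIX = r'^Content-(Type|Disposition):.* (file)?name="?.*'

# Rule 1: double extension (readme.doc.pif). Rule 2: any listed extension.
DOUBLE_EXT = re.compile(PREFIX + r"\.[A-Za-z0-9]+\." + EXTS + r'"?', re.IGNORECASE)
ANY_EXEC = re.compile(PREFIX + r"\." + EXTS + r'"?', re.IGNORECASE)


def classify(header):
    """Report which of the two rules would fire on one logical header line."""
    return {
        "double_ext": bool(DOUBLE_EXT.search(header)),
        "any_exec": bool(ANY_EXEC.search(header)),
    }


# Constructed sample headers (not taken from real mail).
SAMPLES = [
    # Worm-style double extension: both rules fire.
    'Content-Disposition: attachment; filename="readme.doc.pif"',
    # Single executable extension, upper case, unquoted: only rule 2 fires.
    "Content-Type: application/octet-stream; name=SETUP.EXE",
    # Ordinary document: neither rule fires.
    'Content-Type: application/pdf; name="invoice.pdf"',
    # Neither pattern is anchored at the end of the name, so rule 2 also
    # fires on ".scr" inside ".scripts": a harmless file gets rejected.
    'Content-Type: text/plain; name="meeting.scripts.txt"',
    # Not a Content-Type/Content-Disposition header: ignored by both rules.
    "Subject: see attached setup.exe",
]


def run():
    """Classify every sample header and return (header, result) pairs."""
    return [(h, classify(h)) for h in SAMPLES]


if __name__ == "__main__":
    for header, result in run():
        print(f"{result['double_ext']!s:5} {result['any_exec']!s:5}  {header}")
```

On the mail server itself, `postmap -q "<header line>" regexp:/etc/postfix/header_checks` performs the same lookup against the installed table.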


