Can you install a virus scanner? Clam Anti-Virus is successfully blocking all of the virus-infected messages coming from this list on my MTA.

-- 
Alex Yamauchi
Access Innovations, Inc.
e-mail: [EMAIL PROTECTED]
phone: (505) 265-3591, ext. 144
fax: (505) 256-1080

> Hello, all - I found a way to bounce the virus-infected messages that
> have been hitting this list over the past week from within Postfix. It
> is actually a rather broad method - we're now blocking ALL messages
> that include UPX-compressed executable files.
>
> After noticing that a lot of virus and worm programs were listed as
> having been compressed with UPX, I searched GOOGLE in a vain attempt
> to find out what "signature" was common to UPX executables. No one
> listed one, so I resorted to using UPX on a variety of files and
> comparing them. I came up with three REGEXPs to do the job, but only
> the first two are really necessary.
>
> If you are taking advantage of Postfix's body expression filtering,
> add to your list one or both of the following (the first being the
> best, in my opinion, in light of the fact that Postfix only checks one
> line at a time):
>
> /^TV......................AAAAAAAAHAAAAA.............J9x6ptYCMyAUFAI7YB...$/i
> /^jsD986X8LoBsEhBz55KvrQ4O..................VQWCELAwMI....................$/i
>
> These match the first two lines of any UPX-compressed EXE file that
> has been MIME encoded. The /i is important; it forces Postfix to check
> in a CASE-SENSITIVE manner, to reduce false positives. You will, of
> course, have to add your own preferred actions to the lines; I have
> Postfix bounce the message with a "Possible infected binary rejected"
> response.
>
> This has NOT been tested extensively - while the REGEXP matched 100%
> of the UPX-compressed and 0% of the non-UPX-compressed files I tested,
> I only tested a dozen, so your results might vary. It's already
> bounced two messages from this list in the 24 hours I've had it
> online.
>
> --
> Jeff Brenton
> Vice President,
> Engineered Software Products, Inc
> http://espi.com
> Questionable web page: http://dididahdahdidit.com
>
> Liberalism grants you the freedom to advocate any idea*.
> * Please see http://www.dididahdahdidit.com/except.php for a
> current list of exceptions
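
Added example, not part of either post: a small Python harness that emulates how a Postfix regexp table applies the two rules above to a message body one line at a time, so the rules can be checked for hits and false positives before a REJECT action goes live. It uses Python's `re` in place of Postfix's own regexp engine; the helper names, the sample message and both sample inputs are constructed for illustration, and the "hit" line is derived from the rule itself rather than from a real UPX file.

```python
import base64
import re

# The two rules from the post; REJECT and its text follow the author's description.
BODY_CHECKS = """\
/^TV......................AAAAAAAAHAAAAA.............J9x6ptYCMyAUFAI7YB...$/i REJECT Possible infected binary rejected
/^jsD986X8LoBsEhBz55KvrQ4O..................VQWCELAwMI....................$/i REJECT Possible infected binary rejected
"""

def parse_table(text):
    """Parse '/pattern/flags ACTION' lines as a Postfix regexp table would."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/([a-z]*)\s+(.+)$", line)
        if m is None:
            raise ValueError(f"unparseable rule: {line!r}")
        pattern, flags, action = m.groups()
        # Postfix matches case-insensitively by default; 'i' toggles that off.
        rules.append((re.compile(pattern, 0 if "i" in flags else re.IGNORECASE), action))
    return rules

def check_body(raw_message, rules):
    """Return (body_line_number, action) for the first matching line, else None."""
    _headers, _, body = raw_message.partition("\n\n")
    for number, line in enumerate(body.splitlines(), 1):  # one line at a time
        for regex, action in rules:
            if regex.search(line):
                return number, action
    return None

def make_message(body_lines):
    """Constructed minimal message: two headers, a blank line, then the body."""
    return "Subject: test\nContent-Transfer-Encoding: base64\n\n" + "\n".join(body_lines) + "\n"

def samples(rules):
    """Constructed inputs: a line that satisfies rule 1 (wildcards filled with 'A',
    not a real UPX header) and the base64 of an arbitrary non-UPX 'MZ' blob."""
    hit = rules[0][0].pattern[1:-1].replace(".", "A")
    benign = base64.encodebytes(b"MZ" + bytes(range(70))).decode().splitlines()
    return hit, benign

if __name__ == "__main__":
    rules = parse_table(BODY_CHECKS)
    hit, benign = samples(rules)
    print(check_body(make_message(["AAAA", hit]), rules))   # rejected on body line 2
    print(check_body(make_message([hit.lower()]), rules))   # case differs: passes
    print(check_body(make_message(benign), rules))          # ordinary MZ header: passes
```

On a host with Postfix installed, the same check can be run against the real engine with `postmap -q - regexp:/path/to/body_checks < body.txt`, where both file names are placeholders.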
