Re: [Cooker] How can we stop the virus flooding
Buchan Milne wrote:
> But, it would probably be useful to have header_checks = regexp:/etc/postfix/header_checks enabled in the default postfix config, users who don't use it won't see the difference, and users who do will want it.

no time to check, but i think the file should be there, or postfix will give an error.

> It might also be an idea to supply good sample header_checks (ie header_checks_windows_executables or something).

yes, that could be a good idea.

> Also, how about including a transport in master.cf for amavisd-new, then %post of amavisd-new could postconf itself as a content_filter, and it would work out-the-box.

with amavis we should also split the cleanup service in two entries and create the backdoor smtp server, and i don't think those belong in the default config. (unless we decide to ship antivirus/antispam in the default config, which at this particular time could prove a good marketing move for mandrake).

regards,
L.
Re: [Cooker] How can we stop the virus flooding
On Monday 25 August 2003 05:50 pm, Guillaume Rousse wrote:
> Thus spoke Luca Berra:
>> what should be done for the distro (a bit late for 9.2, but mandrakesoft should think about the next release) is adding a decent program (i'd call it mailerdrake) to mcc that is used to configure postfix, amavisd, spamassassin, cyrus (or courier, or dovecot).
>
> Is it really a good idea to add wizards, GUIs and other newbie-oriented assistants for software such as mail servers, DNS, and other real stuff that has an impact on other computer users? I don't mind if Joe User sets up a web server through such click-o-magic without ever reading a manual, howto or anything related to network computing, because if he's wrong he will only trash his computer. But I don't want to get spammed just because the same Joe User decided he could play with a new toy he found in mcc and set up an open-relay SMTP...

Shouldn't be THAT big a deal to at least default so that it isn't an open relay. Most newbies won't change EVERYTHING all at once - they'll experiment by changing a few things to get set up. So make the default that it DOESN'T start unless enabled.. and if it IS enabled, it isn't an open relay. In the mean time, a properly written wizard might help a newbie learn what the settings mean and help him get features up and running that aren't available in windoze.

V.
Re: [Cooker] How can we stop the virus flooding
On Monday, 25 August 2003 22:20, Buchan Milne wrote:
> Keld Jørn Simonsen wrote:
>> How can you stop the virus flooding in cooker? I would like to just stop all mail with some selected set of attachments like .pif and .exe - how is this doable, and is it standard in the MTA?
>
> With header checks enabled in postfix (ie header_checks = regexp:/etc/postfix/header_checks in main.cf), something like this in the header checks file (in this case /etc/postfix/header_checks) should work (minimally tested, we had something similar in production, but this was fished off /. today):
>
> /^Content-(Type|Disposition):.*(file)?name=.*\.(asd|bat|chm|cmd|dll|exe|hlp|hta|jse|lnk|ocx|pif|scr|shb|shm|shs|vb|vbe|vbs|vbx|vxd|wsf|wsh)/ REJECT Sorry, we do not accept .${3} file types.
>
> (all on one line)

With postfix this is not header_checks but mime_header_checks.

>> Would be nice to announce 9.2 with the ability to just ignore viruses like this. And the MTA should not send any messages back when this is done, as the sender most likely is not the real sender.
>
> This just gives an SMTP error message, which may result in the sending SMTP client returning the mail.

But it's not good practice to return a good return code when not delivering mail, our users will ask why they send mail and it never arrives ...

>> And please, no mail to the root on the current mail system. I had a system with 500 MB for /var but it was filled up in less than a day with error messages on sobig.f to root.
>
> You should alias root to a real user, since postfix refuses to use procmail when delivering as root, and the default procmail setup will reject mail once 50MB is reached on the mail spool.

Btw: why does mandrake use procmail for local delivery? Most users don't use procmail (it is much too difficult to set up) and those who want to can use the .forward file. There is no need to start a second program to deliver.

>> Could the standard MTA be set up with some reasonable defaults in 9.2?
>
> IMHO, intrusive defaults (like a default header check) should only be done if there is a config tool which can modify them.

And, like the chroot stuff, there are many users who will be lost if they do a little change and nothing is working any more. And the body_* and header_check stuff can not be bypassed.

> Regards,
> Buchan (waiting for drakmailserver)

Martin
Re: [Cooker] How can we stop the virus flooding
On Wed, Aug 27, 2003 at 07:26:40AM +0200, Martin Fahrendorf wrote:
> On Monday, 25 August 2003 22:20, Buchan Milne wrote:
>> /^Content-(Type|Disposition):.*(file)?name=.*\.(asd|bat|chm|cmd|dll|exe|hlp|hta|jse|lnk|ocx|pif|scr|shb|shm|shs|vb|vbe|vbs|vbx|vxd|wsf|wsh)/ REJECT Sorry, we do not accept .${3} file types.
>>
>> (all on one line)
>
> With postfix this is not header_checks but mime_header_checks.

mime_header_checks defaults to $header_checks in postfix 2.0 and i still think it is useful to have all those checks in one place.

>> You should alias root to a real user, since postfix refuses to use procmail when delivering as root, and the default procmail setup will reject mail once 50MB is reached on the mail spool.
>
> Btw: why does mandrake use procmail for local delivery? Most users don't use procmail (it is much too difficult to set up) and those who want to can use the .forward file. There is no need to start a second program to deliver.

seconded, postfix local works well without that, probably better for Maildirs. And we could put a postconf command to enable/disable procmail in post/postun scripts in the procmail rpm.

We could also fix master.cf not to use the cyrus deliver program (which is just a wrapper around lmtp) since both postfix and cyrus speak lmtp natively.

> And, like the chroot stuff, there are many users who will be lost if they do a little change and nothing is working any more.

dunno 'bout the chroot: it is well documented and if users do changes when they have no clue they will get it wrong with or without chroot.

> And the body_* and header_check stuff can not be bypassed.

what do you mean 'can not be bypassed', postconf is your friend.

regards,
L.
Re: [Cooker] How can we stop the virus flooding
On Wednesday, 27 August 2003 08:09, Luca Berra wrote:
> On Wed, Aug 27, 2003 at 07:26:40AM +0200, Martin Fahrendorf wrote:
>> On Monday, 25 August 2003 22:20, Buchan Milne wrote:
>>> /^Content-(Type|Disposition):.*(file)?name=.*\.(asd|bat|chm|cmd|dll|exe|hlp|hta|jse|lnk|ocx|pif|scr|shb|shm|shs|vb|vbe|vbs|vbx|vxd|wsf|wsh)/ REJECT Sorry, we do not accept .${3} file types.
>>>
>>> (all on one line)
>>
>> With postfix this is not header_checks but mime_header_checks.
>
> mime_header_checks defaults to $header_checks in postfix 2.0 and i still think it is useful to have all those checks in one place.

Yep, that's right. I have header and mime_header in different files.

...

>> And, like the chroot stuff, there are many users who will be lost if they do a little change and nothing is working any more.
>
> dunno 'bout the chroot: it is well documented and if users do changes when they have no clue they will get it wrong with or without chroot.

Yeah, it is well documented; but how many people do you know who read documentation? They claim that this and that is not self-explaining and lament about the missing function (I have read the postfix mailing list for about four years and it is full of "this and that does not work" -- the answer often is: disable chroot). I can handle the chroot stuff very well, but I know (almost) how it works.

>> And the body_* and header_check stuff can not be bypassed.
>
> what do you mean 'can not be bypassed', postconf is your friend.

You can not define a user x for which postfix does not use the check_* stuff. You can enable it for every user or not. That is what I mean by bypass.

> regards,
> L.

Martin
Re: [Cooker] How can we stop the virus flooding
On Wed, Aug 27, 2003 at 09:29:20AM +0200, Martin Fahrendorf wrote:
>>> And the body_* and header_check stuff can not be bypassed.
>>
>> what do you mean 'can not be bypassed', postconf is your friend.
>
> You can not define a user x for which postfix does not use the check_* stuff. You can enable it for every user or not. That is what I mean by bypass.

well, you could probably with if constructs, but i believe these things are better done with amavisd-new, which supports per user sql-based or ldap-based rules.

regards,
L.
Re: [Cooker] How can we stop the virus flooding
On Wednesday, 27 August 2003 10:00, Luca Berra wrote:
> On Wed, Aug 27, 2003 at 09:29:20AM +0200, Martin Fahrendorf wrote:
>>>> And the body_* and header_check stuff can not be bypassed.
>>>
>>> what do you mean 'can not be bypassed', postconf is your friend.
>>
>> You can not define a user x for which postfix does not use the check_* stuff. You can enable it for every user or not. That is what I mean by bypass.
>
> well, you could probably with if constructs,

No, you cannot.

> but i believe these things are better done with amavisd-new, which supports per user sql-based or ldap-based rules.

Amavisd-new with the current stable postfix does not support reject at postfix-level. In the test release there is a proxy system which holds the connection open until the mail is delivered. So an amavisd-new rejection is passed back to postfix and postfix rejects the mail too.

> regards,
> L.

Martin
Re: [Cooker] How can we stop the virus flooding
Luca Berra wrote:
> On Wed, Aug 27, 2003 at 07:26:40AM +0200, Martin Fahrendorf wrote:
>> On Monday, 25 August 2003 22:20, Buchan Milne wrote:
>>> /^Content-(Type|Disposition):.*(file)?name=.*\.(asd|bat|chm|cmd|dll|exe|hlp|hta|jse|lnk|ocx|pif|scr|shb|shm|shs|vb|vbe|vbs|vbx|vxd|wsf|wsh)/ REJECT Sorry, we do not accept .${3} file types.
>>>
>>> (all on one line)
>>
>> With postfix this is not header_checks but mime_header_checks.
>
> mime_header_checks defaults to $header_checks in postfix 2.0 and i still think it is useful to have all those checks in one place.

But, it would probably be useful to have header_checks = regexp:/etc/postfix/header_checks enabled in the default postfix config, users who don't use it won't see the difference, and users who do will want it.

It might also be an idea to supply good sample header_checks (ie header_checks_windows_executables or something).

>>> You should alias root to a real user, since postfix refuses to use procmail when delivering as root, and the default procmail setup will reject mail once 50MB is reached on the mail spool.
>>
>> Btw: why does mandrake use procmail for local delivery? Most users don't use procmail (it is much too difficult to set up) and those who want to can use the .forward file. There is no need to start a second program to deliver.
>
> seconded, postfix local works well without that, probably better for Maildirs. And we could put a postconf command to enable/disable procmail in post/postun scripts in the procmail rpm.
>
> We could also fix master.cf not to use the cyrus deliver program (which is just a wrapper around lmtp) since both postfix and cyrus speak lmtp natively.

Agreed, or if gc doesn't want to mess with the postfix config for packages in contrib, at least remove the cyrus transport.

Also, how about including a transport in master.cf for amavisd-new, then %post of amavisd-new could postconf itself as a content_filter, and it would work out-the-box.

Regards,
Buchan
Re: [Cooker] How can we stop the virus flooding
Keld Jørn Simonsen wrote:
> On Mon, Aug 25, 2003 at 11:29:10PM +0200, Buchan Milne wrote:
>
> Yes, I just got 500 emails today with the sobig.f virus, on a normal client system, just for me, and then another 500 messages for me telling me that I have sent viruses to them, or email lists that I administer have sent email viruses to them. And I have to investigate much of this because I am moderating a number of lists and furthermore I pretend to be on holidays... :-(
>
> I would like if I could at least prevent the stupid messages that I have sent viruses, when this is forged.

These are commercial, proprietary, expensive anti-virus filters, which do bad things by default (I am not sure if they can be configured any better). amavis-ng/amavisd-new for example does the right thing, never replying to the sender of an infected mail.

> And I am not the only one in this mess. It is frontpage news on every newspaper here in Denmark. They say that about 1 out of 3 emails are sobig.f on a number of big installations here.
>
> Would be nice if my POP3 connection could filter it away. Would also improve my bandwidth. So I am mostly looking for a solution for POP3 kind of users - the novice users that Mandrake usually make their defaults for.
>
> How can I filter it for POP3 (I use it via fetchmail)?

Ideally before you run fetchmail, there are some pre-downloading POP3 deleters (savemymodem?), but I haven't used them.

Regards,
Buchan
Re: [Cooker] How can we stop the virus flooding
Guillaume Rousse wrote:
> Thus spoke Luca Berra:
>> what should be done for the distro (a bit late for 9.2, but mandrakesoft should think about the next release) is adding a decent program (i'd call it mailerdrake) to mcc that is used to configure postfix, amavisd, spamassassin, cyrus (or courier, or dovecot).
>
> Is it really a good idea to add wizards, GUIs and other newbie-oriented assistants for software such as mail servers, DNS, and other real stuff that has an impact on other computer users? I don't mind if Joe User sets up a web server through such click-o-magic without ever reading a manual, howto or anything related to network computing, because if he's wrong he will only trash his computer. But I don't want to get spammed just because the same Joe User decided he could play with a new toy he found in mcc and set up an open-relay SMTP...

Hmm, better to leave him to hack on main.cf without knowing anything, and deciding to set mynetworks = 0.0.0.0/32 because it's easier?

No, good config tools make it easy to do the right thing, instead of editing config files where it's easy to do anything (right or wrong). The point of the tool would be to prevent a user making an open-relay by cluelessness.

Regards,
Buchan
Re: [Cooker] How can we stop the virus flooding
On Mon Aug 25 23:50 +0200, Guillaume Rousse wrote:
> I don't mind if Joe User sets up a web server through such click-o-magic without ever reading a manual, howto or anything related to network computing, because if he's wrong he will only trash his computer. But I don't want to get spammed just because the same Joe User decided he could play with a new toy he found in mcc and set up an open-relay SMTP...

Don't include an option to allow it to open relay in mcc.

--
Levi Ramsey
Re: [Cooker] How can we stop the virus flooding
Thus spoke Buchan Milne:
> Guillaume Rousse wrote:
>> Thus spoke Luca Berra:
>>> what should be done for the distro (a bit late for 9.2, but mandrakesoft should think about the next release) is adding a decent program (i'd call it mailerdrake) to mcc that is used to configure postfix, amavisd, spamassassin, cyrus (or courier, or dovecot).
>>
>> Is it really a good idea to add wizards, GUIs and other newbie-oriented assistants for software such as mail servers, DNS, and other real stuff that has an impact on other computer users? I don't mind if Joe User sets up a web server through such click-o-magic without ever reading a manual, howto or anything related to network computing, because if he's wrong he will only trash his computer. But I don't want to get spammed just because the same Joe User decided he could play with a new toy he found in mcc and set up an open-relay SMTP...
>
> Hmm, better to leave him to hack on main.cf without knowing anything, and deciding to set mynetworks = 0.0.0.0/32 because it's easier?

I think this is not exactly the same situation. He has to download the package first, find the configuration file, then edit it. Three steps that you don't have with "oh, look at this new bright icon in the shiny mdk center". Moreover, I was just speaking about people not realizing what they were doing, not people voluntarily doing something wrong. When you face a long config file, with a lot of complex options you don't understand, you have far better chances to realize you're putting your feet on dangerous ground than when facing three cool icons in some wizard.

> No, good config tools make it easy to do the right thing, instead of editing config files where it's easy to do anything (right or wrong).

I don't think wizards, such as the ones included in mcc, have any educational value. I'm not speaking about graphical configuration tools in general, but specifically about applications targeted at beginners. They tend to comfort people in an assisted position, rather than lead them to autonomy.

> The point of the tool would be to prevent a user making an open-relay by cluelessness.

Better provide user-friendly documentation to the beginner, explaining to him:
1) he doesn't need such a server, unless he knows why
2) there are some concepts he has to understand first

What you are proposing here is to distribute guns to everyone, arguing that the security is set.

--
Guillaume Rousse
Re: [Cooker] How can we stop the virus flooding
Thus spoke Keld Jørn Simonsen:
> On Mon, Aug 25, 2003 at 10:13:18PM +0200, Guillaume Rousse wrote:
>> Thus spoke Keld Jørn Simonsen:
>>> How can you stop the virus flooding in cooker?
>>> And the MTA should not send any messages back when this is done, as the sender most likely is not the real sender.
>>
>> the REJECT directive here just sends the mail back to the real sender during the SMTP transaction, which is the virus here.
>
> Hmm, has the virus implemented its own MTA? I know too little on the implementation of current sobig.f.

All current worms/viruses do it, to ensure the mail is properly sent. Otherwise, the mail gateway could reject the mail as the faked sender doesn't belong to the domain.

--
Guillaume Rousse
Re: [Cooker] How can we stop the virus flooding
On Mon, Aug 25, 2003 at 11:50:43PM +0200, Guillaume Rousse wrote:
> Thus spoke Luca Berra:
>> what should be done for the distro (a bit late for 9.2, but mandrakesoft should think about the next release) is adding a decent program (i'd call it mailerdrake) to mcc that is used to configure postfix, amavisd, spamassassin, cyrus (or courier, or dovecot).
>
> Is it really a good idea to add wizards, GUIs and other newbie-oriented assistants for software such as mail servers, DNS, and other real stuff that has an impact on other computer users?

Well, it depends on what the tool allows the luser to do. I don't think it is possible to build a working setup for everyone, but a tool that can create a working setup based on user input would help a lot.

If we don't provide an easy way to set it up the luser is just going to google for a badly written HOWTO and will follow it blindly, creating a mess anyway.

If the tool makes it easy to configure SMTP auth we would have fewer open relays around.

Then if the user asks for antivirus or antispam the tool could seamlessly add amavisd/clamav/spamassassin.

Then if we have cyrus and maybe our user database is in ldap, a tool that would allow me to configure a user, both as a system user and as a mailbox, with aliases in one single place would be welcomed by most experienced admins. Doing this without tools at the moment is only a PITA. And m$ exchange admins would be right if they were laughing at us.

And if the tool is well designed the user should find it very difficult to create an open relay.

regards,
L.
Re: [Cooker] How can we stop the virus flooding
On Tue, 26 Aug 2003 03:40, Keld Jørn Simonsen wrote:
> And please, no mail to the root on the current mail system. I had a system with 500 MB for /var but it was filled up in less than a day with error messages on sobig.f to root.

One university in the 'states fielded 80GB of viruses in student email in one day. Makes one wonder what the traffic for the entire uni was.

Cheers;
Leon
RE: [Cooker] How can we stop the virus flooding
> On Mon, Aug 25, 2003 at 11:50:43PM +0200, Guillaume Rousse wrote:
>> Thus spoke Luca Berra:
>>> what should be done for the distro (a bit late for 9.2, but mandrakesoft should think about the next release) is adding a decent program (i'd call it mailerdrake) to mcc that is used to configure postfix, amavisd, spamassassin, cyrus (or courier, or dovecot).
>>
>> Is it really a good idea to add wizards, GUIs and other newbie-oriented assistants for software such as mail servers, DNS, and other real stuff that has an impact on other computer users?
>
> Well, it depends on what the tool allows the luser to do. I don't think it is possible to build a working setup for everyone, but a tool that can create a working setup based on user input would help a lot.
>
> If we don't provide an easy way to set it up the luser is just going to google for a badly written HOWTO and will follow it blindly, creating a mess anyway.
>
> If the tool makes it easy to configure SMTP auth we would have fewer open relays around.
>
> Then if the user asks for antivirus or antispam the tool could seamlessly add amavisd/clamav/spamassassin.
>
> Then if we have cyrus and maybe our user database is in ldap, a tool that would allow me to configure a user, both as a system user and as a mailbox, with aliases in one single place would be welcomed by most experienced admins. Doing this without tools at the moment is only a PITA. And m$ exchange admins would be right if they were laughing at us.
>
> And if the tool is well designed the user should find it very difficult to create an open relay.

I think this tool would be great. It would be nice if it worked with libconf. This is something I would use, but I don't like it if all my settings made by hand are lost. This is one of the big issues I have with MNF at this stage.

Jan
Re: [Cooker] How can we stop the virus flooding
On Monday 25 August 2003 23:29, Buchan Milne wrote:
> Guillaume Rousse wrote:
>>> And the MTA should not send any messages back when this is done, as the sender most likely is not the real sender.
>>
>> the REJECT directive here just sends the mail back to the real sender during the SMTP transaction, which is the virus here.
>
> Only when the client is sobig.f itself, if the client is another SMTP server's client daemon, the user listed in From will get a message from the client daemon :-(.

False (not true). When the mail is rejected, the MTA doesn't send back the mail. It's up to the other MTA to implement an action to send back the mail to the return-path. And sobig-f cannot do that itself (it has its own minimalist MTA). So, using reject doesn't send a mailer-daemon message in this case. (if you use a two stage MX, you'll have to drop the mail on the first MX.)

But you will find *a lot* of filters/antivirus/etc which will detect the virus and send a notice back to the return-path. and *this* is annoying.

Emmanuel
Re: [Cooker] How can we stop the virus flooding
MM,

It's not only in Denmark a problem. I am overwhelmed by the Myleen virus (Belgium). All my friends, even my boss, receive infected mails from me. If I look at the sent mails, the text written in them was written sometimes two years ago. My e-mail address is changed. Anyway, I suppose the virus is on the server of my ISP, working from there. Also my McAfee-secured Hotmail account was infected.

I took precaution and made in my e-mail client (I use Evolution under Gnome) a user AAAOOO without e-mail address. Thus far, my PC did not send any messages (although this is crazy, it is Linux, not Windows). I tried, as you see, everything, as I am bored with viruses too.

I use firestarter as firewall, as I do not succeed in making Shorewall work. It's all or nothing with that one. Firestarter however does a nice job...

Blessings,
Toran
[Cooker] How can we stop the virus flooding
How can you stop the virus flooding in cooker?

I would like to just stop all mail with some selected set of attachments like .pif and .exe - how is this doable, and is it standard in the MTA?

Would be nice to announce 9.2 with the ability to just ignore viruses like this. And the MTA should not send any messages back when this is done, as the sender most likely is not the real sender.

And please, no mail to the root on the current mail system. I had a system with 500 MB for /var but it was filled up in less than a day with error messages on sobig.f to root.

Could the standard MTA be set up with some reasonable defaults in 9.2?

Best regards
keld
Re: [Cooker] How can we stop the virus flooding
Keld Jørn Simonsen wrote:
> How can you stop the virus flooding in cooker? I would like to just stop all mail with some selected set of attachments like .pif and .exe - how is this doable, and is it standard in the MTA?

With header checks enabled in postfix (ie header_checks = regexp:/etc/postfix/header_checks in main.cf), something like this in the header checks file (in this case /etc/postfix/header_checks) should work (minimally tested, we had something similar in production, but this was fished off /. today):

/^Content-(Type|Disposition):.*(file)?name=.*\.(asd|bat|chm|cmd|dll|exe|hlp|hta|jse|lnk|ocx|pif|scr|shb|shm|shs|vb|vbe|vbs|vbx|vxd|wsf|wsh)/ REJECT Sorry, we do not accept .${3} file types.

(all on one line)

> Would be nice to announce 9.2 with the ability to just ignore viruses like this. And the MTA should not send any messages back when this is done, as the sender most likely is not the real sender.

This just gives an SMTP error message, which may result in the sending SMTP client returning the mail.

> And please, no mail to the root on the current mail system. I had a system with 500 MB for /var but it was filled up in less than a day with error messages on sobig.f to root.

You should alias root to a real user, since postfix refuses to use procmail when delivering as root, and the default procmail setup will reject mail once 50MB is reached on the mail spool.

> Could the standard MTA be set up with some reasonable defaults in 9.2?

IMHO, intrusive defaults (like a default header check) should only be done if there is a config tool which can modify them.

Regards,
Buchan (waiting for drakmailserver)
Re: [Cooker] How can we stop the virus flooding
Thus spoke Keld Jørn Simonsen:
> How can you stop the virus flooding in cooker? I would like to just stop all mail with some selected set of attachments like .pif and .exe - how is this doable, and is it standard in the MTA?

for postfix, use the body_checks directive in /etc/postfix/main.cf:

body_checks = regexp:/etc/postfix/body_checks

and in /etc/postfix/body_checks:

/^TVqQAAME\/\/8AALgAQAAA$/ REJECT sobig.f

> Would be nice to announce 9.2 with the ability to just ignore viruses like this.

We are talking of a mail server there, aka stuff supposed to be used by competent people only. I don't see the point of providing them a default configuration that won't match their needs.

> And the MTA should not send any messages back when this is done, as the sender most likely is not the real sender.

the REJECT directive here just sends the mail back to the real sender during the SMTP transaction, which is the virus here.

--
Guillaume Rousse
Re: [Cooker] How can we stop the virus flooding
Guillaume Rousse wrote:
>> And the MTA should not send any messages back when this is done, as the sender most likely is not the real sender.
>
> the REJECT directive here just sends the mail back to the real sender during the SMTP transaction, which is the virus here.

Only when the client is sobig.f itself, if the client is another SMTP server's client daemon, the user listed in From will get a message from the client daemon :-(.

Regards,
Buchan
Re: [Cooker] How can we stop the virus flooding
On Mon, Aug 25, 2003 at 09:40:28PM +0200, Keld Jørn Simonsen wrote:
> How can you stop the virus flooding in cooker? I would like to just
> stop all mail with some selected set of attachments like .pif and
> .exe - how is this doable, and is it standard in the MTA?
> Would be nice to announce 9.2 with the ability to just ignore virus
> like this.
this is easy to do:
(i assume you have postfix 2.0 or greater)
create the file /etc/postfix/header_checks containing one of these lines

/^Content-(Type|Disposition):.* (file)?name=?.*\.[A-Za-z0-9]+\.(asd|exe|bat|chm|com|cil|dll|hlp|hta|js|lnk|nws|ocx|pif|reg|scr|sh[bs]|vb|vb[se]|ws[cfh]|msi)/ REJECT

/^Content-(Type|Disposition):.* (file)?name=?.*\.(asd|exe|bat|chm|com|cil|dll|hlp|hta|js|lnk|nws|ocx|pif|reg|scr|sh[bs]|vb|vb[se]|ws[cfh]|msi)/ REJECT

the first blocks attachments with double extension a la readme.doc.pif
the second blocks executable attachments

then at the root prompt issue the command

postconf -e 'header_checks = regexp:/etc/postfix/header_checks'

> And the MTA should not send any messages back when this is done, as
> the sender most likely is not the real sender.
change the last word to read DISCARD, but in this case no one will know unless you read your logs and advise those poor souls that actually sent you a non-virus banned attachment.
If you leave REJECT it might or might not warn the sender depending on the MTA that was used for sending the mail.

> Could the standard MTA be set up to do some reasonable defaults in 9.2?
i believe the first is reasonable (double attach with discard), the second is not that much reasonable.
putting DISCARD is EVIL, and should not be done.
if you really want to do virus filtering install amavisd-new and clamav from contrib. amavisd will actually check for a virus and does not reply to worms.

what should be done for the distro (a bit late for 9.2, but mandrakesoft should think about next release) is adding a decent program (i'd call it mailerdrake) to mcc that is used to configure postfix, amavisd, spamassassin, cyrus (or courier, or dovecot).

regards,
L.

-- 
Luca Berra -- [EMAIL PROTECTED]
Communication Media Services S.r.l.
 /"\
 \ /     ASCII RIBBON CAMPAIGN
  X        AGAINST HTML MAIL
 / \
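As an added example (not code from the thread, and not Postfix itself), the following Python script emulates how Postfix applies a header_checks regexp table to one logical header line: the first matching rule wins, the pattern is searched for rather than matched against the whole line, and matching is case-insensitive by default. It runs Luca's two patterns over a few constructed headers and also shows what happens when a stray `?` is left after the extension group: the group becomes optional, so any attachment whose name merely contains a dot is rejected. The table text, the sample headers, the rule texts after REJECT and the simplified SMTP replies are all assumptions made for this illustration; the table parser handles only the `/pattern/ ACTION text` form and no flags.

```python
"""Emulate Postfix header_checks regexp-table matching on constructed headers.

Added example for illustration only; it is not the thread's code and not
Postfix. Postfix hands header_checks the text of each logical header
(continuation lines already joined), tries rules in file order, stops at
the first match, and matches case-insensitively unless a flag says
otherwise. That behaviour is reproduced here in miniature.
"""
import re

# Executable-ish extensions, taken from the patterns posted in the thread.
EXT = (r"(asd|exe|bat|chm|com|cil|dll|hlp|hta|js|lnk|nws|ocx|pif|reg|scr"
       r"|sh[bs]|vb|vb[se]|ws[cfh]|msi)")

# Constructed regexp table in Postfix "/pattern/ ACTION optional text" form.
# Rule 1: double extension such as readme.doc.pif.  Rule 2: bare executable.
HEADER_CHECKS_TABLE = "\n".join([
    r"/^Content-(Type|Disposition):.* (file)?name=?.*\.[A-Za-z0-9]+\." + EXT
    + "/ REJECT double extension",
    r"/^Content-(Type|Disposition):.* (file)?name=?.*\." + EXT
    + "/ REJECT executable attachment",
])

# Same executable rule with a trailing '?' after the extension group: the
# whole group is now optional, so ".*\." alone decides the match.
SLOPPY_TABLE = (r"/^Content-(Type|Disposition):.* (file)?name=?.*\." + EXT
                + "?/ REJECT executable attachment")

# "/pattern/ ACTION text": backslash escapes allowed inside the pattern.
TABLE_LINE = re.compile(
    r"^/(?P<pattern>(?:\\.|[^/\\])*)/\s+(?P<action>\S+)(?:\s+(?P<text>.*))?$")


def parse_table(text):
    """Turn table lines into (compiled regex, ACTION, text) triples, in order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = TABLE_LINE.match(line)
        if not m:
            raise ValueError("bad regexp table line: " + line)
        # Postfix default: case-insensitive matching.
        regex = re.compile(m.group("pattern"), re.IGNORECASE)
        rules.append((regex, m.group("action").upper(), m.group("text")))
    return rules


def check_header(rules, header_line):
    """Return (ACTION, text) of the first rule whose pattern occurs in the
    header line, or ('OK', None) when nothing matches (message passes)."""
    for regex, action, text in rules:
        if regex.search(header_line):
            return action, text
    return "OK", None


def smtp_reply(action):
    """Simplified end-of-DATA reply for an action.  REJECT is a 5xx inside the
    SMTP transaction, so a relaying MTA will bounce to the (forged) envelope
    sender; DISCARD and OK both answer 250, DISCARD then drops the message."""
    if action == "REJECT":
        return "550 5.7.1 message content rejected"
    return "250 2.0.0 Ok"


# Constructed sample headers (not captured from real mail).
SAMPLE_HEADERS = {
    "worm": 'Content-Disposition: attachment; filename="your_details.pif"',
    "double": 'Content-Type: application/octet-stream; name="readme.doc.pif"',
    "upper": 'Content-Disposition: attachment; filename="MOVIE.SCR"',
    "document": 'Content-Type: application/msword; name="quarterly.report.doc"',
    "plain": "Content-Type: text/plain; charset=us-ascii",
}


def run(table_text, headers=SAMPLE_HEADERS):
    """Apply a table to every sample header; returns {name: ACTION}."""
    rules = parse_table(table_text)
    return {name: check_header(rules, line)[0] for name, line in headers.items()}


if __name__ == "__main__":
    for label, table in (("posted rules", HEADER_CHECKS_TABLE),
                         ("stray '?' rule", SLOPPY_TABLE)):
        print(label)
        rules = parse_table(table)
        for name, line in SAMPLE_HEADERS.items():
            action, text = check_header(rules, line)
            print(f"  {name:9s} {action:7s} {smtp_reply(action):35s} {text or ''}")
```

With the posted rules only the .pif, .doc.pif and .SCR samples are rejected; the .doc attachment and the text/plain part pass. With the stray `?`, the .doc attachment is rejected too, which is the kind of false positive Luca's "advise those poor souls" remark is about, and is why DISCARD on a loose pattern is dangerous: nobody is told.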
Re: [Cooker] How can we stop the virus flooding
On Mon, Aug 25, 2003 at 10:13:18PM +0200, Guillaume Rousse wrote:
> Thus spoke Keld Jørn Simonsen:
> > How can you stop the virus flooding in cooker? I would like to just
> > stop all mail with some selected set of attachments like .pif and
> > .exe - how is this doable, and is it standard in the MTA?
> for postfix, use the body_checks directive in /etc/postfix/main.cf
> body_checks = regexp:/etc/postfix/body_checks
> in /etc/postfix/body_checks
> /^TVqQAAME\/\/8AALgAQAAA$/ REJECT sobig.f
>
> > Would be nice to announce 9.2 with the ability to just ignore virus
> > like this.
> We are talking of a mail server there, aka stuff supposed to be used by
> competent people only. I don't see the point of providing them default
> configuration that won't match their needs.
Well, people are more or less competent. I have been running MTAs under Unix/Linux for more than 20 years, and I have tweaked sendmail rules and hacked sendmail a number of times, but I did not know how to tweak postfix to handle sobig.f in a proper way. Better put our collective wisdom down into our defaults.

Anyway, I would also like to know how to handle things like sobig.f and all of the associated error mail in a reasonable way for POP/IMAP clients.

> > And the MTA should not send any messages back when this is done, as
> > the sender most likely is not the real sender.
> the REJECT directive here just sends the mail back to the real sender
> during the SMTP transaction, which is the virus here.
Sounds sensible enough.

Best regards
Keld
Re: [Cooker] How can we stop the virus flooding
Thus spoke Buchan Milne:
> Guillaume Rousse wrote:
> > > And the MTA should not send any messages back when this is done, as
> > > the sender most likely is not the real sender.
> > the REJECT directive here just sends the mail back to the real sender
> > during the SMTP transaction, which is the virus here.
> Only when the client is sobig.f itself; if the client is another SMTP
> server's client daemon, the user listed in From will get a message from
> the client daemon :-(.
the virus usually directly sends the mail to its target mailserver. The only relaying would be between primary mail server and secondary mail server in the victim domain, right ? Anyway, it is safer to use DISCARD then.

-- 
Guillaume Rousse
Fools rush in where fools have been before -- Sad Truths of Life n°22
Re: [Cooker] How can we stop the virus flooding
On Mon, Aug 25, 2003 at 11:29:10PM +0200, Buchan Milne wrote:
> Guillaume Rousse wrote:
> > > And the MTA should not send any messages back when this is done, as
> > > the sender most likely is not the real sender.
> > the REJECT directive here just sends the mail back to the real sender
> > during the SMTP transaction, which is the virus here.
> Only when the client is sobig.f itself; if the client is another SMTP
> server's client daemon, the user listed in From will get a message from
> the client daemon :-(.
Yes, I just got 500 emails today with the sobig.f virus, on a normal client system, just for me, and then another 500 messages for me telling me that I have sent viruses to them, or that email lists I administer have sent email viruses to them. And I have to investigate much of this because I am moderating a number of lists, and furthermore I pretend to be on holidays... :-(

I would like if I could at least prevent the stupid messages that I have sent viruses, when this is forged. And I am not the only one in this mess. It is frontpage news on every newspaper here in Denmark. They say that about 1 out of 3 emails are sobig.f on a number of big installations here.

Would be nice if my POP3 connection could filter it away. Would also improve my bandwidth. So I am mostly looking for a solution for POP3 kind of users - rather than the novice users that Mandrake usually makes their defaults for. How can I filter it for POP3 (I use it via fetchmail)?

keld
Re: [Cooker] How can we stop the virus flooding
On Mon, Aug 25, 2003 at 10:13:18PM +0200, Guillaume Rousse wrote:
> Thus spoke Keld Jørn Simonsen:
> > How can you stop the virus flooding in cooker?
> > And the MTA should not send any messages back when this is done, as
> > the sender most likely is not the real sender.
> the REJECT directive here just sends the mail back to the real sender
> during the SMTP transaction, which is the virus here.
Hmm, has the virus implemented its own MTA? I know too little about the implementation of the current sobig.f. But it is conceivable that it just uses the MTA of the client system. If so, it is the normal error handling of the client system's MTA that then prevails, and it will then send an error message back to the forged sender address. Or the virus has an error handling that just sends the error message to the originator, which it has forged too. The latter could generate some error mail loops...

Well, I am not sure what to do. Let some people cleverer than me figure it out. Anyway the current situation with sobig.f is unbearable. Any ideas on a good way to handle sobig.f?

Best regards
keld
Re: [Cooker] How can we stop the virus flooding
Thus spoke Luca Berra:
> what should be done for the distro (a bit late for 9.2, but mandrakesoft
> should think about next release) is adding a decent program (i'd call it
> mailerdrake) to mcc that is used to configure postfix, amavisd,
> spamassassin, cyrus (or courier, or dovecot).
Is this really a good idea to add wizards, GUIs and other newbie-oriented assistants for software such as mail servers, DNS, and other real stuff that has an impact on other computer users ? I don't mind if Joe User sets up a web server through such a click-o-magic without ever reading a manual, howto or anything related to network computing, because if he's wrong he will only trash his computer. But I don't want to get spammed just because the same Joe User decided he could play with a new toy he found in mcc and set up an open-relay SMTP...

-- 
Guillaume Rousse
Clipper blades will become dull only when the horse is half finished -- Murphy's Horse Laws n°7