Re: bypassing Sirc32

2001-08-17 Thread Craig Sanders

On Fri, Aug 17, 2001 at 09:53:29AM -0300, Jordi S . Bunster wrote:
> I don't know about you guys, but here in third world countries Sircam
> is still making a lot of trouble. We have amavis running here on this
> soon to become postfix sendmail server, so we block those messages
> from/to our customers.
>
> But, still, that makes a lot of load here. Can I, through a sendmail
> and/or procmail rule, simply send those messages to /dev/null as soon
> as they arrive? Has anyone done something similar? Would that reduce
> the load?

all of the ones i've seen have an invalid Content-Disposition header.

try this in your postfix header_checks:

/^Content-Disposition: Multipart message/i  REJECT

"Multipart message" is an invalid Content-Disposition.  it will never appear
in a legitimate email.


another (better, imo) option is to block all windows executable
attachments with a body_checks rule:

/^(Content-Disposition: attachment;.*| Content-Type:.*|(\t| )+)(file)?name="?.*\.(lnk|hta|com|pif|vbs|vbe|js|jse|exe|bat|cmd|vxd|scr|shm)"?$/   REJECT


this will block all outlook/windows viruses, not just sircam. at least,
until microsoft invent a new security hole feature for their customers'
convenience.



i haven't done any benchmarking or timing on it but it is probably
better to have both rules. the earlier you reject a message, the better.
because there are fewer headers than body lines, a header_check is less
load on the system than a body_check (remember, each header_check rule
has to be matched against every line of the headers, and each body_check
rule has to be matched against every line of the body)

craig

-- 
craig sanders <[EMAIL PROTECTED]>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
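The two Postfix rules above, and the load argument behind them, as an added example (not Craig's code and not Postfix itself): a small Python emulation that runs the posted header_checks and body_checks patterns line by line over a constructed Sircam-like message and a constructed clean message, and counts how many regex evaluations each table needs before it decides. The two sample messages are made up for the example; the emulation stops at the first matching rule, which is what the argument assumes, not a model of the cleanup daemon's internals. One caveat for anyone using the body rule today: from Postfix 2.0 on, the Content-Disposition lines of attachments are fed to mime_header_checks rather than body_checks, so the attachment pattern belongs there on a modern install.

```python
import re

# Postfix pcre-table rules as posted above.  Postfix matches every rule of a
# table against every line of the section it covers; pcre tables match
# case-insensitively unless told otherwise, hence re.I on both patterns.
HEADER_CHECKS = [
    (re.compile(r"^Content-Disposition: Multipart message", re.I), "REJECT"),
]
BODY_CHECKS = [
    (re.compile(
        r'^(Content-Disposition: attachment;.*| Content-Type:.*|(\t| )+)'
        r'(file)?name="?.*\.(lnk|hta|com|pif|vbs|vbe|js|jse|exe|bat|cmd|vxd|scr|shm)"?$',
        re.I), "REJECT"),
]

# Constructed sample resembling what the thread describes (not a real capture):
# the invalid top-level Content-Disposition plus a .pif attachment in the body.
SIRCAM_LIKE = """\
From: someone@example.invalid
To: victim@example.invalid
Subject: document
Content-Type: multipart/mixed; boundary="XYZ"
Content-Disposition: Multipart message

--XYZ
Content-Type: text/plain

Hi! How are you?
I send you this file in order to have your advice

--XYZ
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="document.doc.pif"

TVqQAAMAAAAEAAAA
--XYZ--
"""

# Constructed legitimate message with a PDF attachment, used as the control.
CLEAN = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: minutes
Content-Type: multipart/mixed; boundary="ABC"

--ABC
Content-Type: text/plain

Minutes attached.

--ABC
Content-Type: application/pdf
Content-Disposition: attachment; filename="minutes.pdf"

JVBERi0xLjQK
--ABC--
"""


def split_message(raw):
    """RFC 822: headers run up to the first blank line, the rest is the body."""
    headers, _, body = raw.partition("\n\n")
    return headers.splitlines(), body.splitlines()


def run_table(rules, lines):
    """Emulate one check table.  Returns (action, matched_line, evaluations);
    evaluations counts regex matches attempted before the table decided, which
    is the per-message cost Craig's load argument is about."""
    evaluations = 0
    for line in lines:
        for pattern, action in rules:
            evaluations += 1
            if pattern.search(line):
                return action, line, evaluations
    return "OK", None, evaluations


def check_message(raw, header_rules=HEADER_CHECKS, body_rules=BODY_CHECKS):
    """Run header_checks first and body_checks only if the headers passed."""
    headers, body = split_message(raw)
    action, line, cost = run_table(header_rules, headers)
    if action == "REJECT":
        return {"action": action, "stage": "header_checks",
                "line": line, "evaluations": cost}
    action, line, body_cost = run_table(body_rules, body)
    return {"action": action,
            "stage": "body_checks" if action == "REJECT" else None,
            "line": line, "evaluations": cost + body_cost}


if __name__ == "__main__":
    for name, raw in (("sircam-like", SIRCAM_LIKE), ("clean", CLEAN)):
        print(name, "both tables:   ", check_message(raw))
        print(name, "body_checks only:", check_message(raw, header_rules=[]))
```

On the constructed Sircam-like message the header rule rejects after 5 evaluations; with only the body rule in place the same message costs 9 evaluations before the attachment line is hit, and the clean message pays for every line of both sections (15 evaluations) because nothing matches. That is the whole of the "reject as early as you can" point, and it also shows the price of the header rule on legitimate mail: one extra match per header line.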




Re: bypassing Sirc32

2001-08-17 Thread Jeremy C. Reed

On Fri, 17 Aug 2001, Jordi S . Bunster wrote:

> But, still, that makes a lot of load here. Can I, through a sendmail
> and/or procmail rule, simply send those messages to /dev/null as soon
> as they arrive? Has anyone done something similar? Would that reduce
> the load?

I use exim's filter language to block it:

# The W32/Sircam virus is sending messages with lower case date: headers
# (The upper-case CONTAINS makes the string comparison case sensitive.)
if $message_headers CONTAINS "\ndate: " and
   $message_headers contains "_Outlook_Express_message_boundary"
then
   fail text "Suspect W32/Sircam virus message"
   seen finish
endif

If you don't want to reply (bounce) with a big message set the Exim
directive return_size_limit to the amount of bytes you will reply.

  Jeremy C. Reed
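The Exim filter above reduced to its two string tests, as an added example (not Jeremy's filter and not Exim): a Python emulation of the condition run against constructed header blocks, once with the case-sensitive CONTAINS the filter uses and once with the case-insensitive contains, to show why the capitalisation of the operator is the detection. The three header blocks are made up for the example; the boundary strings in them are illustrative, not captured from real mail.

```python
# In an Exim filter the upper-case operator CONTAINS compares case-
# sensitively and the lower-case contains does not.  Both variants are
# modelled here so the difference can be seen on the same input.

def contains(haystack, needle, case_sensitive):
    """Emulate Exim's CONTAINS (case_sensitive=True) / contains (False)."""
    if case_sensitive:
        return needle in haystack
    return needle.lower() in haystack.lower()


def sircam_filter(message_headers, case_sensitive=True):
    """Return ('fail', text) or ('deliver', None) for a raw header block,
    the value Exim exposes as $message_headers: header lines joined by \\n."""
    if (contains(message_headers, "\ndate: ", case_sensitive)
            and contains(message_headers, "_Outlook_Express_message_boundary",
                         case_sensitive)):
        return "fail", "Suspect W32/Sircam virus message"
    return "deliver", None


# Constructed header blocks, not real captures.
SIRCAM_LIKE_HEADERS = (
    "From: someone@example.invalid\n"
    "To: victim@example.invalid\n"
    "Subject: document\n"
    "date: Fri, 17 Aug 2001 09:53:29 -0300\n"
    'Content-Type: multipart/mixed; boundary="_Outlook_Express_message_boundary"'
)

# A real client writes a properly capitalised Date: header.
LEGIT_OE_HEADERS = (
    "From: alice@example.invalid\n"
    "To: bob@example.invalid\n"
    "Date: Fri, 17 Aug 2001 10:12:00 +1000\n"
    "Subject: minutes\n"
    'Content-Type: multipart/alternative; boundary="----=_NextPart_000_0012_01C12700.A1B2C3D4"'
)

# A legitimate message that merely quotes the marker string in its Subject:.
LEGIT_DISCUSSING_FILTER = (
    "From: postmaster@example.invalid\n"
    "To: exim-users@example.invalid\n"
    "Date: Fri, 17 Aug 2001 11:00:00 +0100\n"
    "Subject: filtering on _Outlook_Express_message_boundary"
)


def evaluate_all():
    """Run every sample through both operator variants.
    Returns {name: (action with CONTAINS, action with contains)}."""
    samples = {"sircam-like": SIRCAM_LIKE_HEADERS,
               "legit-oe": LEGIT_OE_HEADERS,
               "legit-discussing-filter": LEGIT_DISCUSSING_FILTER}
    return {name: (sircam_filter(h, True)[0], sircam_filter(h, False)[0])
            for name, h in samples.items()}


if __name__ == "__main__":
    for name, (strict, loose) in evaluate_all().items():
        print(f"{name:24s} CONTAINS -> {strict:8s} contains -> {loose}")
```

With CONTAINS only the Sircam-like block fails; with the lower-case operator the message that just mentions the boundary string in its Subject: would also be bounced, because a normal "Date:" header then satisfies the first test. Note also that the test is for "\ndate: " with a leading newline, so a lower-case date: header that happens to be the very first header line is not caught by this condition as written.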


bypassing Sirc32

2001-08-17 Thread Jordi S . Bunster


I don't know about you guys, but here in third world countries Sircam
is still making a lot of trouble. We have amavis running here on this
soon to become postfix sendmail server, so we block those messages
from/to our customers.

But, still, that makes a lot of load here. Can I, through a sendmail
and/or procmail rule, simply send those messages to /dev/null as soon
as they arrive? Has anyone done something similar? Would that reduce
the load?

Thanks in advance 

 -- Jsb

