
Re: Virus emails



Hi,

Graham Wilson wrote:
> On Mon, Sep 22, 2003 at 04:53:16PM +0200, Matthias Urlichs wrote:
> > A pure MTA solution would still need to scan the body and thus would
> > still eat your bandwidth.
>
> i have postfix's body_checks setup to reject lines that match the
> following regular expression (this is the first line of the base64
> encoded virus):
>
> /^TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>AAAAA$/
>
> i'm not sure when postfix closes the connection, 

It needs to receive all the data. Otherwise the sender will treat the closed 
connection as a temporary failure and try again a few minutes later.

An aggressive solution would remember the IP address and reject the next email 
from that destination, but I don't think postfix does that.

-- 
Matthias Urlichs    |    {M:U} IT Design @ m-u-it.de     |    smurf@debian.org
Disclaimer: The quote was selected randomly. Really. | http://smurf.debian.net
 - -
Kramer's Law:
	You can never tell which way the train went by looking at the tracks.
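
Why the quoted pattern begins with TVqQ, and what a line-by-line body filter sees, as an added example that is not part of the original thread: it base64-encodes a constructed DOS ("MZ") header the way a MIME attachment is wrapped, builds an anchored first-line pattern from it, and counts the bytes that still arrive after the matching line. The helper names, the 76-character wrapping and both sample messages are assumptions made for the illustration.

```python
import base64
import re
import struct

def dos_header() -> bytes:
    """Constructed 64-byte DOS ('MZ') header using field values common to PE files."""
    fields = struct.pack("<2s13H", b"MZ", 0x90, 3, 0, 4, 0, 0xFFFF, 0,
                         0xB8, 0, 0, 0, 0x40, 0)
    # Pad to e_lfanew at offset 0x3C; 0x80 is a constructed PE-header offset.
    return fields.ljust(0x3C, b"\0") + struct.pack("<I", 0x80)

def mime_lines(data: bytes) -> list[str]:
    """Base64 text wrapped at 76 characters (57 input bytes per line)."""
    return base64.encodebytes(data).decode("ascii").splitlines()

def attachment(data: bytes) -> list[str]:
    """Body lines of a constructed single-attachment MIME message."""
    return ["--b", "Content-Transfer-Encoding: base64", ""] + mime_lines(data) + ["--b--"]

# The first encoded line depends only on the first 57 bytes of the file,
# which is why one anchored line pattern can recognise the attachment.
FIRST_LINE = mime_lines(dos_header())[0]
PATTERN = re.compile("^" + re.escape(FIRST_LINE) + "$")

def scan(body_lines, pattern=PATTERN):
    """Check one line at a time; return (line_index, bytes_still_to_receive) or None."""
    for i, line in enumerate(body_lines):
        if pattern.search(line):
            remaining = sum(len(l) + 2 for l in body_lines[i + 1:])  # +2 = CRLF
            return i, remaining
    return None

EXE_BODY = attachment(dos_header() + bytes(4096))             # constructed sample
TEXT_BODY = attachment(b"Quarterly report attached.\n" * 40)  # constructed sample

if __name__ == "__main__":
    print(FIRST_LINE)
    print("executable:", scan(EXE_BODY))
    print("text file: ", scan(TEXT_BODY))
```

The match comes on the first encoded line, yet the remaining body bytes are still transferred before the rejection can be returned, which is the bandwidth point made in the thread.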


