Re: bypassing Sirc32
On Fri, Aug 17, 2001 at 09:53:29AM -0300, Jordi S . Bunster wrote:
> I don't know about you guys, but here in third world countries Sircam
> is still making a lot of trouble. We have amavis running here on this
> soon to become postfix sendmail server, so we block those messages
> from/to our customers.
> But, still, that makes a lot of load here. Can I, trough a sendmail
> and/or procmail rule, simple send those messages to /dev/null as soon
> as they arrive? Have anyone done something similar? Would that reduce
> the load?
all of the ones i've seen have an invalid Content-Disposition header.
try this is your postfix header_checks:
/^Content-Disposition: Multipart message/i REJECT
"Multipart message" is an invalid Content-Disposition. it will never appear
in a legitimate email.
another (better, imo) option is to block all windows executable
attachments with a body_checks rule:
/^(Content-Disposition: attachment;.*| Content-Type:.*|(\t| )+)(file)?name="?.*\.(lnk|hta|com|pif|vbs|vbe|js|jse|exe|bat|cmd|vxd|scr|shm)"?$/ REJECT
this will block all outlook/windows viruses, not just sircam. at least,
until microsoft invent a new security hole feature for their customers'
i haven't done any benchmarking or timing on it but it is probably
better to have both rules. the earlier you reject a message, the better.
because there are fewer headers than body lines, a header_check is less
load on the system than a body_check (remember, each header_check rule
has to be matched against every line of the headers, and each body_check
rule has to be matched against every line of the body)
craig sanders <email@example.com>
Fabricati Diem, PVNC.
-- motto of the Ankh-Morpork City Watch