
Re: bypassing Sirc32

On Fri, Aug 17, 2001 at 09:53:29AM -0300, Jordi S . Bunster wrote:
> I don't know about you guys, but here in third world countries Sircam
> is still making a lot of trouble. We have amavis running here on this
> soon-to-become-postfix sendmail server, so we block those messages
> from/to our customers.
> But, still, that makes a lot of load here. Can I, through a sendmail
> and/or procmail rule, simply send those messages to /dev/null as soon
> as they arrive? Has anyone done something similar? Would that reduce
> the load?

All of the ones I've seen have an invalid Content-Disposition header.

Try this in your postfix header_checks:

/^Content-Disposition: Multipart message/i	REJECT

"Multipart message" is an invalid Content-Disposition. It will never appear
in a legitimate email.

Another (better, IMO) option is to block all Windows executable
attachments with a body_checks rule:

/^(Content-Disposition: attachment;.*|Content-Type:.*|(\t| )+)(file)?name="?.*\.(lnk|hta|com|pif|vbs|vbe|js|jse|exe|bat|cmd|vxd|scr|shm)"?$/	REJECT

This will block all Outlook/Windows viruses, not just Sircam. At least,
until Microsoft invent a new security-hole feature for their customers'

I haven't done any benchmarking or timing on it, but it is probably
better to have both rules. The earlier you reject a message, the better.
Because there are fewer headers than body lines, a header_check is less
load on the system than a body_check (remember, each header_check rule
has to be matched against every line of the headers, and each body_check
rule has to be matched against every line of the body).


craig sanders <cas@taz.net.au>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
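As an added illustration, not part of Craig's message or of Postfix itself, here is a small Python emulation of how Postfix applies those two rules: header_checks against each logical header, then body_checks against each raw body line, first matching rule wins, and a REJECT ends the scan. The sample messages are constructed, not real Sircam captures. The body rule is used with the stray space before "Content-Type:" removed (with the ^ anchor that space would stop the rule matching a Content-Type line), and the simplified header unfolding (continuation lines appended to the previous header) is an assumption rather than Postfix's exact behaviour. The evaluation counter makes the load argument visible: the header rule rejects the Sircam-style message after six regex evaluations, while the body rule has to get as far as the attachment's MIME headers.

```python
import re
from typing import Dict, List, Tuple

# The two rules from the post as (compiled pattern, action) pairs. Postfix
# regexp tables match case-insensitively by default, so both patterns get
# re.IGNORECASE. The body rule is the posted one with the stray space before
# "Content-Type:" dropped: with the ^ anchor, that space would have kept it
# from ever matching a Content-Type line at the start of a body line.
HEADER_CHECKS = [
    (re.compile(r"^Content-Disposition: Multipart message", re.I), "REJECT"),
]
BODY_CHECKS = [
    (re.compile(
        r'^(Content-Disposition: attachment;.*|Content-Type:.*|(\t| )+)'
        r'(file)?name="?.*\.(lnk|hta|com|pif|vbs|vbe|js|jse|exe|bat|cmd'
        r'|vxd|scr|shm)"?$', re.I), "REJECT"),
]


def split_message(raw: str) -> Tuple[List[str], List[str]]:
    """Split a message at the first blank line into logical header lines and
    raw body lines. Folded header continuation lines (leading space or tab)
    are appended to the previous header; this is a simplification of how
    Postfix presents a multi-line header to header_checks (assumption).
    Body lines are left exactly as they are, which is what body_checks sees."""
    head, _, body = raw.partition("\n\n")
    headers: List[str] = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        else:
            headers.append(line)
    return headers, body.split("\n")


def scan(raw: str) -> Dict[str, object]:
    """Emulate header_checks followed by body_checks. The first matching rule
    wins and a REJECT ends the scan, which is the 'reject early' point of the
    post. The result also counts regex evaluations, so the cost of catching a
    message in the headers versus in the body can be compared."""
    headers, body = split_message(raw)
    evals = 0
    for header in headers:
        for pattern, action in HEADER_CHECKS:
            evals += 1
            if pattern.search(header):
                return {"action": action, "stage": "header",
                        "line": header, "evals": evals}
    for line in body:
        for pattern, action in BODY_CHECKS:
            evals += 1
            if pattern.search(line):
                return {"action": action, "stage": "body",
                        "line": line, "evals": evals}
    return {"action": "OK", "stage": None, "line": None, "evals": evals}


# Constructed sample messages (not real captures). Each has five ordinary
# headers, a short text part and one attachment part.
BASE_HEADERS = [
    "From: friend@example.invalid",
    "To: you@example.invalid",
    "Subject: Hi! How are you?",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="==BOUND=="',
]


def make_message(extra_headers: List[str], text: str,
                 attachment_headers: List[str]) -> str:
    return "\n".join(
        BASE_HEADERS + extra_headers + [""]
        + ["--==BOUND==", 'Content-Type: text/plain; charset="us-ascii"', "",
           text, "", "--==BOUND=="]
        + attachment_headers
        + ["", "QUJDREVGR0hJSktMTU5PUA==", "--==BOUND==--"])


PIF_ATTACHMENT = [
    'Content-Type: application/mixed; name="budget.xls.pif"',
    "Content-Transfer-Encoding: base64",
    'Content-Disposition: attachment; filename="budget.xls.pif"',
]

SAMPLES = {
    # Sircam-style: bogus top-level Content-Disposition plus a .pif payload.
    "sircam": make_message(["Content-Disposition: Multipart message"],
                           "I send you this file in order to have your advice.",
                           PIF_ATTACHMENT),
    # Same payload but no bogus header: only the body rule can catch it.
    "pif_only": make_message([], "I send you this file in order to have your advice.",
                             PIF_ATTACHMENT),
    # Executable whose name sits on a folded continuation line.
    "folded_exe": make_message([], "Run the attached installer.",
                               ["Content-Type: application/octet-stream;",
                                '\tname="setup.exe"',
                                "Content-Transfer-Encoding: base64"]),
    # Legitimate PDF attachment, also with a folded name: must pass.
    "benign": make_message([], "Quarterly numbers attached.",
                           ["Content-Type: application/pdf;",
                            '\tname="budget.pdf"',
                            "Content-Transfer-Encoding: base64",
                            'Content-Disposition: attachment; filename="budget.pdf"']),
}


def scan_all() -> Dict[str, Dict[str, object]]:
    return {name: scan(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_all().items():
        print(f"{name:11s} {result['action']:6s} stage={result['stage']} "
              f"evals={result['evals']} line={result['line']!r}")
```

Running it shows the Sircam-style message rejected at the sixth header evaluation, the same payload without the bogus header rejected only at the twelfth evaluation (after the whole text part has been scanned), and the PDF message passing after all eighteen lines have been checked. The real Postfix tables are consulted with `postmap -q - regexp:/etc/postfix/header_checks < file` if you want to test the rules themselves rather than this emulation.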
