
Re: MS mail bombs



Bob McElrath said:
> Jacob Anawalt [jacob@cachevalley.com] wrote:
>> I guess that's as effective for reducing the bulk of your inbox as sending
>> "550 executables not accepted", especially if you don't have control over
>> the mail server and you match this virus with 100% accuracy.
>>
>> Either way, /dev/null or 550 after DATA crlf.crlf you've received the
>> whole message.
>
> "550 executables not accepted" would obviously be a superior solution.
> How do you do it?  My google searches and list archive searches turned
> up nothing...
>

I use postfix v1.x, so I implement the body_checks regexp method, matching
the MS executable MIME 'fingerprint' mentioned here:

http://sbserv.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_sobigf.shtml

It's been a while since I used Sendmail and even when I used it I didn't
understand most of the settings, but there's got to be something similar.

Someday viruses will zip themselves and this check will fail. Then I'll
need to unzip and scan before giving the 250 OK after DATA or reject all
zip attachments as well :( .

Too bad there isn't some big public server to upload stuff to and the only
thing you send in an email is a url that expires. One copy sits on one
server, only a url sits in the server's mailbox. OpenPGP sign or encrypt
your data and it's safe. I could do this myself and I don't always do it
because emailing an attachment is so easy on both ends. I've had a hard
time getting the person on the other end to go to a web page (AOL user...)
If all email clients used this for <attach>... :)

P.S. I notice you use user+debian@. Is this email address only for list
traffic? I'm toying w/ the idea of doing that and only accepting email to
that address that comes from the list. Topic: Anti-Spam ideas for
usenet/list harvested email addresses.

-- 
Jacob
Trying out SquirrelMail
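
An added example, not part of the original message and not the rule from the linked page: a Python sketch of a line-by-line body check that rejects a base64-encoded Windows executable with 550, and of the zipped case the message expects to slip through. The regex, the sample header bytes, the addresses and the function names are assumptions made for illustration.

```python
import io, re, zipfile
from email.message import EmailMessage

# Constructed sample: the first bytes of a typical DOS/PE header ("MZ" magic)
# padded with zeros. It is not a working program.
MZ_STUB = bytes.fromhex("4d5a90000300000004000000ffff0000b8000000") + b"\x00" * 44

# Assumed rule: those header bytes always base64-encode to the same text, so the
# first encoded line of such an attachment starts with this string.
FINGERPRINT = re.compile(r"^TVqQAAMAAAAEAAAA//8AALgAAAA")


def build_message(filename, payload):
    """Build a constructed mail with one base64-encoded attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def zipped(name, payload):
    """Wrap payload in an in-memory zip archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def reply_after_data(raw):
    """Test each body line on its own, as a line-based body check does."""
    _, _, body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
    for line in body.split(b"\n"):
        if FINGERPRINT.search(line.decode("ascii", "replace")):
            return "550 executables not accepted"
    return "250 OK"


if __name__ == "__main__":
    print(reply_after_data(build_message("note.pif", MZ_STUB)))
    print(reply_after_data(build_message("note.zip", zipped("note.pif", MZ_STUB))))
```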


