
Challenges, Postfix, and Auto-handling crap (was Re: What would happen to Challenge/Response if ...)



On Fri, Oct 24, 2003 at 01:56:03AM +1000, Rob Weir wrote:
| On Thu, Oct 23, 2003 at 12:53:49AM -0700, Steve C. Lamb said
| > On Thu, Oct 23, 2003 at 05:32:59PM +1000, Rob Weir wrote:
| > > Hm, now I check, 27253 of those did *not* come from my secondary MXs.
| > > That is a stupid amount of crap.  In fact, it is 3.8985GB of crap.
| > > Imagine that instead of dropping that shit on the floor, you sent a CR
| > > query.  You've just doubled the number of mails flying around (though
| > > not the volume, of course).

Yes.  Very bad.  Sending people, like me, a "you sent a virus" message
just makes you look less educated.  Like Karsten, I typically just
ignore challenges.  Your bloody loss, mate.  I do, however, encourage
automatic handling of mail including tagging, sorting, and trashing.

| > Ya forgot to mention that of those 27253 messages (just using your
| > count as an example) damn near close to 0 are likely to reach an
| > infected host since SWEN spoofs and lots of C-R systems fall for
| > it.
| 
| Ah, yes, that's even worse.  I'm also bloody sick of getting "a virus was
| detected in your mail" messages from people I have never written to.

Uh-huh.  See below for automated techniques to avoid that crap and to
stuff it back at the sender.

| > BTW, just curious how you detect SWEN before the MTA gets it?
| > Usually mine is post-contact on at least one occasion.  After that
| > it was firewall but now it is just drop on a RCPT test.  Hrm,
| > should make it a HELO test.  :/
| 
| I'm dropping mail based on a DATA regexp.

Same here.

| I have the following line in /etc/postfix/ms-crap

| /^TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA$/   REJECT Message rejected, contains the Swen worm virus!

FYI this matches any executable generated by the MS Visual C++
compiler, not just swen.  (it works for me, but some sites need a more
targeted pattern because they must deliver some executables)

Better yet use DISCARD instead of REJECT so the crap goes away rather
than (possibly) being bounced to some innocent bystander.

| and this line in /etc/postfix/main.cf to make use of it
| 
| body_checks = regexp:/etc/postfix/ms-crap

I recommend installing postfix-pcre and using "pcre:" instead of
"regexp:".  I don't know if it matters for this pattern, but I've
heard that pcre is faster than regexp.  I know that pcre has a more
expressive language, which becomes important if you start working on
fancier patterns.  Also you're more likely to find pcre patterns (that
may or may not happen to work with regexp without changes) from other
people on the 'net.  Not a big deal, but now you know the tradeoffs
:-).

| No doubt any other servicable MTA can handle it.

Yes.

| Oh, and to get my counts, I use 
| 
| grep Swen /var/log/mail.log|awk '{print $6}'|sort|uniq|wc -l

Better yet, install 'pflogsumm' and have cron run it daily and/or
weekly to give you a good summary of the load postfix is handling.
(it includes the total of messages


Here are some header and body patterns for the "you sent me a virus"
junk:

--- header_checks

/^Subject:[ ]*Infected E-Mail$/       REJECT Bogus virus warning detected [110].
                                             Contact <postmaster> for details.

# Dumb. Dumber. and Dumberer.
/^From: NAV for Microsoft Exchange/   REJECT Bogus virus warning detected [102].
                                             Contact <postmaster> for details.
/^From: F-Secure Anti-Virus for Internet Mail/
                                      REJECT Bogus virus warning detected [111].
                                             Contact <postmaster> for details.
/^Subject: .*(?:NAV|Norton AntiVirus) detected (?:and quarantined )?a virus/
                                      REJECT Bogus virus warning detected [103].
                                             Contact <postmaster> for details.
/^Subject: .*ScanMail for Lotus Notes/ REJECT Bogus virus warning detected [104].
                                              Contact <postmaster> for details.
/^Subject: .*Symantec AVF detected a.*virus/
                                      REJECT Bogus virus warning detected [105].
                                             Contact <postmaster> for details.
/^Subject: .*Virus Alert/             REJECT Bogus virus warning detected [106].
                                             Contact <postmaster> for details.
/^Subject: .*A Virus was detected/    REJECT Bogus virus warning detected [107].
                                             Contact <postmaster> for details.
/^Subject: .*VIRUS IN YOUR MAIL/      REJECT Bogus virus warning detected [108].
                                             Contact <postmaster> for details.
/^Subject: .*Virus Detected by Network Associates/
                                      REJECT Bogus virus warning detected [109].
                                             Contact <postmaster> for details.
|^X-Mailer: ravmd/8.3.2|  REJECT  Mail from virus scanners is not accepted [100]
/^X-Mailer: MailScanner/  REJECT  Mail from virus scanners is not accepted [112]
/^X-[^:]*MailScanner: Found to be infected/
              REJECT  Joe-Jobbing is an unacceptable abuse of this system. [101]
/^X-Auto-Generated: McAfee antivirus plugin/
                          REJECT  Mail from virus scanners is not accepted [113]

# Pointless.
/^X-Virus-Scanned:/     IGNORE
/^X-AntiVirus:/         IGNORE
/^X-RAVMilter-Version:/ IGNORE
/^X-MIMEOLE:/           IGNORE
/^X-Mailscanner[^:]*:/  IGNORE
/^X-[^:]*MailScanner:/  IGNORE
/^Thread-Topic:/        IGNORE
/^X-Sun-Charset:/       IGNORE

/^X-MSMail-Priority:/   IGNORE



--- body_checks

# Hmm, the pflogsumm report will end up including text like these.
/^ {6,11}\d{1,6}[ km] /    OK


# All .exe files from MSVC have the same starting bytes
/^TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAA[A:]A*$/
                                                        DISCARD  MSVC executable

# (anchor sufficiently to avoid rejects passing on the patterns)
/^-----------+ +(?:Sify )?Virus Warning Message /
                                     REJECT  Bogus virus warning detected [300].
                                             Contact <postmaster> for details.
# Joy.  Multiple languages.
/^------ Message du Moteur Antivirus /
                                     REJECT  Bogus virus warning detected [305].
                                             Contact <postmaster> for details.
/Antigen for Exchange found[^\/[]/   REJECT  Bogus virus warning detected [301].
                                             Contact <postmaster> for details.
/^Sophos Plc MailMonitor for Domino/ REJECT  Bogus virus warning detected [302].
                                             Contact <postmaster> for details.
/^--- Dr\.Web report ---/            REJECT  Bogus virus warning detected [303].
                                             Contact <postmaster> for details.
/^The scanned e-mail has your address in the <From> header field./
                                     REJECT  Bogus virus warning detected [304].
                                             Contact <postmaster> for details.
/^----------- Trend GateLock/        REJECT  Bogus virus warning detected [306].
                                             Contact <postmaster> for details.

# Dumb.  Just plain dumb.
/^Outgoing mail is certified Virus Free\.$/                             IGNORE
|^Checked by AVG anti-virus system \(http://www\.grisoft\.com\)\.|      IGNORE
|^Version: .\..\.... / Virus Database: ... - Release Date: .?./../..(?:..)?$|
                                                                          IGNORE


If you're not using postfix then you'll need to translate these for
your mail system.  (FYI, when postfix sees "IGNORE" it simply removes
that line from the message and continues normal processing.)

-D

-- 
"...Deep Hack Mode--that mysterious and frightening state of
consciousness where Mortal Users fear to tread."
(By Matt Welsh)
 
http://dman13.dyndns.org/~dman/
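An added example, not code from the mail above or from Postfix: a small Python model of how the body_checks rules in the mail are applied line by line. It assumes Postfix's documented first-match-wins order and simplifies by stopping the scan once REJECT or DISCARD is hit; the sample message lines and the base64 MZ line are constructed here, not taken from real mail. It also decodes that base64 line to show why the pattern fires on any MSVC-built .exe, not just Swen.

```python
import base64
import re

# (pattern, action) pairs copied from the body_checks table in the mail.
# Order matters: the pflogsumm whitelist line sits first so report text
# is never caught by the patterns that follow.
BODY_CHECKS = [
    (r"^ {6,11}\d{1,6}[ km] ", "OK"),
    (r"^TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAA[A:]A*$", "DISCARD"),
    (r"^-----------+ +(?:Sify )?Virus Warning Message ", "REJECT"),
    (r"^Outgoing mail is certified Virus Free\.$", "IGNORE"),
]


def mz_header_line():
    """Constructed first base64 line (57 bytes -> 76 chars) of a typical
    MSVC-linked .exe: the DOS 'MZ' stub header followed by zero fill.
    e_lfanew lives at offset 0x3C, past this line, so it does not matter."""
    header = bytes([0x4D, 0x5A, 0x90, 0, 3, 0, 0, 0, 4, 0, 0, 0,
                    0xFF, 0xFF, 0, 0, 0xB8, 0, 0, 0, 0, 0, 0, 0, 0x40, 0, 0])
    return base64.b64encode(header + bytes(57 - len(header))).decode()


def is_mz(line):
    """True when a base64 body line decodes to something starting with 'MZ'."""
    return base64.b64decode(line)[:2] == b"MZ"


def check_line(line):
    """First matching pattern decides the action (Postfix table semantics)."""
    for pattern, action in BODY_CHECKS:
        if re.search(pattern, line):
            return action
    return None


def apply_body_checks(lines):
    """Return (verdict, surviving lines).  IGNORE removes the line and
    continues, OK keeps it and skips further patterns for that line, and
    REJECT/DISCARD settle the whole message (simplified: scanning stops)."""
    kept = []
    for line in lines:
        action = check_line(line)
        if action in ("REJECT", "DISCARD"):
            return action, kept
        if action != "IGNORE":
            kept.append(line)
    return "DELIVER", kept


if __name__ == "__main__":
    print(apply_body_checks(["Here is the file", "", mz_header_line()]))
    print(apply_body_checks(["      3898m  bytes received",
                             "Outgoing mail is certified Virus Free."]))
```

With DISCARD the message vanishes after being accepted, so no bounce is generated toward the (spoofed) sender; with REJECT the sending MTA is told to bounce it, which is the joe-job problem the mail describes.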
