Re: [vox-tech] Virus deluge
on Tue, Jan 27, 2004 at 07:25:42PM -0800, Karsten M. Self (kmself@ix.netcom.com) wrote:
> on Tue, Jan 27, 2004 at 05:35:12AM -0800, Rod Roark (rod@sunsetsystems.com) wrote:
> > I just created and installed a Postfix remedy for the latest
> > MS malware outbreak, and thought I'd pass it on. I'm seeing
> > a VERY high rate of connections from machines infected with
> > this stuff.
> >
> > In main.cf, insert this:
> >
> > body_checks=pcre:/etc/postfix/virus_body_checks
> >
> > Create a file virus_body_checks containing this:
> >
> > /^TVqQAAMAAAAEAAAA\/\/8AALg/ REJECT Emails with Microsoft executable attachments are not allowed here.
> > /^UEsDBAoAAAAAA...OzDKJx\+eAFgAAABYAA/ REJECT Attached zip file appears to contain a virus.
> >
> > If anyone has an improved solution, let me know, but this
> > seems to work.
>
> Try:
>
> ================================================================================
> :0 B
> * -1
> * 1^0 ^Content-Transfer-Encoding: base64
> * 1^0 1rrAeM0gDQdlmmtNtWVfG3QRFA672grQLlgIdDhobVVL2XMWVlc87bWFzho6IHtwAj2d9r
> * 1^0 Ga9SG/3//7dSpCoQS7DvKZAv72JQKWmvdKWWbadVD/D//9vSfeg2mRbgbKcMvEZXguXrNq
> * 1^0 TBuvVXOm//9/idxR1/7/Y6uPvh3LTd755dO39hzsPp/6sfv///8xZXpCOlu2J40AUMvgDP
> * 1^0 Q2VDAuk6pQf8sthCvHkbFDMACWK8hd0C2mSZPSKSIjutcMMWTmfwLUdsuyF4o1Tjemh5hk
> * 1^0 Z3h2Z0tDwwdp3y78fy10dmV5LTIuMG9xcIxfY05wdXJmmaHdCjNcdmkLRDvZ1r5tSGRWLV
> * 1^0 V0jTDPIH0MgIsEjTDDKYiAqARYEDNnhPUmWtFnAb4JuraGYHK2nGAwbeAiBFcj2UWskGOE
> {
> LOG="LOG: Virus: (Mydoom / Novar)"
>
> :0:
> Virus/
> }
> ================================================================================
...er...
You'll want to anchor those with '^' so you don't get false positives...
...like I did...
...on my own mail...
;-)
Peace.
--
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Geek for hire: http://kmself.home.netcom.com/resume.html
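
Added example, not part of the original message or of either poster's filter: a simplified Python model of the recipe's `-1` / `1^0` scoring. It shows why unanchored signature lines also fire on a plain-text mail that merely quotes the recipe, while `^`-anchored ones do not. The function names and both sample bodies are constructed for illustration; the two signature strings are copied from the recipe above.

```python
import re

# Two of the signature lines from the recipe quoted above.
SIGNATURES = [
    "1rrAeM0gDQdlmmtNtWVfG3QRFA672grQLlgIdDhobVVL2XMWVlc87bWFzho6IHtwAj2d9r",
    "Z3h2Z0tDwwdp3y78fy10dmV5LTIuMG9xcIxfY05wdXJmmaHdCjNcdmkLRDvZ1r5tSGRWLV",
]
CTE = r"^Content-Transfer-Encoding: base64"  # already anchored in the recipe


def conditions(anchored):
    """Build the condition list, with or without '^' on the signatures."""
    prefix = "^" if anchored else ""
    return [CTE] + [prefix + re.escape(s) for s in SIGNATURES]


def score(body, anchored):
    """Simplified model: start at -1; each `1^0` condition adds 1 the
    first time it matches the body and nothing for further matches."""
    flags = re.MULTILINE | re.IGNORECASE  # no D flag: case-insensitive
    hits = sum(1 for c in conditions(anchored) if re.search(c, body, flags))
    return -1 + hits


def is_filed(body, anchored):
    """The recipe delivers to Virus/ only when the final score is positive."""
    return score(body, anchored) > 0


# Constructed sample: MIME body carrying the encoded attachment.
INFECTED = "\n".join([
    "--boundary",
    "Content-Type: application/octet-stream",
    "Content-Transfer-Encoding: base64",
    "",
    SIGNATURES[0],
    SIGNATURES[1],
    "--boundary--",
])

# Constructed sample: list mail that quotes the recipe as text.
DISCUSSION = "\n".join([
    "> Try:",
    "> * 1^0 ^Content-Transfer-Encoding: base64",
    "> * 1^0 " + SIGNATURES[0],
    "> * 1^0 " + SIGNATURES[1],
])

if __name__ == "__main__":
    for name, body in (("infected", INFECTED), ("discussion", DISCUSSION)):
        print(name, "unanchored:", is_filed(body, False),
              "anchored:", is_filed(body, True))
```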