[61014] in North American Network Operators' Group
Re: Hijacked email
daemon@ATHENA.MIT.EDU (Will Yardley)
Wed Aug 20 21:14:34 2003
Date: Wed, 20 Aug 2003 18:13:58 -0700
From: william+nanog@hq.dreamhost.com (Will Yardley)
To: nanog@merit.edu
Mail-Followup-To: nanog@merit.edu
In-Reply-To: <20030820152827.GB49188@dipole.informationwave.net>
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, Aug 20, 2003 at 11:28:27AM -0400, Omachonu Ogali wrote:
>
> For our Postfix viewers out there...
>
> header_checks:
> /^X-MailScanner: Found to be clean$/ REJECT You're infected, but you probably won't see this message anyway.

Of course, this will also block legitimate messages that have been
scanned by whatever type of virus scanner adds that header.

Wietse suggests the following body check; it will work better with
Postfix 2.0:

http://sbserv.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_sobigf.shtml

This is working well for us.

You could also probably look for the following three lines in a row:
(I'll indent a space so they don't set off people who are blocking based
on the above rules):

 X-MailScanner: Found to be clean
 Importance: Normal
 X-Mailer: Microsoft Outlook Express 6.00.2600.0000

We're seeing a LOT of these today.... probably in the thousands per
second.

--
"Since when is skepticism un-American?
Dissent's not treason but they talk like it's the same..."
(Sleater-Kinney - "Combat Rock")
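
The "three lines in a row" check suggested above, as an added example that is not part of the original post: Postfix header_checks match one logical header at a time, so this sketch does the sequence match in a standalone Python filter instead. The function names and both sample messages are constructed for illustration.

```python
# Header sequence quoted in the post, in the order it appears in the message.
SIGNATURE = [
    ("x-mailscanner", "Found to be clean"),
    ("importance", "Normal"),
    ("x-mailer", "Microsoft Outlook Express 6.00.2600.0000"),
]

def parse_headers(raw):
    """Return [(lowercased name, value)] in order, unfolding continuation lines."""
    headers = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if line == "":                      # blank line ends the header section
            break
        if line[0] in " \t" and headers:    # folded continuation of previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers

def single_header_match(raw):
    """Equivalent of the quoted header_checks rule: the one header alone."""
    return SIGNATURE[0] in parse_headers(raw)

def three_in_a_row(raw):
    """True only if the three signature headers appear consecutively."""
    headers = parse_headers(raw)
    n = len(SIGNATURE)
    return any(headers[i:i + n] == SIGNATURE for i in range(len(headers) - n + 1))

# Constructed sample: carries the three headers back to back.
SUSPECT = ("From: a@example.com\nSubject: Re: Details\n"
           "X-MailScanner: Found to be clean\nImportance: Normal\n"
           "X-Mailer: Microsoft Outlook Express 6.00.2600.0000\n\nbody\n")

# Constructed sample: legitimately scanned mail that quotes the lines in its body.
LEGIT = ("From: b@example.org\nSubject: scanner header\n"
         "X-MailScanner: Found to be clean\nUser-Agent: Mutt/1.4.1i\n\n"
         "X-MailScanner: Found to be clean\nImportance: Normal\n"
         "X-Mailer: Microsoft Outlook Express 6.00.2600.0000\n")

if __name__ == "__main__":
    for label, msg in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(label, single_header_match(msg), three_in_a_row(msg))
```

The single-header rule flags both samples, while the sequence check flags only the first and ignores the same lines when they appear in a message body.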