Subject: Re: Postfix abused as a relay?
To: MLH <mlh@goathill.org>
From: Richard Rauch <rkr@olib.org>
List: netbsd-help
Date: 01/27/2004 09:18:04
On Tue, Jan 27, 2004 at 08:58:25AM -0600, MLH wrote:
> Herb Peyerl wrote:
> 
> > Richard Rauch  wrote:
 [...]
> I'm starting to get bounced messages that are supposedly coming
> from my domain (in addition to the rejected .zip file messages)
> but there is no record of contacting the server which is complaining
> so I don't think my Postfix is relaying.

You're on the tail-end of "bank-shot" forwarded email, I think.

The virus sent it first to another system (one that was configured as
mine was until this morning), but claimed to be sending it from your
system.  The initial target accepted it into its queue, then bounced it
"back" to you because that was all that it could figure out by that point.


> > Personally, I just added the first few mime64 bytes of the .zip
> > file into my /etc/postfix/body_checks :
> > 
> > ^TVqQAAMA      REJECT Sorry.  No executables please.
> > ^UEsDBAoAAA    REJECT Sorry.  No viruses please.
> 
> Or add it to the Swen worm header_checks:
> 
> /^Content-(Type|Disposition):.*(file)?name=.*\.(asd|bat|chm|cmd|com|dll|exe|hlp|hta|js|jse|lnk|ocx|pif|scr|shb|shm|shs|vb|vbe|vbs|vbx|vxd|wsf|wsh|zip)/ REJECT Sorry, we do not accept .${3} file types.

I'd rather pull enough of a fingerprint to allow "most" .zip archives in.

Unlike raw MS executables, .zip archives have some limited use...


-- 
  "I probably don't know what I'm talking about."  http://www.olib.org/~rkr/
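As an added example (not part of the thread, and not Postfix code), the following Python reproduces the two checks quoted above so their behaviour can be tried offline: the body_checks fingerprints are base64 prefixes of the attachment's first bytes (`MZ\x90\x00\x03` for a DOS/PE stub, `PK\x03\x04` plus version 1.0, no flags and the "stored" method for a .zip), and the header_checks pattern is the quoted regexp with `${3}` as the extension group. The sample attachment headers are constructed inline; the reject texts are taken from the quoted table lines.

```python
import base64
import re

# Pattern prefixes and reject texts from the body_checks lines quoted in the thread.
BODY_CHECKS = {
    "TVqQAAMA": "Sorry.  No executables please.",     # base64("MZ\x90\x00\x03\x00")
    "UEsDBAoAAA": "Sorry.  No viruses please.",       # base64("PK\x03\x04\x0a\x00\x00\x00")
}

# The header_checks regexp quoted in the thread. Postfix regexp tables are
# case-insensitive by default, hence re.IGNORECASE. Group 3 is the extension.
HEADER_RE = re.compile(
    r"^Content-(Type|Disposition):.*(file)?name=.*\.(asd|bat|chm|cmd|com|dll|exe|"
    r"hlp|hta|js|jse|lnk|ocx|pif|scr|shb|shm|shs|vb|vbe|vbs|vbx|vxd|wsf|wsh|zip)",
    re.IGNORECASE,
)


def body_check(attachment: bytes):
    """Return the reject text a base64-encoded attachment would trigger, else None.

    Postfix applies body_checks to each body line. The first line of a base64 part
    encodes the first 57 bytes of the file, so a ^-anchored pattern is effectively
    a magic-number test on the attachment's leading bytes.
    """
    first_line = base64.b64encode(attachment[:57]).decode("ascii")
    for prefix, reason in BODY_CHECKS.items():
        if first_line.startswith(prefix):
            return reason
    return None


def header_check(header: str):
    """Return the reject text for one Content-* header line, or None."""
    m = HEADER_RE.match(header)
    if m:
        return f"Sorry, we do not accept .{m.group(3)} file types."
    return None


if __name__ == "__main__":
    # Constructed sample: a DOS/PE stub, a "stored" zip entry, and a deflated zip
    # entry (version 2.0, method 8), which the fingerprint deliberately lets through.
    for sample in (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + bytes(4),
                   b"PK\x03\x04\x0a\x00\x00\x00\x00\x00" + bytes(20),
                   b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + bytes(20)):
        print(sample[:4], "->", body_check(sample))
    print(header_check('Content-Disposition: attachment; filename="invoice.zip"'))
```

Note that the header pattern is not end-anchored, so a name such as `notes.exe.txt` is also rejected (as `.exe`), which is worth knowing when tuning false positives.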