From owner-freebsd-security Tue Dec 4 17:44:38 2001
Delivered-To: freebsd-security@freebsd.org
Received: from elvis.mu.org (elvis.mu.org [216.33.66.196]) by hub.freebsd.org (Postfix) with ESMTP id 64F1037B419; Tue, 4 Dec 2001 17:44:32 -0800 (PST)
Received: by elvis.mu.org (Postfix, from userid 1192) id 086AE81D01; Tue, 4 Dec 2001 19:44:32 -0600 (CST)
Date: Tue, 4 Dec 2001 19:44:32 -0600
From: Alfred Perlstein
To: Len Conrad
Cc: freebsd-security@freebsd.org, jmb@freebsd.org
Subject: block double suffix attachments? Re: Mail list is posting gone virus!!!!
Message-ID: <20011204194431.E92148@elvis.mu.org>
References: <01d701c17d10$a8b334b0$0001300a@lhtech.lhtek.com> <4.3.2.7.2.20011204172959.04d112e0@localhost> <5.1.0.14.2.20011204193019.05f01c18@mail.Go2France.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <5.1.0.14.2.20011204193019.05f01c18@mail.Go2France.com>; from LConrad@Go2France.com on Tue, Dec 04, 2001 at 07:34:31PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

* Len Conrad [011204 19:35] wrote:
>
> >Also no excuse. Our heuristic checker caught the very first copy
> >(See http://www.brettglass.com/spam/paper.html) and would run
> >just fine on the FreeBSD mail servers.
>
> the freebsd hubs run postfix, afaik, which can block on single and double
> file extensions, like .scr, .doc.scr. Our FreeBSD AV box sees no BadTrans
> or Goner because the postfix front-ends reject them as attachments.
>
> For volumes, here's FreeBSD + Kaspersky for Tue through first 20 hours:

yipes!

Blocking double extensions is a real pain because people may elect to send
.gz or .bz2 or a myriad of other legit formats.

I guess in the face of this obnoxious plague it may make sense to drop all
attachments that contain double suffix attachments with the exception of
.gz and .bz2. I know I've most likely forgotten an important extension,
but we can add those as the need arises?

Jonathan, would that be possible? (block all messages with attachments
that have a double suffix? except .gz/.bz2 ?)

> Grand Totals
> ------------
> messages
>
>  352086 received
>  386330 delivered
>       5 forwarded
>       1 deferred (1 deferrals)
>   16844 bounced
>      47 rejected
>
>   6288m bytes received
>   7786m bytes delivered
>   63730 senders
>   10594 sending hosts/domains
>   45609 recipients
>    6828 recipient hosts/domains
>
> giving:
>
>     1 Infected with I-Worm.Magistr.b.poly
>     1 Infected with Macro.Word97.Sattelite.b
>     1 Infected with from=bounce-members-68677@lists.naela.org
>     1 Infected with from=info@kalistaderm.com
>     1 Infected with from=bounce-members-67997@lists.naela.org
>     1 Infected with Macro.Word97.Ethan
>     1 Infected with I-Worm.Hybris.f
>     1 Infected with I-Worm.Hybris.c
>     3 Infected with I-Worm.Magistr.a.poly
>     3 Infected with I-Worm.KakWorm
>     3 Infected with from=emailtesting@gfi.com
>     6 Infected with I-Worm.Badtrans
>     7 Infected with Win32.FunLove.4070
>     8 Infected with I-Worm.MTX
>    34 Infected with I-Worm.Hybris.b
>    99 Infected with I-Worm.Magistr.a
>   101 Infected with I-Worm.Magistr.b
>   281 Infected with I-Worm.BadtransII
>   522 Infected with I-Worm.Sircam.c
>   582 Infected with I-Worm.Goner
>
>  1657 TOTAL
>
> Len
>
>
> http://MenAndMice.com/DNS-training
> http://BIND8NT.MEIway.com : ISC BIND 8.2.4 for NT4 & W2K
> http://IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology,"
start asking why software is ignoring 30 years of accumulated wisdom.'
http://www.morons.org/rants/gpl-harmful.php3
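The policy Alfred proposes above (reject any attachment whose filename carries a double suffix, except when it ends in .gz or .bz2) and the single-suffix rejection Len describes (.scr, .doc.scr) can be stated precisely as a check over the filename declared in a MIME part's Content-Disposition or Content-Type header. The Python below is an added illustration, not code from this thread, from the FreeBSD hubs, or from Postfix (which would express the same rule as a mime_header_checks pattern rather than as Python). The allowlist of .gz/.bz2 and the blocklist containing only .scr are assumptions taken directly from the two messages; the sample MIME message is constructed for the example.

```python
import email
from email import policy

# Policy as stated in the mail (assumptions: these are the only exceptions
# Alfred names, and .scr is the only single suffix Len names).
ALLOWED_FINAL_SUFFIXES = {"gz", "bz2"}   # a double suffix is fine if it ends this way
BLOCKED_SUFFIXES = {"scr"}               # rejected even as a single suffix


def suffixes_of(filename):
    """Return the dotted suffixes of a filename, lower-cased.

    'report.doc.scr' -> ['doc', 'scr'];  '.bashrc' -> ['bashrc'];  'README' -> [].
    A leading dot (dotfile) is not counted as a suffix boundary.
    """
    basename = filename.rsplit("/", 1)[-1].lower()
    parts = basename.split(".")
    return [p for p in parts[1:] if p]


def verdict(filename):
    """Classify one declared attachment filename as 'ACCEPT' or 'REJECT'."""
    sfx = suffixes_of(filename)
    if not sfx:
        return "ACCEPT"                       # no extension at all
    if sfx[-1] in BLOCKED_SUFFIXES:
        return "REJECT"                       # .scr, .doc.scr, ...
    if len(sfx) >= 2 and sfx[-1] not in ALLOWED_FINAL_SUFFIXES:
        return "REJECT"                       # any other double suffix
    return "ACCEPT"                           # single suffix, or .tar.gz / .tar.bz2


def check_message(raw):
    """Map every declared attachment filename in a raw RFC 2822 message to its verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.walk():
        # get_filename() reads Content-Disposition filename= and falls back
        # to Content-Type name=; parts with neither are not attachments.
        name = part.get_filename()
        if name:
            results[name] = verdict(name)
    return results


def message_verdict(raw):
    """Reject the whole message if any attachment is rejected, as a front-end MTA would."""
    return "REJECT" if "REJECT" in check_message(raw).values() else "ACCEPT"


# Constructed sample message (not real list traffic): one worm-style
# double-suffix attachment and one legitimate archive.
SAMPLE = b"""From: sender@example.invalid
To: list@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

see attached
--XYZ
Content-Type: application/octet-stream; name="invoice.doc.scr"
Content-Disposition: attachment; filename="invoice.doc.scr"
Content-Transfer-Encoding: base64

AAAA
--XYZ
Content-Type: application/x-gzip; name="src.tar.gz"
Content-Disposition: attachment; filename="src.tar.gz"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""

if __name__ == "__main__":
    for name, v in check_message(SAMPLE).items():
        print(f"{v:7} {name}")
    print("message:", message_verdict(SAMPLE))
```

Two properties of the check are worth keeping in mind: it looks only at the filename the sender declared in the headers, never at the part's content, so it is the cheap front-end filter Len describes rather than a replacement for the AV box behind it; and the allowlist is exactly the open question Alfred raises, since any legitimate format not in ALLOWED_FINAL_SUFFIXES is bounced until someone adds it.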