Steve Friedl's Weblog

August 19, 2003
Postfix rules to reject SOBIG.F mail

Ugh: the SOBIG.F virus is running around *everywhere*, so I've created some header_checks rules to get Postfix to reject this mail before it even enters the network. I certainly have enough sense not to open a PIF file, but not everybody I relay for does. Sigh.

Tech Tip: Rejecting SOBIG.F Virus Mails from Postfix

Posted by Steve at August 19, 2003 10:21 AM
Comments

In the last 24 hours, my little mail server has turned away more than 1100 of these things - what an amazing outbreak.

Posted by: Steve Friedl on August 20, 2003 11:12 AM

By rejecting the Sobig.F worm, you are contributing to the problem. Since Sobig.F forges the sender address, your rejection message is being sent to an innocent third party. In light of this, the best course of action is to accept the message and silently delete it (using the DISCARD action, rather than REJECT).

I would prefer not to have to wade through 50 rejection messages each morning, looking for real messages.

Posted by: James on August 21, 2003 03:58 AM

James is right, of course, so I've updated my Tech Tip to reflect this better approach.

Posted by: Steve Friedl on August 21, 2003 07:19 AM
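As an added example (this is not the rule set from the Tech Tip linked above, which is not reproduced on this page), here is the shape of a Postfix header_checks table that drops mail carrying a .pif or .scr attachment, written with the DISCARD action James recommends and with the REJECT alternative left in as a comment for contrast. The file path, the regexp: table type and the attachment-name pattern are my assumptions; the rule keys on the executable attachment type the post mentions, not on any worm-specific signature.

```conf
# /etc/postfix/main.cf  (added example; path and table type are assumed)
header_checks = regexp:/etc/postfix/header_checks
# mime_header_checks defaults to $header_checks, so the Content-Type and
# Content-Disposition headers of each MIME part (where the attachment
# filename lives) are run through the same table.

# /etc/postfix/header_checks  (regexp table: case-insensitive by default,
# first matching rule wins, folded header lines are joined before matching)
#
# DISCARD: accept the message at SMTP time, then drop it silently and log
# the text. Nothing goes back toward the forged envelope sender.
/^Content-(Type|Disposition):.*name=.*\.(pif|scr)("|;|$)/  DISCARD PIF/SCR attachment dropped
#
# REJECT alternative: hand a 5xx to whatever system is delivering to us.
# A relaying MTA will usually turn that into a bounce to the forged
# sender, which is the backscatter James describes above.
#/^Content-(Type|Disposition):.*name=.*\.(pif|scr)("|;|$)/  REJECT Executable attachments are not accepted
```

Regexp tables need no postmap run; after editing main.cf, `postfix reload`. To check a rule without sending mail, feed a constructed header line to the table, e.g. `postmap -q 'Content-Disposition: attachment; filename="your_details.pif"' regexp:/etc/postfix/header_checks`, which prints the matching action (here `DISCARD PIF/SCR attachment dropped`) or nothing if no rule fires.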

This is how I solved the same problem:

main.cf:
smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo

/etc/postfix/helo (build the .db with postmap /etc/postfix/helo):
# key is the HELO/EHLO name, action must be a valid access(5) action
ROCKET  REJECT You're not SoBig now, are you...

The virus introduces itself on EHLO.
Postfix will reject it when the EHLO restriction matches, at RCPT TO: (unless the reject delay has been changed).

Kills CPU time..

Posted by: Fredrik on August 28, 2003 03:40 PM

Huh? There are all kinds of HELO strings other than "ROCKET", and it's not really possible to identify them all. I don't see this as a solution that scales very well...

Posted by: Steve Friedl on August 28, 2003 06:40 PM