Steve Friedl's Weblog

February 25, 2004
Blocking the Netsky worm

The Netsky worm seems to be running around now, and it has behavior that is very easy for Postfix to stop at the front door.

Apparently, this worm has a built-in SMTP engine, and it uses the target domain name in the HELO identification at the start of the transaction. There is no circumstance where an outsider should identify itself to my mailserver as "unixwiz.net", so these attempts are dropped immediately.

I wrote about this before when I found that spammers were identifying themselves with my IP address, so this is just a logical extension to that technique.

Of course, this doesn't work if you actually have a computer with that hostname that tries to route outbound mail through your mailserver, but that seems like a bad idea anyway.

UPDATE - Looks like I wrote too quickly: Postfix does a multiple-level check on this, so if you block "foo.com" in the HELO string, it blocks "anything.foo.com". This means that it only works in much more limited situations where your mailserver never accepts mail from others in the same domain.

UPDATE #2 - Ah, now I think I got it: by adding a "permit_mynetworks" before the access lookup, it allows all the machines inside your network to send mail with any kind of HELO string, but anybody on the outside gets bounces. I've updated the original weblog entry to reference this.

It's blocking quite a few of the viruses now. Gotta watch a while for false positives...
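The configuration the two updates converge on, written out as an added example (not from the original post): `permit_mynetworks` runs first so internal hosts may HELO however they like, then the access lookup rejects any outsider claiming to be your own domain. The domain unixwiz.net comes from the post; the map path /etc/postfix/helo_access is an assumed name.

```conf
# /etc/postfix/main.cf  (excerpt; added example, not the original post's file)

# Require a HELO/EHLO at all, otherwise the check below never runs.
smtpd_helo_required = yes

# Order matters: permit_mynetworks fires before the access lookup, so hosts
# in $mynetworks are never checked; everyone else is matched against the map.
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access hash:/etc/postfix/helo_access,
    permit

# /etc/postfix/helo_access  (assumed path; rebuild the .db after editing with
#   postmap /etc/postfix/helo_access && postfix reload)
#
# Postfix also tries parent domains, so this single entry rejects
# HELO "unixwiz.net" as well as "anything.unixwiz.net" (the first UPDATE).
unixwiz.net    REJECT Forged HELO: you are not unixwiz.net
```

Rejections show up in the mail log as "Helo command rejected" lines, which is where to watch for the false positives mentioned above, typically a legitimate relay that is not yet listed in $mynetworks.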

Posted by Steve at February 25, 2004 10:58 AM