So I’ve had the lovely task of dealing with the recent sobig.f outbreak on the Internet where I work. The same dunderheads that let themselves get infected by the last big virus failed to run Windows Update so that they could be prevented from getting this one.
It just goes to show that border security, basically, isn’t. People set up ways of blocking the bad stuff from getting to them, but they don’t bother to fix the underlying reason the “bad stuff” can cause problems in the first place. The moment anything makes it through the border, it can cause all the havoc it wants to. People aren’t taking responsibility for keeping their nodes secure on this big, wide Internet world, and the lack of their adequate policing is causing problems for the rest of us.
I ran into a related experience with my daughter this morning. I’m working from home today, since I have been keeping an eye on the pain to our mail server from virus transmissions. Anyway, she was getting some laundry out of the washer and the washer lid fell on her head. The obvious, rational conclusion is that she bumped the washer, causing the lid to dislodge from its open position and land on her head. I responded to the screaming wail of pain, brought over an ice pack, and asked for the explanation of what happened.
Now, we could propose alternative explanations, I suppose. But Sara insisted, “I didn’t bump the washer. It wasn’t my fault. The washer lid hit me in the head, and I don’t know how it happened!” I carefully explained cause and effect to her, that our goal is not to place blame but to figure out what happened, and how it happened, so that, in this case, we can prevent it from happening in the future.
She sullenly accepted my explanation and stalked off back to the washroom to move her laundry, this time without the accompanying crashing noises and loud crying.
But it made me think of the whole virus, and the tendency we human beings have to avoid responsibility for bad things. In one way, the recent outbreak of the RPC worms attacking Windows workstations was a good thing: the annoyance factor of rebooting your machine every 3 minutes or less forced people to update their PCs and take responsibility for helping police the Internet. I know it will be short-lived, but it’s progress. I’m just glad it wasn’t a very destructive worm, or recovery would have been far more painful than it was.
So, anyway, sobig.f is floating around today and I’m updating postfix rules. Here’s the meat of it.
Add these two entries to /etc/postfix/main.cf (or, if you’re using FreeBSD, /usr/local/etc/):
body_checks = regexp:/etc/postfix/body_checks
header_checks = pcre:/etc/postfix/header_checks.pcre
Then you need to create the files “/etc/postfix/body_checks” and “/etc/postfix/header_checks.pcre”. I name the “.pcre” file this way because that stands for “Perl Compatible Regular Expressions”, which are slightly different from the plain “regexp” regular expressions. If you don’t have PCRE support compiled into Postfix, the header_checks.pcre file won’t help you at all; it will actually keep Postfix from starting up, or in some cases just spit an error message out to your syslog.
Anyway, this is body_checks:
# sobig rejection
# The following statement should all be on one line,
# with a space before "REJECT".
/^TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA$/ REJECT keep your viruses
# Klez rejection
# The following statements should each be on one line,
# with a space before "REJECT".
/^<iframe src=3Dcid:\S+ height=3D0 width=3D0>/ REJECT No IFRAMEs please
/^<FONT>/ REJECT No viruses wanted here
##############################
This is header_checks.pcre (this one can be split across lines as formatted, because the /x flag makes the pattern ignore whitespace and Postfix joins indented continuation lines into one logical line):
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(
    ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|
    inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|
    ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|swf|
    vb[esx]?|vxd|wsc|wsf|wsh))(\?=)?"?\s*(;|$)/x
    REJECT Attachment name "$2" may not end with ".$3"
#################################
So, the nice thing here is that these two rules will check for any attachments of known nasty types and simply refuse to allow them to be delivered, period. The unfortunate weakness here is that if someone uses base64 encoding on the mail, we aren’t really checking it. You really need a virus-scanning package on the back-end for that. On the plus side, few viruses use base64 — it’s mostly reserved for spammers and people who aren’t using native English mailers.
Hope that helps! It took a little bit of digging on mailing lists to get this far, but so far it seems to be helping us a lot. On the back-end, I have a script that just uses iptables (on Linux) to stop abusive mailers. Once I’ve sanitized out the stuff that definitely won’t apply to someone else’s environment, I’ll post that here, too.
P.S. Yeah, I know “view as PDF” is broken for this doc right now. I’m not certain how to properly handle <pre> tags when formatting for PDF, so you’ll have to be content with what’s here for now 🙂 Besides, I expect you would rather just cut & paste what’s above, rather than print it out and type it, wouldn’t you? Thought you would.