# Jim Seymour's Postfix anti-virus/worm/trojan header_checks recommendations. # # WARNING: Use at your own risk! No warranty of suitability or fitness for # any particular use is expressed or implied. # # NOTE: These are PCRE (map type "pcre:") expressions. Your copy of Postfix # must have been built with PCRE support for these. # # Additional Notes # # These checks are predicated on the fact that you're using a version # of Postfix that's got MIME parsing. I don't recall when that was # added, but it's certainly in Postfix 2.x (which is what I use). If # in doubt: Join the postfix-users mailing list and ask! # # In the postfix-users mailing list, Noel Jones asserts that: # # "postfix mime_header_checks can miss broken mime headers that a # mail client may decide are "close enough" to work. A filename # can be encoded to not match the regexp. # # So just because you use mime_header_checks to reject these # file types doesn't mean they won't be accepted anyway. Be # aware of the limitations." # # These might more effectively be placed in a separate # mime_header_checks file, so that they're not run against all the # headers, but just the MIME headers. # # These (mime) header checks *will* work on the "triple-extension" # exploit (Ref: http://www.theregister.co.uk/content/56/29137.html), # to the best of my knowledge. # # Information on header checks, and other Postfix anti-UCE measures, can # be found at http://jimsun.LinxNet.com/misc/postfix-anti-UCE.txt. Also, # at the bottom of that URL, are references to additional Postfix anti-UCE # resources. # # Generic M$ email-borne worm/trojan/virus protection # # M$-Windoze vulnerable to all these as email-borne viruses/worms/trojans # Added .ade, .adp, .bas, .cpl, .crt, .hlp, .inf, .ins, .isp, .lnk, .mdb, # .mde, .msc, .msi, .msp, .mst, .pcd, .reg, .sct, .shs, .url, .vb, and .wsc # due to: # http://support.microsoft.com/support/kb/articles/q262/6/31.asp?LN=EN-US&SD=gn&FR=0 # (As of 2003-08-24, this URL appears dead. Thank you, M$) # Noel Jones supplied the following two informative URLS: # http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631 # http://www.cknow.com/vtutor/vtextensions.htm # For .shs vulnerability, see: http://www.pc-help.org/security/scrap.htm # v2 list: (bat|chm|cmd|com|exe|hta|jse?|pif|scr|sh[bs]|vb[esx]|ws[fh]) # v3 list: Added .asd, .dll, .ocx, .vxd as per Perry E. Metzger # # v4 list: Added .386, .asp, .asx, .bin, .cab, .cgi, .cil, .cpe, .cvp, .eml, # .ex_, .inp, .jar, .keyreg, .mda, .mdw, .mp3, .nte, .nws, .pl, .pm, .pot, # .pps, .slb, .swf, .swt, .sys, .vir, .vmx, .wmd, .wms, .wmz, .xlw, .xms # as per Tim Boyer (tim@denmantire.com) # v5 list: As per "manatworkyes moderator" # in firewall-wizards mailing list on Wed Jan 29 10:31:32 2003, # added: .htr # v6 list: Missed the following in the M$ bulletin: .app, .csh, .fxp, .ksh, # .mdt, .ops, .prg. If .ksh and .csh belong, so does .sh - added. # v7 list: added .dot, extension for M$ Office templates could possibly # contain harmful macros. # v8 list: added .adt, .btm, .cbt, .cla(ss)?, .cs[cs], .drv, .email, .fon, # .ini, .lib, .mht(m|ml)?, .mso, .obj, .ov., .pgm, .smm. Expanded .xlw to # .xl. (Ref: http://www.cknow.com/vtutor/vtextensions.htm) # (.doc, .html?, .ppt, .prc, .rtf not added, but probably should be.) # ("Source" [.asm, .c, .cpp., .pas, .for] seem unlikely to me) # v9 list: added CLSIDs (e.g.: "name.{FBF23B40-E3F0-101B-8488-00AA003E56F8}") # (Complements of Victor Duchovni and Noel Jones) # v10 list: added .cbl # /^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\.(386|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xl.|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/ REJECT ".$2" file attachment types not allowed # ".com" handled differently as above lines would catch attachments like # "user@example.com PGP Keys.txt" # "(\.\S{2,4})?(\?=)?"?(;|$)" terminator idea (modified) compliments of # Noel Jones /^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.com(\.\S{2,4})?(\?=)?"?(;|$)/ REJECT ".com" file attachment types not allowed # Disallow message fragmentation, as it will bypass the other tests # Ref: http://www.securiteam.com/securitynews/5YP0A0K8CM.html /^Content-(Disposition|Type):\s+.*?message\/partial\b/ REJECT # Specific virus/worm/trojan attachments that we cannot block by file # type/extension (yet?) # # Sobig.E: your_details|application|document|screensaver|movie # /^Content-(Disposition|Type):\s+.*?(file)?name="?.*?(your_details|application|document|screensaver|movie)\.zip/ REJECT # *Any* zip file: just log a warning... /^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.zip\b/ WARN