
Re: [suse-security] Fwd: Undelivered Mail Returned to Sender



On Fri, 2004-06-04 at 11:23, Arjen de Korte wrote:
> As a side note, it is easy to drop this particular virus by using the Postfix 
> 'smtpd_helo_restrictions' to drop all hosts claiming to be from within your 
> own domain, which you know, are not.

smtpd_delay_reject = no
smtpd_sender_restrictions =
hash:/etc/postfix/access,reject_unknown_sender_domain
smtpd_client_restrictions = 
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = no
smtpd_recipient_restrictions =
            reject_invalid_hostname,
            reject_non_fqdn_hostname,
            reject_non_fqdn_sender,
            reject_non_fqdn_recipient,
            reject_unknown_sender_domain,
            reject_unknown_recipient_domain,
            permit_mynetworks,
            reject_unauth_destination,
            permit
smtpd_data_restrictions =
            reject_unauth_pipelining,
            permit

Couple of lines out of my postfix main.cf file.

These lines alone have stopped almost 60% of inbound SPAM attempts, as
well as reducing virii threats by huge percentages.

I tried the strict_rfc821_envelopes = yes, but found that so many MTAs
are configured poorly that too much legitimate mail was bouncing :(

That's Postfix, lightweight, simple to configure, and flexible.

B

> 
> ----------  Forwarded Message  ----------
> 
> Subject: Undelivered Mail Returned to Sender
> Date: Friday 04 June 2004 10:20
> From: MAILER-DAEMON@xxxxxxx (Mail Delivery System)
> To: suse-security@xxxxxxxxxxxx
> 
> This is the Postfix program at host hermes.suse.de.
> 
> I'm sorry to have to inform you that the message returned
> below could not be delivered to one or more destinations.
> 
> For further assistance, please send mail to <postmaster>
> 
> If you do so, please include this problem report. You can
> delete your own text from the message returned below.
> 
> 			The Postfix program
> 
> <25866@xxxxxxx>: unknown user: "25866"
> 
> -------------------------------------------------------
> 
> Encapsulated message
> 
> Received: from scanhost.suse.de (scanhost.suse.de [10.0.0.5])
>         by hermes.suse.de (Postfix) with ESMTP id 85C238C9D
>         for <25866@xxxxxxx>; Fri,  4 Jun 2004 10:20:20 +0200 (CEST)
>  Received: by scanhost.suse.de (Postfix, from userid 0)
>         id 7B27951E5F; Fri,  4 Jun 2004 10:20:20 +0200 (CEST)
>  Delivered-To: virus-quarantine
>  X-Quarantine-id: <virus-20040604-101415-03775-17>
>  Received: from Cantor.suse.de (cantor.suse.de [195.135.220.2]) (using TLSv1 
> with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (No client certificate 
> requested)
>         by hermes.suse.de (Postfix) with ESMTP id 953E669115
>         for <25866@xxxxxxx>; Fri,  4 Jun 2004 10:13:46 +0200 (CEST)
>  Received: from suse.de (pD951F606.dip.t-dialin.net [217.81.246.6])
>         by Cantor.suse.de (Postfix) with ESMTP id 4B95668F3BE
>         for <25866@xxxxxxx>; Fri,  4 Jun 2004 10:13:32 +0200 (CEST)
>  From: suse-security@xxxxxxxxxxxx
>  To: 25866@xxxxxxx
>  Subject: Re: Your music
>  Date: Fri, 4 Jun 2004 10:26:56 +0200
>  MIME-Version: 1.0
>  Content-Type: text/plain; charset="us-ascii"
>  Message-Id: <20040604081332.4B95668F3BE@xxxxxxxxxxxxxx>
>  X-AMaViS-Alert: INFECTED, message contains virus: Worm.SomeFool.Gen-1
>  X-Converted-To-Plain-Text: from multipart/mixed by demime 1.1d
>  X-Converted-To-Plain-Text: Alternative section used was text/plain
>  
> Please have a look at the attached file.
> 
> [the SUSE virus scanner removed an attachment of type application/octet-stream 
> which had a name of mp3music.pif]
> [if you need the message in its original form including all attachments, 
> please ask the SENDER for a version free of viruses]
> 
> End of encapsulated message


-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
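The two mechanisms discussed in the thread, the HELO-based rejection Arjen suggests (refusing outside hosts that HELO with your own domain name, which is exactly what the bounced worm mail did: "Received: from suse.de (pD951F606.dip.t-dialin.net ...)") and the smtpd_recipient_restrictions list B posted, can be understood as first-match-wins restriction lists. The following is an added Python model of that evaluation; it is not part of the original posts and not Postfix's own code. The site values (example.com as mydestination, 10.0.0.0/8 as mynetworks), the stand-in for DNS, the HELO access table and the sample sessions are all constructed.

```python
"""Toy model of Postfix smtpd restriction evaluation (added example).

Mimics the first-match-wins semantics of an smtpd_*_restrictions list for
the restriction names quoted in the thread, plus the check_helo_access
table Arjen suggests.  All site values below are constructed placeholders.
"""
import ipaddress
import re

# Constructed site values.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("10.0.0.0/8")]
MYDESTINATION = {"example.com", "mail.example.com"}
RELAY_DOMAINS = set()          # domains we relay for besides MYDESTINATION
# Stand-in for DNS lookups done by reject_unknown_*_domain.
KNOWN_DOMAINS = {"example.com", "mail.example.com", "example.net",
                 "example.org"}
# check_helo_access table: names that only our own hosts may HELO with.
HELO_ACCESS = {"example.com": "REJECT", "mail.example.com": "REJECT"}

LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name):
    """reject_invalid_hostname: syntax check on the HELO/EHLO argument.
    Address literals such as [192.0.2.1] are accepted, as Postfix does."""
    if name.startswith("[") and name.endswith("]"):
        try:
            ipaddress.ip_address(name[1:-1])
            return True
        except ValueError:
            return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def is_fqdn(name):
    """reject_non_fqdn_*: valid name with at least one dot, not a literal."""
    return is_valid_hostname(name) and "." in name and not name.startswith("[")


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def in_mynetworks(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MYNETWORKS)


def evaluate(restrictions, s):
    """Return (action, restriction) for the first restriction that decides.
    OK/REJECT end the list; a restriction that does not match moves on."""
    helo, sender, rcpt, ip = s["helo"], s["sender"], s["rcpt"], s["client_ip"]
    for r in restrictions:
        if r == "permit_mynetworks" and in_mynetworks(ip):
            return ("OK", r)
        if r == "check_helo_access" and HELO_ACCESS.get(helo.lower()) == "REJECT":
            return ("REJECT", r)
        if r == "reject_invalid_hostname" and not is_valid_hostname(helo):
            return ("REJECT", r)
        if r == "reject_non_fqdn_hostname" and not is_fqdn(helo):
            return ("REJECT", r)
        # The null sender (<>) is never rejected by the sender checks.
        if r == "reject_non_fqdn_sender" and sender and not is_fqdn(domain_of(sender)):
            return ("REJECT", r)
        if r == "reject_non_fqdn_recipient" and not is_fqdn(domain_of(rcpt)):
            return ("REJECT", r)
        if r == "reject_unknown_sender_domain" and sender and domain_of(sender) not in KNOWN_DOMAINS:
            return ("REJECT", r)
        if r == "reject_unknown_recipient_domain" and domain_of(rcpt) not in KNOWN_DOMAINS:
            return ("REJECT", r)
        if r == "reject_unauth_destination" and domain_of(rcpt) not in MYDESTINATION | RELAY_DOMAINS:
            return ("REJECT", r)
        if r == "permit":
            return ("OK", r)
    return ("DUNNO", None)   # end of list without a decision


# smtpd_helo_restrictions in the spirit of Arjen's note: our own hosts first,
# then reject outsiders claiming our name, then the syntax checks.
HELO_RESTRICTIONS = ["permit_mynetworks", "check_helo_access",
                     "reject_invalid_hostname", "reject_non_fqdn_hostname"]

# smtpd_recipient_restrictions as quoted from B's main.cf.
RECIPIENT_RESTRICTIONS = [
    "reject_invalid_hostname", "reject_non_fqdn_hostname",
    "reject_non_fqdn_sender", "reject_non_fqdn_recipient",
    "reject_unknown_sender_domain", "reject_unknown_recipient_domain",
    "permit_mynetworks", "reject_unauth_destination", "permit"]


def decide(session):
    """Apply the HELO list, then the RCPT list (each stage decides on its own,
    as with smtpd_delay_reject = no).  Returns the last stage's decision."""
    result = ("DUNNO", None)
    for lst in (HELO_RESTRICTIONS, RECIPIENT_RESTRICTIONS):
        result = evaluate(lst, session)
        if result[0] == "REJECT":
            break
    return result


# Constructed sessions; "spoofed_helo" mirrors the bounced worm mail, where a
# dial-up client HELO'd with the site's own domain name.
SESSIONS = {
    "spoofed_helo": dict(helo="example.com", sender="user@example.com",
                         rcpt="25866@example.com", client_ip="203.0.113.9"),
    "internal": dict(helo="example.com", sender="user@example.com",
                     rcpt="25866@example.com", client_ip="10.0.0.5"),
    "good_external": dict(helo="mx.example.net", sender="alice@example.net",
                          rcpt="25866@example.com", client_ip="198.51.100.7"),
    "bare_helo": dict(helo="localhost", sender="alice@example.net",
                      rcpt="25866@example.com", client_ip="198.51.100.7"),
    "relay_attempt": dict(helo="mx.example.net", sender="alice@example.net",
                          rcpt="bob@example.org", client_ip="198.51.100.7"),
}

if __name__ == "__main__":
    for name, sess in SESSIONS.items():
        print(f"{name:14s} -> {decide(sess)}")
```

The ordering is the point: permit_mynetworks must precede check_helo_access, otherwise your own hosts are rejected for using their own name. In real Postfix the HELO list modelled here would be `smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname`, with a postmap'd helo_access file containing lines such as `example.com REJECT`. Postfix 2.3 and later spell the HELO checks reject_invalid_helo_hostname and reject_non_fqdn_helo_hostname; the older names in B's main.cf are still accepted.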