[nycbug-talk] Postfix filter for Exchange

George R. george at sddi.net
Thu Jul 27 12:40:05 EDT 2006


N.J. Thomas wrote:
> * Pete Wright <pete at nomadlogic.org> [2006-07-27 11:31:12 -0400]:
>> So, to help us out with this I am going to propose putting a Postfix
>> filter infront of the exchange server to kill these mail bombs before
>> they take down exchange.
> 
> We do this exact thing. We were hit with a virus/worm back in December
> (W32/Sober.AA at m). We weren't sending anything out, but someone spoofed
> our domain and we got hundreds of thousands of bounces.
> 
> Since the worm mailed out using standardized headers, the solution was
> to put some simple Postfix header checks in of the form:
> 
>     /^Subject:.*Fw: DSC-00465.jpg/ DISCARD
>     /^Subject:.*Fw: Funny :\)/     DISCARD
>     /^Subject:.*Fw: Picturs/       DISCARD

And this is for Nimda...

#anti nimda and friends
/^Content-Type: multipart\/related;.*type=\"multipart\/alternative\";.*boundary=\"====_ABC1234567890DEF_====\".*$/ REJECT
(and then our dumb notes. . .)

> 
> This worked, it was extremely fast and we never had any problems with
> the worm after putting it in. I seriously believe that had Postfix not
> been there to throw this garbage away, our corporate mail infrastructure
> would not have been left standing with Exchange alone (one of the most
> braindead pieces of software I have had the misfortune to admin in my
> short life -- if you ever want to amuse yourself, search the web and see
> how so called "Windows Experts" recommend taking backups for Exchange
> mailboxes).
> 
> The Postfix after-queue and before-queue content filters are also very
> useful -- they give you full control over filtering, albeit at the cost
> of some performance.
> 
>> Has anyone implemented such a solution for a high-volume mailserver; if
>> so, any caveats I should be looking out for?
> 
> Drop me a note if you run into any problems; it is fairly
> straightforward though. We set up virtual users whose mail forwards to the
> actual Exchange mailboxes. Exchange is set up to recognize and receive
> mail for them. It is a little kludgy, but it works.

The one thing I'd add, though, is that it's certainly better to start big
picture...

1.  Most mail bombers come from IPs without pretty MX reverse lookups,
and very unlikely PTRs... So definitely start with that.

2.  The MUAs they use are relatively predictable.

Starting with the subject and such is really a last resort for specific
outbreaks, to me...

Especially if it's a mail gateway, take care of the sloppy stuff first.
Not that MS Exchange is going to deal well with anything at all...

g
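As an added illustration (my own example, not code from either poster and not Postfix itself), here is a small Python model of how the header_checks patterns quoted in this thread behave: the table is tried top to bottom, the first match wins, and each pattern is applied to a whole logical header, so a Content-Type header folded over several physical lines (as Nimda's was) still matches a single-line pattern. The table parser, the three sample messages and the "Nimda signature" reject text are constructed for the example; Postfix's exact unfolding rules and table syntax are documented in header_checks(5) and pcre_table(5).

```python
import re
from typing import Dict, List, Tuple

# Postfix-style header_checks table transcribed from the two posts above.
# Syntax: "/pattern/ ACTION [text]".  DISCARD accepts the message on the wire
# and silently drops it (no bounce, so spoofed-sender worm mail creates no
# backscatter); REJECT returns a 5xx reply to the sending client.
HEADER_CHECKS = r"""
# Sober.AA subjects (N.J. Thomas's table)
/^Subject:.*Fw: DSC-00465.jpg/ DISCARD
/^Subject:.*Fw: Funny :\)/      DISCARD
/^Subject:.*Fw: Picturs/       DISCARD
# anti nimda and friends (George's pattern; the reject text is a constructed placeholder)
/^Content-Type: multipart\/related;.*type=\"multipart\/alternative\";.*boundary=\"====_ABC1234567890DEF_====\".*$/ REJECT Nimda signature
"""

TABLE_LINE = re.compile(r"^/(?P<pat>.*)/\s+(?P<action>[A-Z]+)(?:\s+(?P<text>.*))?$")


def parse_table(text: str) -> List[Tuple[re.Pattern, str, str]]:
    """Parse the table into (compiled pattern, action, reply text) triples.
    Case-insensitive matching mirrors the Postfix default for regexp/pcre tables."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = TABLE_LINE.match(line)
        if not m:
            raise ValueError(f"bad table line: {line!r}")
        rules.append((re.compile(m.group("pat"), re.IGNORECASE),
                      m.group("action"), m.group("text") or ""))
    return rules


def logical_headers(raw: str) -> List[str]:
    """Split the header section into logical headers, unfolding continuation
    lines (leading whitespace) into the header they belong to.  Joining with a
    single space is this example's simplification of Postfix's unfolding."""
    head = raw.split("\n\n", 1)[0]
    headers: List[str] = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def check_message(raw: str, rules) -> Tuple[str, str]:
    """Return (action, text) of the first rule matching any logical header,
    or ("OK", "") when nothing matches.  Patterns are unanchored unless they
    carry ^ or $, hence search() rather than match()."""
    for header in logical_headers(raw):
        for pat, action, text in rules:
            if pat.search(header):
                return action, text
    return "OK", ""


# Constructed sample messages (not captured traffic).
SOBER_MSG = """From: worm@example.invalid
To: user@example.com
Subject: Fw: Funny :)

see attachment
"""

NIMDA_MSG = """From: someone@example.invalid
To: user@example.com
Content-Type: multipart/related;
\ttype="multipart/alternative";
\tboundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
"""

CLEAN_MSG = """From: alice@example.com
To: bob@example.com
Subject: Fw: meeting notes
Content-Type: text/plain

see you at 3
"""


def run_demo() -> Dict[str, str]:
    """Run every sample through the table and return {name: action}."""
    rules = parse_table(HEADER_CHECKS)
    results = {}
    for name, msg in (("sober", SOBER_MSG), ("nimda", NIMDA_MSG), ("clean", CLEAN_MSG)):
        action, text = check_message(msg, rules)
        results[name] = action
        print(f"{name:6s} -> {action} {text}".rstrip())
    return results


if __name__ == "__main__":
    run_demo()
```

The choice between DISCARD and REJECT matters for the backscatter problem that started this thread: a REJECT makes the connecting client responsible for any bounce, while DISCARD generates none at all, which is the right call when the envelope sender is a forged third party. George's first point (poor reverse DNS) is handled before any header is read, with client restrictions such as reject_unknown_reverse_client_hostname in smtpd_client_restrictions, so the cheap checks run first and the signature table only sees what survives them.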
