The W32.Sobig.F@mm virus is running around like mad now, and I am amazed how little sense people have with respect to opening attachments.

We've been running Postfix for some time now, and it's straightforward to reject emails at the front door that are likely infected with this virus. It's a hack, but for sites that don't have savvy users (or sites that relay for others), it may prove helpful.

Our examples all assume Postfix 2.x planted in the /etc/postfix directory. I'm not at all sure this is an optimal solution.

Create/update the header_checks file

The /etc/postfix/header_checks file contains a list of patterns and actions, and they're applied to each message that goes through Postfix. The action can be to ACCEPT (accept and deliver the message normally), REJECT (bounce the mail with an error message), or DISCARD (just drop the message after receipt).

Both DISCARD and REJECT messages are saved in the logfiles, which can be useful for statistics gathering, but the messages won't necessarily be the same: REJECT ought to be a bit more verbose:

/^Subject:.Re:.Approved/ REJECT Likely SOBIG.F Virus - temp fix - change your subject

-or-

/^Subject:.Re:.Approved/ DISCARD Likely SOBIG.F Virus

Since virus messages have forged sender addresses, using REJECT will cause a bounce to be sent to an innocent victim, so this suggests using DISCARD instead. But keep in mind that this will throw away valid mail too, so one has to weigh the chance of quietly dropping a few valid emails versus the benefit of the reduced traffic in viruses.

We have chosen to use DISCARD for everything, though it's certainly possible to REJECT more "likely" subject lines, such as "Thank you!". And at some point in the future, when the virus seems to be less rampant, all the actions can be changed to REJECT.

Covering all the subject lines used by the virus, we see this pattern in the header_checks file:

/^Subject:.Re:.Approved/           DISCARD Likely SOBIG.F Virus
/^Subject:.Re:.Details/            DISCARD Likely SOBIG.F Virus
/^Subject:.Re:.Re:.My.details/     DISCARD Likely SOBIG.F Virus
/^Subject:.Re:.My.details/         DISCARD Likely SOBIG.F Virus
/^Subject:.Re:.Thank.you!/         DISCARD Likely SOBIG.F Virus
/^Subject:.Re:.That.movie/         DISCARD Likely SOBIG.F Virus
/^Subject:.Re:.Wicked.screensaver/ DISCARD Likely SOBIG.F Virus
/^Subject:.Re:.Your.application/   DISCARD Likely SOBIG.F Virus
/^Subject:.Thank.you!/             DISCARD Likely SOBIG.F Virus
/^Subject:.Your.details/           DISCARD Likely SOBIG.F Virus

The pattern on the left apparently may not contain any spaces, so we've simply put dots (which match any single character) as placeholders.

NOTE - Postfix 1.x doesn't seem to support DISCARD in the header_checks file, so you're left with REJECT.
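As an added illustration (not code from the original article or from Postfix itself), the following Python snippet parses a header_checks table in the format shown above and applies it to constructed sample headers, emulating the first-match-wins and case-insensitive-by-default matching that Postfix regexp tables use. It also shows two consequences of the dot placeholders: they match any character, not just a space, and a genuine "Re: Thank you!" reply is discarded along with the worm.

```python
import re
# Constructed for this example: a subset of the article's header_checks table.
# Each line has the form  /pattern/[flags]  ACTION  [optional text].
HEADER_CHECKS = """
/^Subject:.Re:.Approved/    DISCARD Likely SOBIG.F Virus
/^Subject:.Re:.Thank.you!/  DISCARD Likely SOBIG.F Virus
/^Subject:.Thank.you!/      DISCARD Likely SOBIG.F Virus
/^Subject:.Your.details/    REJECT  Likely SOBIG.F Virus - change your subject
"""

# One table line: /pattern/flags, whitespace, ACTION, optional free text.
LINE_RE = re.compile(
    r"^/(?P<pat>(?:\\.|[^/])*)/(?P<flags>[a-zA-Z]*)\s+(?P<action>\S+)(?:\s+(?P<text>.*))?$")

def parse_header_checks(table):
    """Return [(compiled_regex, ACTION, text), ...] in file order. Postfix regexp
    tables match case-insensitively unless the 'i' flag toggles that off."""
    rules = []
    for raw in table.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank and comment lines are ignored
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable header_checks line: {raw!r}")
        flags = 0 if "i" in m["flags"] else re.IGNORECASE
        rules.append((re.compile(m["pat"], flags), m["action"].upper(), m["text"] or ""))
    return rules

def check_header(rules, header_line):
    """First matching rule wins; a header no rule matches is implicitly OK."""
    for regex, action, text in rules:
        if regex.search(header_line):
            return action, text
    return "OK", ""

def screen_message(rules, headers):
    """Return the first non-OK verdict over all header lines; it decides the message."""
    for line in headers:
        action, text = check_header(rules, line)
        if action != "OK":
            return action, text
    return "OK", ""

RULES = parse_header_checks(HEADER_CHECKS)
# Constructed sample headers: a worm-style subject, a legitimate reply the
# broad pattern also catches (the collateral damage noted above), and clean mail.
WORM = ["From: someone@example.com", "Subject: Re: Approved"]
LEGIT_THANKS = ["From: colleague@example.com", "Subject: RE: thank you!"]
CLEAN = ["From: colleague@example.com", "Subject: Lunch on Friday?"]
```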

Enable header_checks in main.cf

The presence of the header_checks file is not enough: Postfix must be told to use it. This is done in the main.cf file with this directive:

header_checks = regexp:/etc/postfix/header_checks

Once in place, Postfix must be reloaded for it to take effect:

# postfix reload

Now Postfix will start rejecting mail with the given subject lines.

It's not clear when this should be removed: presumably watching the logfiles can show when the infection is tapering off.

Thanks to james -at- daa dot com dot au for the suggestion to use DISCARD instead of REJECT to avoid sending bounces to the forged senders.