[Postfixbuch-users] Wurm Swen

[Ralf Hildebrandt]

* Jim Knuth <jk at jkart.de>:
> Hallo Postfixbuch-Users,
>   
>  hat jemand schon eine Lösung, die funktioniert, gegen diesen Wurm?

Turns out that the left half matches and can be made more exact
(anchored regexp):

/^b3IAAABBZG1pbgAAAEdFVCBodHRwOi8vd3cyLmZjZS52dXRici5jei9iaW4vY291bnRlci5naWYv/i
        DISCARD ...

The matched string decodes as (^@ is NULL):

        or^@^@^@Admin^@^@^@GET http://ww2.fce.vutbr.cz/bin/counter.gif/

This pattern is 100% effective against SWEN.A and will have extremely
low false positives. To use put at the top of body_checks (above any
whitelist of base64 encoded strings!) and make sure that
body_checks_size_limit = 150000 or more.

If you are running Postfix < 2.0 , I can understand if you choose to
reject it instead (1.1.x and earlier do not have DISCARD).

-- 
Ralf Hildebrandt (Im Auftrag des Referat V a)   Ralf.Hildebrandt at charite.de
Charite Campus Mitte                            Tel.  +49 (0)30-450 570-155
Referat V a - Kommunikationsnetze -             Fax.  +49 (0)30-450 570-916
AIM: ralfpostfix