This patch against netqmail-1.05 blocks the W32/Sober-G worm at the SMTP level.
This patch should also work with qmail-1.03 without any problems.
The worm uses a special scheme that can be identified in the SMTP dialog:
HELO username.tld
MAIL FROM: <username@domain.tld>
or, a bit more formally:
if (mailfrom.domain == helohost) ok
else if (mailfrom.user"."mailfrom.tld == helohost) reject
As you can see, one has to exclude the case
HELO example.com
MAIL FROM: <example@example.com>
which is used quite frequently for valid emails.
If the environment variable NOSOBERG is set, the check is deactivated.
The error message presented to the remote side on the RCPT TO command is
550 sorry, we do not accept virus emails (#5.7.1)
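The check described above, written out as a stand-alone C function. This is an added illustration and not the code from the patch; the function name soberg_match and the case-insensitive comparison are assumptions, and the sample dialogs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Added illustration, not the patch's code. Returns 1 if the HELO name and
 * the envelope sender match the Sober-G scheme (reject), 0 otherwise.
 * Assumption: host names are compared case-insensitively. */
int soberg_match(const char *helohost, const char *mailfrom)
{
    const char *at, *domain, *tld;
    char candidate[512];
    size_t userlen;

    if (getenv("NOSOBERG")) return 0;        /* check deactivated */
    if (!helohost || !mailfrom) return 0;

    at = strrchr(mailfrom, '@');
    if (!at || at == mailfrom) return 0;     /* null sender or empty local part */
    domain = at + 1;
    userlen = (size_t)(at - mailfrom);

    /* HELO example.com / MAIL FROM:<example@example.com> is legitimate */
    if (strcasecmp(domain, helohost) == 0) return 0;

    tld = strrchr(domain, '.');
    if (!tld || tld[1] == '\0') return 0;    /* no TLD to compare against */

    /* Build user "." tld; over-long input is not evaluated. */
    if (userlen + strlen(tld) >= sizeof candidate) return 0;
    memcpy(candidate, mailfrom, userlen);
    strcpy(candidate + userlen, tld);        /* tld still carries its leading dot */

    return strcasecmp(candidate, helohost) == 0;
}

int main(void)
{
    /* Constructed sample dialogs: HELO name, then MAIL FROM address. */
    printf("%d\n", soberg_match("username.tld", "username@domain.tld"));
    printf("%d\n", soberg_match("example.com", "example@example.com"));
    printf("%d\n", soberg_match("mail.example.org", "alice@example.org"));
    return 0;
}
```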
installation:
- download the patch below
- copy the patch to subdir netqmail-1.05 of the directory with the unpacked netqmail-1.05 tarball
- apply the patch with the command
# patch < sober-g.patch
- recompile and reinstall qmail
(It should be sufficient to copy over qmail-smtpd after recompilation, so
# mv /var/qmail/bin/qmail-smtpd /var/qmail/bin/qmail-smtpd.nosober
# cp qmail-smtpd /var/qmail/bin/qmail-smtpd
should also work. In that case you don't need to shut down qmail and restart it after the new installation, and you have a backup copy of qmail-smtpd.)
download: