qmail-smtpd W32/Sober-G block  
This patch against netqmail-1.05 blocks the W32/Sober-G worm already at SMTP level.
This patch should also work with qmail-1.03 without any problems.

The worm uses a special scheme that can be identified in the SMTP dialog:

  HELO username.tld
  MAIL FROM: <username@domain.tld>
or, a bit more formally:
  if (mailfrom.domain == helohost) ok
  else if (mailfrom.user + "." + mailfrom.tld == helohost) reject
As you can see, one has to exclude the case
  HELO example.com
  MAIL FROM: <example@example.com>
which is used quite frequently for valid emails.

If the environment variable NOSOBERG is set, the check is deactivated.

The error message presented to the remote side on the RCPT TO command is

  550 sorry, we do not accept virus emails (#5.7.1)
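The check described above, written out as a stand-alone C function (this is an added example, not the patch's own code; the real patch hooks into qmail-smtpd's HELO and MAIL FROM handling, whereas here `sober_g_match`, `sober_g_check` and `rcpt_reply` are hypothetical names, the MAIL FROM address is assumed to arrive without its angle brackets, and a sender domain without any dot is treated as having no tld and therefore never matches):

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Compare n bytes of a and b ignoring ASCII case; returns 1 if equal.
   Host names in HELO are case-insensitive, so the check must be too. */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Returns 1 if the HELO host and the MAIL FROM address (without angle
   brackets) match the Sober-G scheme from the page, 0 otherwise.
   Rule: helo == domain        -> accept (legitimate, must be excluded)
         helo == user "." tld  -> reject */
int sober_g_match(const char *helohost, const char *mailfrom)
{
    const char *at, *domain, *lastdot, *tld;
    size_t userlen, domlen, tldlen, helolen;

    at = strchr(mailfrom, '@');
    if (at == NULL || at == mailfrom) return 0;   /* no user part: not the pattern */
    userlen = (size_t)(at - mailfrom);
    domain = at + 1;
    domlen = strlen(domain);
    helolen = strlen(helohost);
    if (domlen == 0 || helolen == 0) return 0;

    /* HELO equals the sender domain: the frequent legitimate case */
    if (helolen == domlen && eq_nocase(helohost, domain, domlen)) return 0;

    /* tld = part of the domain after its last dot; a dotless domain has none */
    lastdot = strrchr(domain, '.');
    if (lastdot == NULL || lastdot[1] == '\0') return 0;
    tld = lastdot + 1;
    tldlen = strlen(tld);

    /* HELO equals user "." tld: the worm's scheme */
    if (helolen == userlen + 1 + tldlen
        && eq_nocase(helohost, mailfrom, userlen)
        && helohost[userlen] == '.'
        && eq_nocase(helohost + userlen + 1, tld, tldlen))
        return 1;

    return 0;
}

/* Wrapper that honours the NOSOBERG environment variable like the patch. */
int sober_g_check(const char *helohost, const char *mailfrom)
{
    if (getenv("NOSOBERG") != NULL) return 0;
    return sober_g_match(helohost, mailfrom);
}

/* Reply given on RCPT TO: the page's 550 text when the check fires,
   otherwise qmail-smtpd's usual "250 ok". */
const char *rcpt_reply(const char *helohost, const char *mailfrom)
{
    return sober_g_check(helohost, mailfrom)
        ? "550 sorry, we do not accept virus emails (#5.7.1)"
        : "250 ok";
}

int main(void)
{
    /* constructed sample dialogs, not captured worm traffic */
    static const char *samples[][2] = {
        { "example.com",      "example@example.com" },  /* legitimate, accepted */
        { "bob.tld",          "bob@domain.tld" },        /* worm scheme, rejected */
        { "mail.example.org", "alice@example.org" },     /* unrelated HELO, accepted */
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("HELO %s / MAIL FROM:<%s> -> %s\n",
               samples[i][0], samples[i][1],
               rcpt_reply(samples[i][0], samples[i][1]));
    return 0;
}
```

Note that the exclusion is tested before the worm pattern, so `HELO example.com` with `MAIL FROM: <example@example.com>` is accepted even though it also satisfies the user "." tld rule; a sender whose local part merely happens to equal the HELO label is still rejected, which is the trade-off the page accepts.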


  • download the patch below
  • copy the patch to subdir netqmail-1.05 of the directory with the unpacked netqmail-1.05 tarball
  • apply the patch with the command
      # patch < sober-g.patch
  • recompile and reinstall qmail
    (it should be sufficient to copy over qmail-smtpd after recompilation, so a

      # mv /var/qmail/bin/qmail-smtpd /var/qmail/bin/qmail-smtpd.nosober
      # cp qmail-smtpd /var/qmail/bin/qmail-smtpd

    should also work. In that case you don't need to shut down qmail and restart it after the new installation, and you have a backup copy of qmail-smtpd)

Copyright © 1997 Markus 'Maex' Stumpf
created: Tue May 25 20:39:15 CEST 2004
last modified: Tue May 25 20:39:24 CEST 2004