[NBLUG/talk] Virus scanning in linux and sendmail.

William L. Thomson Jr. support at obsidian-studios.com
Fri Sep 19 09:50:04 PDT 2003


On Fri, 2003-09-19 at 10:59, Steve Johnson wrote:
> 
> As it is now when a new virus/worm/trojan comes out I just write a 
> procmail filter to send it to the bit bucket.

One way to do what you are currently doing, but at a lower level, is to do
the filtering with Sendmail. I am new at this, and I got some of the code
below from a fellow LUGer. I must create rules myself, but this at least
stops the email before it has a chance to enter my network, waste
bandwidth or disk space.

Add the following to your sendmail.mc file and rebuild the sendmail.cf
file. If you are using RH, simply restarting sendmail will do this for
you. Not sure if other distros will or not.

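#
#  SoBig virus
#
#  In each R line below, the pattern on the left and the action on the
#  right must be separated by tab characters, not spaces.
#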
HSubject:                       $>Check_Subject
D{MPat}Your Details
D{MMsg}This message may contain the SoBig virus.
                                                                              
SCheck_Subject
R${MPat} $*                     $#error $: 550 ${MMsg}
                                                                              
HSubject:                       $>Check_Subject
D{MPat}Thank You!
D{MMsg}This message may contain the SoBig virus.
                                                                              
SCheck_Subject
R${MPat} $*                     $#error $: 550 ${MMsg}
RRe: ${MPat} $*                 $#error $: 550 ${MMsg}
                                                                              
HSubject:                       $>Check_Subject
D{MPat}Details
D{MMsg}This message may contain the SoBig virus.
                                                                              
SCheck_Subject
RRe: ${MPat} $*                 $#error $: 550 ${MMsg}

HSubject:                       $>Check_Subject
D{MPat}My Details
D{MMsg}This message may contain the SoBig virus.
                                                                              
SCheck_Subject
RRe: Re: ${MPat} $*             $#error $: 550 ${MMsg}
                                                                              
HSubject:                       $>Check_Subject
D{MPat}Approved
D{MMsg}This message may contain the SoBig virus.
                                                                              
SCheck_Subject
RRe: ${MPat} $*                 $#error $: 550 ${MMsg}
                                                                              
HSubject:                       $>Check_Subject
D{MPat}Your Application
D{MMsg}This message may contain the SoBig virus.
                                                                              
SCheck_Subject
RRe: ${MPat} $*                 $#error $: 550 ${MMsg}
                                                                                                                                                            
HSubject:                       $>Check_Subject
D{MPat}Wicked screensaver
D{MMsg}This message may contain the SoBig virus.
                                                                              
SCheck_Subject
RRe: ${MPat} $*                 $#error $: 550 ${MMsg}
                                                                              
HSubject:                       $>Check_Subject
D{MPat}That movie
D{MMsg}This message may contain the SoBig virus.
                                                                              
SCheck_Subject
RRe: ${MPat} $*                 $#error $: 550 ${MMsg}
                                                                              

#
#  Antrax Info virus
#
HSubject:                       $>Check_Subject
D{MPat}Antrax Info
D{MMsg}This message may contain the Antrax Info virus.
                                                                              
SCheck_Subject
R${MPat} $*                     $#error $: 550 ${MMsg}
RRe: ${MPat} $*                 $#error $: 550 ${MMsg}
RFW: ${MPat} $*                 $#error $: 550 ${MMsg}
                                                                              
#
# I Love You virus
#
HSubject:                       $>Check_Subject
D{MPat}ILOVEYOU
D{MMsg}This message may contain the LoveLetter virus.
                                                                              
SCheck_Subject
R${MPat} $*                     $#error $: 550 ${MMsg}
RRe: ${MPat} $*                 $#error $: 550 ${MMsg}
RFW: ${MPat} $*                 $#error $: 550 ${MMsg}

#
# SirCam trap
# http://maclux-rz.uibk.ac.at/~maillists/focus-virus/msg00604.shtml
#
HContent-Disposition:           $>Check_Content_Disposition_Header
D{SircamPAT}Multipart message
D{SircamPAT2}message text
                                                                                           
SCheck_Content_Disposition_Header
R${SircamPAT} $*                $#error $: 553 This message may contain the SIRCAM virus!
R${SircamPAT2} $*               $#error $: 553 This message may contain the SIRCAM virus!


>   It would be nice to get 
> something that gets virus image updates and knows about all the viruses 
> that I don't know about. =)

It would be great if there were a way to automate the above. However, for
the most part I am happy with the results.
-- 
Sincerely,
William L. Thomson Jr.
Support Group
Obsidian-Studios, Inc.
http://www.obsidian-studios.com
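
The post ends by wishing the rule-writing could be automated. As an added example (not part of the original message and not the author's configuration), this Python script generates a Check_Subject ruleset from a table of subject patterns, emitting a single header hook and refusing patterns that sendmail would not read as plain literals. The names `SIGNATURES`, `check_literal` and `build_ruleset` are hypothetical, the table is constructed from rules shown in the post, and placing the H line under LOCAL_CONFIG and the rules under LOCAL_RULESETS is an assumption about how the output is pasted into sendmail.mc.

```python
# Added example: builds a Check_Subject ruleset for sendmail.mc from a table
# of subject patterns. The table is constructed from rules shown in the post.
import re

# (subject pattern, prefixes to reject, virus name); "" means the bare subject.
SIGNATURES = [
    ("Your Details", [""], "SoBig"),
    ("Thank You!", ["", "Re: "], "SoBig"),
    ("Antrax Info", ["", "Re: ", "FW: "], "Antrax Info"),
    ("ILOVEYOU", ["", "Re: ", "FW: "], "LoveLetter"),
]

def check_literal(text):
    """Reject text that sendmail would not read as a plain literal."""
    if "$" in text:
        raise ValueError("'$' starts a sendmail operator: %r" % text)
    if re.search(r"[\t\r\n]", text):
        raise ValueError("tab or newline would split the rule: %r" % text)
    return text

def build_ruleset(signatures):
    """Return .mc text: one H line, one S line, one R line per variant."""
    lines = ["LOCAL_CONFIG",
             "HSubject:\t$>Check_Subject",
             "LOCAL_RULESETS",
             "SCheck_Subject"]
    seen = set()
    for pattern, prefixes, virus in signatures:
        msg = check_literal("This message may contain the %s virus." % virus)
        for prefix in prefixes:
            lhs = check_literal(prefix + pattern) + " $*"
            if lhs in seen:          # skip exact duplicates from merged lists
                continue
            seen.add(lhs)
            # LHS and RHS of an R line are separated by a tab character.
            lines.append("R%s\t$#error $: 550 %s" % (lhs, msg))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(build_ruleset(SIGNATURES), end="")
```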



