[Mimedefang] Dropping e-mails generated by the Sobig Virus

Ole Craig olc at cs.umass.edu
Thu Aug 21 15:27:00 EDT 2003


On 08/21/03 at 21:02, 'twas brillig and Jakub Wasielewski scrobe:
[...]
> 
> Hmm... maybe Sobig is a good reason for a discard action, but think about
> having a dozen such cases. Now arises the problem of whether to notify the
> user about sending a virus or not, and discard. You could end up with a huge
> regexp or something like that making the decision... nasty. As we all
> agree, it is important to notify the sender about a virus infection.. if the
> sender is not fake. The perfect solution IMO would be the possibility to
> reject the entire e-mail in the last stage of the SMTP dialog, after DATA,
> with "450 Reason of reject". What do you think about that, or maybe it
> is already possible with MD??
> 

	Indeed it is, using action_bounce:
[...]
# This RE should match the names of viruses known to fake sender
# addresses. Add new ones here as they become known. (Test by adding
# "eicar" to the list.) The leading (?i) makes the whole alternation
# case-insensitive; note that the '.' in trojan.dropper is an unescaped
# wildcard, so it matches any single character, not only a literal dot.
$BounceVirus='(?i)trojan.dropper|klez|bugbear|sobig|yaha|nimda|hybris|braid|fizzer|palyh';

sub filter ($$$$) {
[...]
    if ($FoundVirus) {
        my($code, $category, $action);
        $VirusScannerMessages = "";
        ($code, $category, $action) = entity_contains_virus($entity);
        if ($category eq "virus") {
            if ($VirusName =~ /$BounceVirus/o) {
                # Sender is almost certainly forged: reject at end of DATA
                # (action_bounce replies with a 5xx SMTP code) and send no
                # notification to anyone.
                md_graphdefang_log('virusbounce', $VirusName, $RelayAddr);
                return action_bounce("rejection: found virus $VirusName");
            } else {
                # Sender is probably genuine: quarantine and report as usual.
                md_graphdefang_log('virus', $VirusName, $RelayAddr);
                return action_quarantine($entity, "A known virus was discovered and deleted.  Virus-scanner messages follow:\n$VirusScannerMessages\n\n");
            }
        }
    }
[...]
}


		Ole
-- 
Ole Craig * UNIX, linux, SMTP-ninja; news, web; SGI martyr * CS Computing
Facility, UMass * <www.cs.umass.edu/~olc/pgppubkey.txt> for public key
[...] Oh, shed thy mercy and thy grace / On those who venture into space.
			(R. A. Heinlein)
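As an added illustration (not code from the original post, and not part of MIMEDefang itself), the following stand-alone Perl script builds the "forged-sender virus" pattern from a plain list of family names rather than a hand-maintained alternation, which addresses the "huge regexp" worry raised above, and shows the bounce-vs-quarantine decision applied to a few scanner verdicts. The list name @BOUNCE_FAMILIES, the helper virus_action, and the verdict strings are all assumptions of this example; the verdict strings are constructed to resemble scanner output and were not captured from a real scanner.

```perl
#!/usr/bin/perl
# Added example, not from the original post or from MIMEDefang: keep the
# forged-sender list as plain names and derive the regexp from it.
use strict;
use warnings;

# Families known to forge the envelope sender (same names as the post's
# $BounceVirus). Add one name here; the regexp below is rebuilt from it.
my @BOUNCE_FAMILIES = qw(
    trojan.dropper klez bugbear sobig yaha nimda hybris braid fizzer palyh
);

# quotemeta() escapes the '.' in "trojan.dropper" so it matches a literal
# dot only; /i gives the case-insensitivity that (?i) gave in the post.
my $BounceVirus = do {
    my $alt = join '|', map { quotemeta($_) } @BOUNCE_FAMILIES;
    qr/(?:$alt)/i;
};

# Decide what a filter should do with a scanner verdict:
#   "bounce"     - reject at end of DATA; the sender is probably forged,
#                  so no notification should be generated to anyone;
#   "quarantine" - keep a copy and notify, as for any other infected mail.
# (virus_action is a hypothetical helper name chosen for this example.)
sub virus_action {
    my ($virus_name) = @_;
    return $virus_name =~ $BounceVirus ? 'bounce' : 'quarantine';
}

# Constructed verdict strings for illustration only.
my @verdicts = (
    'W32/Sobig.F@mm',
    'Worm.Klez.H',
    'Trojan.Dropper.Small',
    'EICAR-Test-File',    # the post suggests adding "eicar" to test bouncing
    'W32/Example.A',      # made-up name with no forged-sender family
);

for my $v (@verdicts) {
    printf "%-22s -> %s\n", $v, virus_action($v);
}
```

Inside mimedefang-filter the same decision slots into the `if ($category eq "virus")` branch by testing `virus_action($VirusName) eq 'bounce'` instead of `$VirusName =~ /$BounceVirus/o`. One caveat on the reply code: action_bounce answers with a permanent 5xx reply (554 by default), not the 450 suggested in the quoted message; a temporary 4xx would only make the infected host, or a relaying MTA, keep retrying the same message.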