[Mimedefang] Dropping e-mails generated by the Sobig Virus
Ole Craig
olc at cs.umass.edu
Thu Aug 21 15:27:00 EDT 2003
On 08/21/03 at 21:02, 'twas brillig and Jakub Wasielewski scrobe:
[...]
>
> Hmm... maybe Sobig is a good reason for discard action, but think about
> having a dozen such cases. Now arises the problem to notify the user
> about sending virus or not to and discard. You could end up with huge
> regexp or something like that making the decision... nasty. As we all
> agree it is important to notify sender about virus infection.. if the
> sender is not fake. The perfect solution IMO would be a possibility to
> reject the entire e-mail in the last stage of SMTP dialog, after DATA,
> with "450 Reason of reject". What do you think about that or maybe it
> is already possible with MD??
>
Indeed it is, using action_bounce:
[...]
# this RE should match the names of viruses known to fake sender
# addresses. Add new ones here as they become known. (test by adding
# "eicar" to the list.)
$BounceVirus='(?i)trojan.dropper|klez|bugbear|sobig|yaha|nimda|hybris|braid|fizzer|palyh';
sub filter ($$$$) {
[...]
    if ($FoundVirus) {
        my($code, $category, $action);
        $VirusScannerMessages = "";
        ($code, $category, $action) = entity_contains_virus($entity);
        if ($category eq "virus") {
            # sender-forging viruses: reject inside the SMTP dialog, so no
            # notification is ever sent to the (forged) sender address
            if ($VirusName =~ /$BounceVirus/o) {
                md_graphdefang_log('virusbounce',$VirusName, $RelayAddr);
                return action_bounce("rejection: found virus $VirusName");
            } else {
                # everything else: quarantine the part and carry on
                md_graphdefang_log('virus',$VirusName, $RelayAddr);
                return action_quarantine($entity, "A known virus was discovered and deleted. Virus-scanner messages follow:\n$VirusScannerMessages\n\n");
            }
        }
    }
[...]
}
Ole
--
Ole Craig * UNIX, linux, SMTP-ninja; news, web; SGI martyr * CS Computing
Facility, UMass * <www.cs.umass.edu/~olc/pgppubkey.txt> for public key
[...] Oh, shed thy mercy and thy grace / On those who venture into space.
(R. A. Heinlein)
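A table-driven version of the bounce-or-quarantine decision from the filter fragment above, added here as an example; it is not part of Ole's post or of MIMEDefang itself. It assumes the same MIMEDefang globals and functions the fragment uses plus action_accept(), and the policy rows and sample virus names are constructed. Note that action_bounce rejects with a permanent 5xx code rather than the 450 mentioned in the question; a 4xx reply would only make the sending host retry the same message.

```perl
use strict;
use warnings;

# Globals set by mimedefang.pl before filter() runs (assumed, as in the fragment above).
our ($FoundVirus, $VirusName, $RelayAddr, $VirusScannerMessages);

# Policy table, first match wins. Viruses known to forge the envelope sender
# map to 'bounce' (a permanent reject inside the SMTP dialog, so nothing is
# ever sent to the forged address); anything else gets 'quarantine'.
# Adding a case means adding a row, not growing one regexp.
my @VirusPolicy = (
    [ qr/trojan\.dropper|klez|bugbear|sobig|yaha|nimda|hybris|braid|fizzer|palyh/i, 'bounce' ],
    [ qr/eicar/i, 'bounce' ],   # test row: remove once verified
);
my $DefaultPolicy = 'quarantine';

# Pure decision: virus name -> 'bounce' | 'quarantine'. No MIMEDefang calls,
# so it can be tested outside the milter.
sub virus_policy {
    my ($name) = @_;
    for my $rule (@VirusPolicy) {
        my ($re, $action) = @$rule;
        return $action if $name =~ $re;
    }
    return $DefaultPolicy;
}

sub filter ($$$$) {
    my ($entity, $fname, $ext, $type) = @_;
    if ($FoundVirus) {
        $VirusScannerMessages = "";
        my ($code, $category, $action) = entity_contains_virus($entity);
        if ($category eq "virus") {
            if (virus_policy($VirusName) eq 'bounce') {
                md_graphdefang_log('virusbounce', $VirusName, $RelayAddr);
                return action_bounce("rejection: found virus $VirusName");
            }
            md_graphdefang_log('virus', $VirusName, $RelayAddr);
            return action_quarantine($entity, "A known virus was discovered and "
                . "deleted. Virus-scanner messages follow:\n$VirusScannerMessages\n\n");
        }
    }
    return action_accept();   # other per-part checks go above this line
}

# Self-check when run directly; skipped when loaded by mimedefang.pl.
unless (caller) {
    die "sobig should bounce" unless virus_policy('W32/Sobig.F@mm') eq 'bounce';
    die "unknown should quarantine" unless virus_policy('Some.Other.Worm') eq 'quarantine';
    print "policy table OK\n";
}
```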