[Mimedefang] Re: How to discard mail silently when it contains bad attachments

Jeremy Mates jmates at sial.org
Tue Aug 26 02:11:01 EDT 2003


* John.Mathews at events.wvu.edu <John.Mathews at events.wvu.edu>
> Sobig.f is killing us here. The problem isn't finding and cleaning the
> virus, its sending out all those useless emails that have had the
> virus stripped out. Is there an easy way to have the filters just
> discard the mail if it is found to be infected?

Yes, use the action_discard function to throw out messages identified as
Sobig.F (or any malware that forges the sender address).

sub filter ($$$$) {
  my ($entity, $fname, $ext, $type) = @_;
  return if message_rejected();   # an earlier part already decided the fate

  # Stand-in for the real test: whatever check flags this part as
  # forged-sender malware (e.g. the virus scanner's verdict).
  if ($damnable_windows_malware_that_forges_addresses_is_found) {
    action_discard();             # accept the message, then drop it silently
    return;
  }
}

One could also look at the logs and figure out Sobig.F infection sources
and blackhole these systems via access_map entries or maybe a firewall
block table (or maybe create a generic RBL service for malware sources?
I have not looked for one...). This cuts down on the work the mail
servers have to do, at the risk of blocking a relay that is forwarding
viruses along with legitimate e-mail. Certain infected systems account
for the majority of malware sources on my servers; e.g. the top 10 at
time of writing:

$ <2003-08-* perl -nle 'if(/,virus,Worm\.Sobig\.F,([^,]+),/) { $count++; $s{$1}++ } END { warn "total: $count from ", scalar keys %s, "\n"; print $s{$_}, " ", $_ for keys %s }' | sort -nr | head -10

total: 6065 from 183
2121 137.53.181.215
530 211.167.66.99
359 128.252.205.129
345 141.161.238.114
192 140.120.209.151
169 216.141.170.62
150 211.160.15.80
137 208.60.180.31
117 216.170.80.90
107 159.226.143.148

Until malware starts forging Received headers, one can quarantine malware
and look at the HEADERS file to determine whether the host is a primary
source or a mail relay. Or, have a bit in mimedefang-filter log the
appropriate data about Received headers in the message for parsing.
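One way to do that bookkeeping, as an added Perl example that is not code from the original post or from MIMEDefang itself: read the Received: trail of a message and log whether the connecting host looks like the infected origin or like a relay forwarding it. It assumes the HEADERS file holds the headers exactly as the client sent them (the receiving MTA's own Received: header is not yet among them) and that the connecting client's IP is what MIMEDefang exposes as $RelayAddr; both are passed in as plain arguments so the code runs outside the filter on the constructed sample headers at the bottom.

```perl
#!/usr/bin/perl
# Added example, not from the original post or the MIMEDefang project.
# Assumptions: headers are passed in as the client sent them (no local
# Received: header yet) and $relay_addr is the connecting client's IP
# (MIMEDefang's $RelayAddr inside mimedefang-filter).
use strict;
use warnings;

# Return the Received: headers of a raw header block, continuation lines
# unfolded, in the order written: index 0 is the most recent hop the
# sending side added, the last element the oldest.
sub received_headers {
    my ($headers) = @_;
    $headers =~ s/\r?\n[ \t]+/ /g;                 # unfold folded headers
    return grep { /^Received:/i } split /\r?\n/, $headers;
}

# First bracketed IPv4 literal in a Received: line, e.g. "(foo [10.1.2.3])".
sub hop_ip {
    my ($line) = @_;
    return $line =~ /\[(\d{1,3}(?:\.\d{1,3}){3})\]/ ? $1 : 'none';
}

# Classify the connecting host. A mass mailer that speaks SMTP itself adds
# no Received: header, so a message arriving with none came straight from
# the infected machine. Any Received: header means the connecting host
# relayed it, and the oldest header names the hop to look at next. This
# holds only while the malware does not forge Received: headers.
sub classify_source {
    my ($headers, $relay_addr) = @_;
    my @rcvd = received_headers($headers);
    return {
        relay   => $relay_addr,
        hops    => scalar @rcvd,
        origin  => @rcvd ? hop_ip($rcvd[-1]) : $relay_addr,
        verdict => @rcvd ? 'relay' : 'primary-source',
    };
}

# One comma-separated log line per quarantined message, shaped so the same
# kind of one-liner used on the virus log above can aggregate it later.
sub source_log_line {
    my ($info) = @_;
    return sprintf 'received-trail,%s,%s,%d,%s',
        $info->{verdict}, $info->{relay}, $info->{hops}, $info->{origin};
}

# Constructed sample headers (not real traffic).
my $direct_headers = <<'HDR';
From: spoofed@example.org
To: victim@example.net
Subject: Re: Thank you!
HDR

my $relayed_headers = <<'HDR';
Received: from desktop17 (desktop17.lan.example.org [192.0.2.17])
	by mx.example.org (8.12.9/8.12.9) with SMTP id h7Q1xyz
	for <victim@example.net>; Mon, 25 Aug 2003 21:40:12 -0400
From: spoofed@example.org
To: victim@example.net
Subject: Re: Details
HDR

# Inside mimedefang-filter the two arguments would come from the HEADERS
# file and $RelayAddr; the constructed values below stand in for them.
for my $case ([$direct_headers, '198.51.100.8'],
              [$relayed_headers, '203.0.113.5']) {
    print source_log_line(classify_source(@$case)), "\n";
}
```

The first sample has no Received: header and is logged as a primary source at the connecting address; the second carries one hop from 192.0.2.17, so the connecting host is logged as a relay and the inner address is the one to chase. Inside the filter the log line would go out through md_syslog rather than print.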

<rant> The existence of Microsoft products on the Internet pretty
much forces every responsible mail administrator to spend time and
money installing and managing anti-virus software. I will also
gladly sacrifice remote SMTP via SMTP AUTH or STARTTLS to prevent
random Windows boxes from being able to reach everything on the
Internet via port 25.