[Mimedefang] Dropping Klez -- How to filter?

-ray ray at ops.selu.edu
Fri Jan 31 16:41:01 EST 2003 

        # Check for Klez first -zrd 01/09/03
         if (join("",@{$entity->body}) =~ /TVqQAAMAAAAEAAAA/) {
            md_log('klez_virus', $fname, $type);
            action_quarantine_entire_message('Caught a Klez virus');
            return action_discard();
            }

This is how i'm catching Klez, without a virus scanner in filter. but you
are right that i could not find a way to just discard the entire message.  
It drops the part and quarantine's the entire message.  We need an
action_discard_entire_message function.  Perhaps someone else has a better
idea...

-Ray
-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean  				       	 http://www.r-a-y.org
Systems Engineer                    Southeastern Louisiana University
IBM Certified Specialist  	      AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



On Fri, 31 Jan 2003, James Miller wrote:

> Hi everyone,
> 
> I saw somewhere (thus the reason for this question) a great way to drop, in
> this case, messages with klez and to quarantine everything else.  I
> currently have mimedefang set to quarantine everything, but I'm not
> confident enough to write 'if kelz drop else quarantine'.  If someone could
> share what they do or a link to a URL I'd be most grateful.  I did find
> something on a web site but it didn't seem complete and wasn't what I had
> seen (kicking self for not book marking).
> 
> return action_discard() if $VirusName =~ /klez|bugbear/i;
> 
> How could I work this in to my filter?
> 
> --mimedefang-filter snippet--
> sub filter ($$$$) {
>     my($entity, $fname, $ext, $type) = @_;
> 
> if ($FoundVirus) {
> 	my($code, $category, $action);
> 	$VirusScannerMessages = "";
> 	($code, $category, $action) = entity_contains_virus($entity);
>           md_log('virus',$VirusName, $RelayAddr);
> 	    action_quarantine($entity, "A known virus was discovered and deleted.
> Virus-scanner messages follow:\n$VirusScannerMessages\n\n");
> 	    send_quarantine_notifications();
> 	    return;
> 
> 
> 
> Thank you for your help,
> Jim
> 
> 
> _______________________________________________
> MIMEDefang mailing list
> MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
>

More information about the MIMEDefang mailing list