[Mimedefang] Code snippet to drop nuisance virus

John Gunkel jgunkel at palliser.ca
Wed Sep 3 19:26:02 EDT 2003


Hi!

I guess I have been lurking around the list archives for almost a year
now, so I thought it's about time I subscribe and contribute something
back.

I remember seeing a while back where someone's users were complaining
about the number of Klez (Sobig?) virus notifications they were getting.
I had the same problem. (Execs get kinda whiny when they have to click
too many buttons...) Soooo, I wrote this bit of code which takes care of
it for us.

obWarningThingy: The filter is written to drop the specified messages on
the floor (bad admin! bad!) instead of rejecting them. At least the
messages are logged for review though. (suggestions on how to fix that,
anyone?)

Enjoy!

John

PS: David, I would have just submitted this to the tips page, but it
looks like the script is broken or missing. (at least that's what apache
tells me!)

#####################################################################
# In the beginning....
#Internal Flag...
my ($IsInternal);

#Stupid Virus List...
my( $stupid_viri);
$stupid_viri = '(W32\/Fizzer\.gen|Klez|Bugbear\.b|Sobig)';

#####################################################################
# Somewhere after message_contains_virus is evaluated:

        # Is this message from our networks (internal) or from somewhere
        # else (external)?
        # Need to change this to use sendmail's access db.
        #if ( $RelayAddr =~ "^192\.168\.16\." || $RelayAddr =~ "^205\.bbb\.ccc\."
        #     || $RelayAddr =~ "^207\.bbb\.ccc\." ) {
        if ( $Sender =~ q/@palliser\.ca$/ || $Sender =~ q/@palliser\.com$/ ) {
                $IsInternal=1;
        } else {
                $IsInternal=0;
        }

        # This causes mimedefang to drop certain viri (Fizzer, Klez) on
        # the floor.
        if ( $VirusName =~ /$stupid_viri/ ) {

                # This contains a virus.
                # We either continue or discard depending on whether the
                # source is internal or not.
                if ( $IsInternal ) {
                        # Internal sender. Continue with the rest of the
                        # processing. We will nail the virus in a sec in
                        # the entity checking.
                } else {
                        # External sender, internal recipient. Log and discard.
                        md_log('stupid_virus', $VirusName, $type);
                        return action_discard();
                }
        }

#####################################################################
# Somewhere after entity_contains_virus is evaluated:

                # This causes mimedefang to drop certain viri (Fizzer,
                # Klez) on the floor.
                if ( $VirusName =~ /$stupid_viri/ ) {
                        md_log('filter_stupid_virus', $VirusName, $type);

                        # This contains a virus.
                        # We either bounce or drop depending on whether
                        # the source is internal or not.
                        if ( $IsInternal ) {
                                # Internal sender. Bounce.
                                return action_bounce(
                                    "A known virus ($VirusName) was discovered and deleted.  " .
                                    "Virus-scanner messages follow:\n :2901: \n" .
                                    "$VirusScannerMessages\n\n");
                        } else {
                                # External sender, internal recipient. Drop.
                                md_log('drop_stupid_virus', $VirusName, $type);
                                return action_discard();
                        }
                }

                # This contains a virus.
                # We either bounce or quarantine depending on whether the
                # source is internal or not.
                if ( $IsInternal ) {
                        # Internal sender. Bounce.
                        return action_bounce(
                            "A known virus ($VirusName) was discovered and deleted.  " .
                            "Please contact the Help Desk for assistance. " .
                            "Virus-scanner messages follow:\n :2902: \n" .
                            "$VirusScannerMessages\n\n");
                } else {
                        # External sender, internal recipient. Quarantine.
                        return action_quarantine($entity,
                            "A known virus ($VirusName) was discovered and deleted.  \n" .
                            "If you require this document, please contact $AdminAddress " .
                            "or the sender and arrange an alternate means of receiving it. \n" .
                            "Virus-scanner messages follow:\n :2903: \n" .
                            "$VirusScannerMessages\n\n");
                }



~~
John Gunkel, RHCE
Webmaster/System Administrator
Palliser Furniture, Ltd.
204-954-7209
jogunkel at palliser.ca
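
Added example (not part of the original post and not MIMEDefang's own code): the commented-out $RelayAddr test and the "use sendmail's access db" note point toward deciding internal versus external by the connecting relay rather than by the envelope sender, which the sending host is free to set to anything. This stand-alone Perl script does that with a CIDR list; the 203.0.113.0/24 network, the sample addresses and the helper names ip_to_int and relay_is_internal are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# 192.168.16.0/24 comes from the post's commented-out check; 203.0.113.0/24
# is a constructed placeholder for the masked public ranges.
my @internal_nets = ('127.0.0.1/32', '192.168.16.0/24', '203.0.113.0/24');

# Dotted quad -> 32-bit integer, or undef if it is not a valid IPv4 literal.
sub ip_to_int {
    my ($ip) = @_;
    return undef unless defined $ip
        && $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    my @o = ($1, $2, $3, $4);
    return undef if grep { $_ > 255 } @o;
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# True when the relay address is inside one of the CIDR blocks.
# Unparsable input (IPv6, empty, garbage) counts as external.
sub relay_is_internal {
    my ($relay, @nets) = @_;
    my $addr = ip_to_int($relay);
    return 0 unless defined $addr;
    for my $cidr (@nets) {
        my ($net, $bits) = split m{/}, $cidr;
        my $base = ip_to_int($net);
        next unless defined $base && defined $bits
            && $bits =~ /^\d+$/ && $bits <= 32;
        my $mask = $bits ? (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF : 0;
        return 1 if ($addr & $mask) == ($base & $mask);
    }
    return 0;
}

# Constructed samples: [relay address, envelope sender].
my @samples = (
    ['192.168.16.25', '<alice@palliser.ca>'],   # internal host
    ['198.51.100.7',  '<bob@palliser.ca>'],     # outside relay, internal-looking sender
    ['198.51.100.9',  '<carol@example.net>'],   # ordinary external mail
);

for my $s (@samples) {
    my ($relay, $sender) = @$s;
    my $by_sender = $sender =~ /\@palliser\.(?:ca|com)>?$/ ? 1 : 0;
    my $by_relay  = relay_is_internal($relay, @internal_nets);
    printf "%-15s %-22s by_sender=%d by_relay=%d\n",
        $relay, $sender, $by_sender, $by_relay;
}
```

In a filter, the result of relay_is_internal($RelayAddr, @internal_nets) would take the place of the $Sender test when setting $IsInternal, so only mail that actually arrived from the listed networks gets the bounce path.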


