[Mimedefang] Filtering new Mirosoft virus email ...

Cormack, Ken kcormack at acs.roadway.com
Wed Sep 24 08:41:58 EDT 2003


I forgot to mention...

Changes to the subjects_part and subjects_full can be made on-the-fly, and
no restart of sendmail or MIMEDefang is needed for newly-added subjects to
take effect.

Ken

-----Original Message-----
From: Cormack, Ken 
Sent: Wednesday, September 24, 2003 8:39 AM
To: 'mimedefang at lists.roaringpenguin.com'
Subject: RE: [Mimedefang] Filtering new Mirosoft virus email ...


> I was wondering if someone could tell me how I could DROP
> an entire email if a certain phrase was in the "subject" of the email.
>
> eg I want to filter any emails that have a subject of this:
>
>       Fwd: Current Net Security Patch
>
> Hope someone can help with this.

Justin,

We use the following rule, in sendmail (rather than in the milter), and it
works great.  Add this snippet of code to your sendmail.mc, and then use m4
to rebuild your .cf file (then keep reading, for more details on how to set
it up).  Be careful when adding this to your config... it is TAB-sensitive.
(I've indicated tabs with [TAB])

LOCAL_RULESETS
######################################################################
###
###  Add exact-match subject lines to /etc/mail/subjects_full
###  Add substrings to match in subject lines to /etc/mail/subjects_part
###  In both files, all spaces MUST be replaced with periods (.)
###
###  Create two files called /etc/mail/subjects_full and
###  /etc/mail/subjects_part.  The former has complete
###  unwanted 'subject' lines, while the latter has only
###  substrings within 'subject' lines.
###
###  As an example, suppose you want to filter out 'viagra'
###  spam.  The following entry in your subjects_part
###  file would do it:
###    viagra
###
###  In the case of multi-word entries, all spaces MUST be
###  replaced with periods.  For example:
###    herbal.viagra
###
###  These filters are not case-sensitive.
###
###  - Added 11 MARCH 2003
###
######################################################################
F{FullSubjects} -o /etc/mail/subjects_full
F{PartSubjects} -o /etc/mail/subjects_part
HSubject:[TAB]$>CheckSubject

SCheckSubject
R$={FullSubjects}$*[TAB]$: REJECTSUBJECT
R$* $={PartSubjects} $*[TAB]$: REJECTSUBJECT
R$* REJECTSUBJECT $*[TAB]$#error $: "553 Access Denied - MSG may contain SPAM/WORM/VIRUS/HOAX."
######################################################################

Remember to watch for tabs.  The comments at the top of the code explain the
ascii files used to hold your unwanted subject lines.  To help get you
going, I've attached the "subjects_full" and "subjects_part" files that I
use.  My files already include your "Current Net Security Patch" subject
line, as "current.net.security.patch" in the subjects_part file.

On my system, this blocks 2500 - 8000 spams per day, using the attached
subject lists.  They'll show up in your maillog like this recent entry from
my own log this morning...

Sep 24 08:30:06 mail01 sendmail[14393]: h8OCU6mV014393:
ruleset=CheckSubject, arg1=Mystery Shopper - Free Vacation,
relay=some.host.com [XXX.XX.XXX.XX], reject=553 5.0.0 Access Denied - MSG
may contain SPAM/WORM/VIRUS/HOAX.

Hope this helps.  :)

Ken
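
An added example, not part of the original post: a small Python tally of CheckSubject rejections from maillog lines in the format quoted above, useful for reviewing which subjects and relays a list entry is actually hitting. The sample lines, hosts, addresses and queue ids are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# One syslog line per rejection, in the shape shown in the post. arg1 is the
# sender-controlled Subject, so it is matched greedily: the genuine relay= and
# reject= fields are the last ones on the line, whatever the subject contains.
REJECT_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): ruleset=CheckSubject, "
    r"arg1=(?P<subject>.*), relay=(?P<relay>.*?), reject=(?P<code>\d{3}) "
)

def parse_rejects(lines):
    """Return one dict (qid, subject, relay, code) per CheckSubject rejection."""
    return [m.groupdict() for m in map(REJECT_RE.search, lines) if m]

def tally(lines):
    """Count rejections per subject (case-folded, as the filter is) and per relay."""
    hits = parse_rejects(lines)
    by_subject = Counter(h["subject"].strip().lower() for h in hits)
    by_relay = Counter(h["relay"] for h in hits)
    return by_subject, by_relay

# Constructed sample input. TAIL is the reject text configured in the ruleset.
TAIL = ", reject=553 5.0.0 Access Denied - MSG may contain SPAM/WORM/VIRUS/HOAX."
HEAD = "Sep 24 08:3%d:06 mail01 sendmail[1439%d]: h8OCU%dmV01439%d: ruleset=CheckSubject, arg1="
SAMPLE_LOG = [
    HEAD % (0, 3, 6, 3) + "Mystery Shopper - Free Vacation, relay=a.example.net [192.0.2.10]" + TAIL,
    HEAD % (1, 4, 7, 4) + "MYSTERY SHOPPER - FREE VACATION, relay=b.example.net [192.0.2.20]" + TAIL,
    HEAD % (2, 5, 8, 5) + "Fwd: Current Net Security Patch, relay=b.example.net [192.0.2.20]" + TAIL,
    # Subject that imitates log fields; the real relay is c.example.net.
    HEAD % (3, 6, 9, 6) + "Hi, relay=mail01 [127.0.0.1], reject=250 ok, relay=c.example.net [192.0.2.30]" + TAIL,
    # Ordinary delivery line, not a rejection: must be ignored.
    "Sep 24 08:34:00 mail01 sendmail[14397]: h8OCV0mV014397: from=<x@example.com>, size=1200, relay=a.example.net [192.0.2.10]",
]

if __name__ == "__main__":
    subjects, relays = tally(SAMPLE_LOG)
    for subject, count in subjects.most_common():
        print(f"{count:5d}  {subject}")
    for relay, count in relays.most_common():
        print(f"{count:5d}  {relay}")
```

Feed it real lines with `tally(open("/var/log/maillog"))`, where the log path is an assumption that depends on your syslog setup.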


