[Mimedefang] Filtering new Microsoft virus email ...

James Smith sysadmin at aims.gov.au
Wed Sep 24 09:36:01 EDT 2003


> -----Original Message-----
> From: Justin Hennessy [mailto:jhennessy at mitchamcouncil.sa.gov.au] 
> Sent: Wednesday, 24 September 2003 9:55 AM
> 
> I was wondering if someone could tell me how I could DROP an 
> entire email if a certain phrase was in the "subject" of the email.


Firstly, my apologies for such a long email, I tend to ramble on :). The
following is a cut down piece of code from a filter I am currently testing
which will expand on testing for just a single subject as per the example
Jim McCullars gave earlier, allowing you to grow your "Bad Subjects" list
easily. The full filter I'm developing was based on an idea that I got from
some code David (kudos David) posted a few days back with reference to
Greylisting, and in fact most of the code has been plagiarised from David's
original. It's not quite complete but it's at a stage where it may be useful
to others and I'm happy to share it if anyone finds it remotely useful. The
idea in a nutshell is, each time an email is found to have a virus-infected
or bad attachment type, the relay is automatically added to a database of
suspect relays. Each time an email arrives, the filter checks to see if the
relay is listed in the suspect relay database and also checks the subject
against another database of "known worm subjects"; if a match is found in
both databases the mail is discarded before each part is processed,
hopefully offering some performance gains.

This is really meant for those of you that quarantine messages with bad
attachment types so that a user may request it should it turn out to be a
legitimate email, and works on the premise that if an email was found to
have a bad attachment previously and a subsequent email from the same relay
has one of the "known worm subjects" then it's fairly safe to assume we can
discard it without having to process the message any further, and without
sending any further quarantine messages to the user. This prevents your
users getting multiple quarantine messages for emails which to them appear
to be from multiple sources but which are in fact from the same "sender
spoofing worm" infected host. The upshot here is you no longer get phone
calls from your users asking "WTF is going on here??" when they open their
email in the morning to find a mass of quarantine messages for bad
attachment types.

Anyway, as I mentioned, if anyone is interested I will be happy to post the
full code here; I'm sure a lot of you can expand on what I post here to do
just that anyway. Here is the cut down code to just check the incoming
mail's subject against a database, and below that a short script to help
manage the "known worm subjects" database.

#***********************************************************************
# Bad subject filtering
#***********************************************************************
use DB_File;
use Fcntl qw(:DEFAULT :flock);   # :DEFAULT supplies O_RDWR/O_CREAT for tie()

$SUBDBFilename = "/var/spool/MIMEDefang/worm_subjects.db";

# Take an exclusive lock. MIMEDefang runs several filter processes in
# parallel, so two of them must never have the DB open at the same time.
sub lock_subdb() {
        open(LOCKFILE, ">>$SUBDBFilename.lock") or return 0;
        flock(LOCKFILE, LOCK_EX) or return 0;
        return 1;
}

# Release the lock. The lock file is deliberately left in place: unlinking
# it would let a process still blocked in flock() on the old inode and a
# newcomer that re-creates the file both hold the "lock" at once.
sub unlock_subdb {
        flock(LOCKFILE, LOCK_UN);
        close(LOCKFILE);
        return 1;
}

# Normalise a subject so trivial spacing differences still match the DB.
sub cannonicalize_subject ($) {
        my($email_subject) = @_;
        # Remove spaces
        $email_subject =~ s/ //g;
        return ($email_subject);
}

# Return the worm name stored for this subject, or 0 if it is not listed.
sub is_worm_subject ($) {
        my($subject_line) = @_;
        my %subject_hash;

        my $can_subject = cannonicalize_subject($subject_line);

        # If the lock cannot be taken, fail open: the mail just gets normal
        # processing rather than an unlocked DB read.
        lock_subdb() or return 0;
        tie %subject_hash, 'DB_File', $SUBDBFilename, O_RDWR|O_CREAT, 0666, $DB_HASH;
        my $subret = $subject_hash{$can_subject};
        untie %subject_hash;
        unlock_subdb();
        if ($subret) {
                return ($subret);
        }
        return (0);
}


sub filter_begin {
        if (is_worm_subject($Subject)) {
                md_syslog("info", "Infected Relay/Worm Subject match.. discarding email");
                return action_discard();
        }

# ... The rest of filter begin here

}

#************End of filter**************************


#!/usr/bin/perl
#************************************************************************
# Name: add_worm_subject.pl
# Description: Adds a subject to the worm_subjects.db database.
# Syntax: add_worm_subject.pl SubjectString WormDefinition
# Example: add_worm_subject.pl "Fwd: Current Net Security Patch" W32/Swen
#************************************************************************
use strict;
use warnings;
use DB_File;
use Fcntl qw(:DEFAULT :flock);   # :DEFAULT supplies O_RDWR/O_CREAT for tie()

my $SUBDBFilename = "/var/spool/MIMEDefang/worm_subjects.db";

# Same lock the filter uses, so adding a subject never races a lookup.
sub lock_subdb() {
        open(LOCKFILE, ">>$SUBDBFilename.lock") or return 0;
        flock(LOCKFILE, LOCK_EX) or return 0;
        return 1;
}

# Release the lock; the lock file is left in place on purpose (see the
# note in the filter's unlock_subdb).
sub unlock_subdb {
        flock(LOCKFILE, LOCK_UN);
        close(LOCKFILE);
        return 1;
}

# Must be identical to cannonicalize_subject() in the filter, or lookups
# will never match what is stored here.
sub cannonicalize_subject ($) {
        my($email_subject) = @_;
        # Remove spaces
        $email_subject =~ s/ //g;
        return ($email_subject);
}

sub add_worm_subject ($$) {
        my($subject,$worm) = @_;
        my %subhash;

        $subject = cannonicalize_subject($subject);
        lock_subdb() or die "Cannot lock $SUBDBFilename.lock: $!\n";
        tie %subhash, 'DB_File', $SUBDBFilename, O_RDWR|O_CREAT, 0666, $DB_HASH
                or die "Cannot open $SUBDBFilename: $!\n";
        $subhash{$subject} = $worm;
        untie %subhash;
        unlock_subdb();
        return ("Added $subject to database");
}

# Both arguments are required: an empty worm name would store an empty
# value, which is_worm_subject() in the filter treats as "not listed".
if (@ARGV != 2 || $ARGV[0] eq "" || $ARGV[1] eq "") {
  die "Usage: add_worm_subject.pl SUBJECT WORM\n";
}

my $result = add_worm_subject($ARGV[0], $ARGV[1]);
print "$result\n";

#*************End of add_worm_subject.pl****************

Obviously it's important with a filter like this you run the risk of
defining subjects that legitimate emails may use, inadvertently discarding
them, so you'll have to be careful. This is why I went the step further and
added the relay matching as well, which, whilst there's still a remote chance
an infected host may send a real email with one of the "known worm subjects",
I'm willing to take that chance. Most of the anti-virus vendors list the
subjects a discovered worm is capable of using, so it's a simple matter of
adding those possible when a new worm hits the wild. It would probably pay
to periodically purge or delete the databases also to keep them small so as
not to impact performance.

I hope this is helpful to someone out there.

Regards
James

><> ><> ><> ><> ><> ~~~~~ <>< <>< <>< <>< <><
Systems Administrator
Australian Institute of Marine Science
Townsville, FNQ, Australia
Phone +61 7 4753 4400  Fax +61 7 4772 5852
Email: sysadmin at aims.gov.au
><> ><> ><> ><> ><> ~~~~~ <>< <>< <>< <>< <><
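The full "relay AND subject" check and the periodic purge that the post describes, as an added example (this is not James's filter or any MIMEDefang code; it assumes MIMEDefang's $RelayAddr and $Subject globals, and the suspect_relays.db path, the 7-day TTL and the case folding are my own choices):

```perl
# Added example: discard only when the relay is a recent suspect AND the
# subject is a known worm subject; suspect relays expire after a TTL.
use DB_File;
use Fcntl qw(:DEFAULT :flock);
$RelayDBFilename = "/var/spool/MIMEDefang/suspect_relays.db";  # assumed path
$SubjDBFilename  = "/var/spool/MIMEDefang/worm_subjects.db";
$RelayTTL        = 7 * 24 * 3600;    # assumed: forget a relay after 7 days
# Run $code on the tied hash of $file under an exclusive flock, because
# MIMEDefang runs several filter processes in parallel.
sub with_db {
        my ($file, $code) = @_;
        open(my $lock, '>>', "$file.lock") or return undef;
        flock($lock, LOCK_EX) or return undef;
        my %h;
        tie(%h, 'DB_File', $file, O_RDWR|O_CREAT, 0666, $DB_HASH) or return undef;
        my $ret = $code->(\%h);
        untie %h;
        close($lock);   # releases the lock; the lock file is never unlinked
        return $ret;
}
# Strip whitespace and fold case; add_worm_subject.pl must apply the same rule.
sub canonicalize_subject {
        my ($s) = @_;
        $s =~ s/\s+//g;
        return lc $s;
}
# Call from filter() when a part is quarantined for a bad attachment type.
sub mark_suspect_relay {
        my ($ip) = @_;
        return with_db($RelayDBFilename, sub { $_[0]->{$ip} = time(); 1 });
}
# Worm name if the relay is an unexpired suspect AND the subject is listed.
sub is_worm_from_suspect_relay {
        my ($ip, $subject) = @_;
        my $seen = with_db($RelayDBFilename, sub { $_[0]->{$ip} });
        return 0 unless defined $seen && time() - $seen < $RelayTTL;
        my $key  = canonicalize_subject($subject);
        my $worm = with_db($SubjDBFilename, sub { $_[0]->{$key} });
        return $worm ? $worm : 0;
}
# Drop expired relays and return how many went; run this from cron.
sub purge_suspect_relays {
        return with_db($RelayDBFilename, sub {
                my ($h, $n) = (shift, 0);
                for (keys %$h) { next if time() - $h->{$_} < $RelayTTL; delete $h->{$_}; $n++ }
                return $n;
        });
}
```

In filter_begin, call is_worm_from_suspect_relay($RelayAddr, $Subject) where the post calls is_worm_subject($Subject), and call mark_suspect_relay($RelayAddr) from filter() wherever a bad attachment type is quarantined.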
