[Mimedefang] virus source report?
Lucas Albers
admin at cs.montana.edu
Tue Aug 10 00:37:19 EDT 2004
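Inside the virus scanner program, look at the relay address and then do
an action notify, in filter_begin:

    if ($FoundVirus) {
        md_graphdefang_log('virus', $VirusName, $RelayAddr);
        md_syslog('warning', "Discarding because of virus $VirusName");
        # $RelayAddr holds the IP of the connecting relay; anchor the
        # match so only addresses starting with 143.30. count as ours.
        if ($RelayAddr =~ /^143\.30\./) {
            # Example message text; word it to suit your site.
            action_notify_administrator("Virus $VirusName from internal relay $RelayAddr\n");
        }
        return action_discard();
    }
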
Les Mikesell said:
> For some reason we've been getting hit with new viruses just ahead of
> their inclusion in the scanner databases recently. Has anyone come
> up with a clever way to parse the logs or another way to quickly
> notice if the first IP in the received headers belongs to your
> own ranges so that after the scanner detects the virus you can
> quickly find internal boxes already infected?
>
> ---
> Les Mikesell
> les at futuresource.com
--
Luke
Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana
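
For the log-parsing half of the question, an added example (not part of the original post) that reads the lines written by the md_graphdefang_log('virus', $VirusName, $RelayAddr) call above and lists internal relays that sent viruses. It assumes the syslog layout MDLOG,msgid,event,value1,value2,sender,recipient,subject with percent-encoded fields, and takes 143.30.0.0/16 as the internal range from the 143.30 prefix in the filter; the function name and sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: internal range derived from the 143.30 prefix used in the filter.
INTERNAL_NETS = [ipaddress.ip_network("143.30.0.0/16")]

# Assumed layout: MDLOG,<msgid>,<event>,<value1>,<value2>,<sender>,<rcpt>,<subject>
MDLOG_RE = re.compile(
    r"MDLOG,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),(.*)$")

# Constructed sample syslog lines (not real traffic).
SAMPLE_LOG = """\
Aug 10 00:12:01 mx1 mimedefang.pl[2211]: MDLOG,i7A4C1aa001,virus,Example.Worm.A,143.30.12.7,a@example.edu,b@example.org,hello
Aug 10 00:12:09 mx1 mimedefang.pl[2211]: MDLOG,i7A4C9bb002,virus,Example.Worm.A,198.51.100.23,x@example.net,b@example.org,hi
Aug 10 00:13:40 mx1 mimedefang.pl[2214]: MDLOG,i7A4Dccc003,spam,12.4,143.30.12.7,a@example.edu,c@example.org,offer
Aug 10 00:14:02 mx1 mimedefang.pl[2214]: MDLOG,i7A4Eddd004,virus,Example.Worm.B,143.30.12.7,a@example.edu,d@example.org,re
Aug 10 00:15:30 mx1 mimedefang.pl[2215]: MDLOG,i7A4Feee005,virus,Example.Worm.A,143.300.1.1,y@example.net,d@example.org,re
Aug 10 00:16:30 mx1 mimedefang.pl[2215]: MDLOG,i7A4Gfff006,virus,Example.Worm.A,10.143.30.5,z@example.net,d@example.org,re
"""


def internal_virus_sources(lines, nets=INTERNAL_NETS):
    """Return {internal relay IP: sorted virus names} from 'virus' events."""
    hits = defaultdict(set)
    for line in lines:
        m = MDLOG_RE.search(line)
        if not m or m.group(2) != "virus":
            continue  # not an MDLOG line, or a different event such as spam
        virus, relay = unquote(m.group(3)), unquote(m.group(4))
        try:
            addr = ipaddress.ip_address(relay)
        except ValueError:
            continue  # malformed relay; a bare /143\.30/ match would accept it
        # Real network membership, so 10.143.30.5 is not mistaken for ours.
        if any(addr in net for net in nets):
            hits[str(addr)].add(virus)
    return {ip: sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    for ip, names in internal_virus_sources(SAMPLE_LOG.splitlines()).items():
        print(ip, ", ".join(names))
```
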