[Mimedefang] Validate users before scanning? + Idea...

Paul Whittney pwhittney at net.arrivetech.com
Wed May 4 11:39:30 EDT 2005


Tina,

I suppose you could get mimedefang to open up the virtualUsers.db
file from sendmail before the virus scanner runs. I've seen code
snips from others that open the db files and use the data. Just a
thought. Not sure how useful it is.

Not sure if this is on topic or not...

With one group of servers I just don't have the power to run AV code
on them, nor do I want to uncompress every zip file to test for
files (anyway, our software guys still need to send .exe's, and
via zip files is the only way left to them, due to my rules), so
I'm matching on the attachment's Base64 coding in sub filter.
I think there's a copy of my ziptest code around somewhere, but
grab the first line of $entity->body() and if it matches
 UEsDBAoAAAAAA.{6}uS6g1MtEAADLRAAAmAA 
flag it as Sober.O (or P... or whatever the code is). As it seems the
zip files are named differently, but the .exe or .pif starts with the
same name in the file.

Your decision to quarantine, and replace, or discard.

So far it's got 300 hits (on 4000 email names, as the virus has found
multiple addresses, I guess) in the last 24 hours. I get the MIMEDefang
quarantine emails, and so far they all look good. Now, I've isolated
3 sole IPs that are relaying this data, and added them to the access.db.

Curious on any thoughts, or issues, people see with this.

Best Regards,
	Paul Whittney


On Wed, May 04, 2005 at 08:53:41AM -0500, Tina Marie wrote:
> Thanks to an auto-updating clamAV and mimeDefang, I didn't even
> notice the new Sober.P worm until I noticed my load up a bit
> (from all the scanning).
> 
> It looks to me like most of the ones I'm getting are addressed
> to addresses that sendmail is going to reject in the virtuser
> table.  It seems like a waste to scan these if I was going to
> reject them as NoSuchUser anyway.
> 
> I googled, but I didn't see anything applicable, but that was 
> probably my lack of a sufficiently good search string.  I
> found lots of ways to do it with LDAP, but I just have one 
> machine, and that seems like overkill.
> 
> Is there a way to check, from MimeDefang, that, yes, this
> address is deliverable, before I try to scan it?
> 
> Thanks!
> 
> Tina Marie
> -- 
> http://www.tripacerdriver.com               "...One of the main causes 
> of the fall of the Roman Empire was that, lacking zero, they had no way
> to indicate successful termination of their C programs." (Robert Firth)  
> 
> _______________________________________________
> Visit http://www.mimedefang.org and http://www.canit.ca
> MIMEDefang mailing list
> MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
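An added example (not code from this thread or from MIMEDefang itself) of a mimedefang-filter that does both things discussed above: filter_recipient rejects addresses absent from sendmail's virtusertable before anything is scanned, and filter matches the first base64 line of a zip attachment against the Sober signature Paul quotes. It assumes the map lives at /etc/mail/virtusertable.db, that mimedefang runs with -r so filter_recipient is called, and that Perl's DB_File links the same Berkeley DB version sendmail used to build the map.

```perl
use strict; use warnings;
use Fcntl qw(O_RDONLY);
use DB_File;
use MIME::Base64 qw(encode_base64);
my $VirtUserDB = '/etc/mail/virtusertable.db';        # assumed path of sendmail's map
# First base64 line of the Sober.O/P zip attachment, exactly as quoted in the thread.
my $SoberSig = qr/^UEsDBAoAAAAAA.{6}uS6g1MtEAADLRAAAmAA/;
# True if the virtusertable has an entry for the address (exact user, then @domain).
sub virtuser_known {
    my ($addr) = @_;
    ($addr = lc $addr) =~ s/^<|>$//g;
    my ($user, $domain) = split /\@/, $addr, 2;
    return 1 unless defined $domain;                  # no domain part: not ours to judge
    my %db;
    tie(%db, 'DB_File', $VirtUserDB, O_RDONLY, 0644, $DB_HASH) or return 1;   # fail open
    # maps built with "makemap -N" store keys with a trailing NUL byte, so try both forms
    my $found = grep { exists $db{$_} || exists $db{"$_\0"} } ("$user\@$domain", "\@$domain");
    untie %db;
    return $found;
}
# Called per RCPT TO when mimedefang runs with -r; unknown users never reach the scanner.
sub filter_recipient {
    my ($recipient) = @_;                             # remaining arguments unused here
    return ('REJECT', 'User unknown') unless virtuser_known($recipient);
    return ('CONTINUE', 'ok');
}
# True if the attachment starts with the Sober signature. Reads raw bytes, not a line,
# because a decoded zip header already contains 0x0a at offset 4 ("PK\x03\x04\x0a\x00").
sub looks_like_sober {
    my ($entity) = @_;
    my $bh = $entity->bodyhandle or return 0;
    my $io = $bh->open('r') or return 0;
    my $buf = '';
    $io->read($buf, 60);
    $io->close;
    return 1 if $buf =~ $SoberSig;                    # body still base64-encoded
    # MIME::Parser with decode_bodies(1) stores the decoded zip: re-encode 30 bytes (40 chars)
    return encode_base64(substr($buf, 0, 30), '') =~ $SoberSig ? 1 : 0;
}
sub filter {
    my ($entity, $fname, $ext, $type) = @_;
    return action_accept() unless $fname =~ /\.zip$/i;
    if (looks_like_sober($entity)) {
        action_quarantine_entire_message('Sober.O/P signature in zip attachment');
        return action_discard();
    }
    return action_accept();
}
```

A signature this narrow only catches the variant it was written for, so it complements rather than replaces the ClamAV scan on hosts that can afford one.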
