[Avcheck] Virus notify

Michael Tokarev mjt@tls.msk.ru
Wed, 29 May 2002 16:43:00 +0400


Martin Jaggi wrote:
> 
> Hi
> 
> I've added
> 
> /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/ reject
> 
> to my body_check file from Postfix, so most of all Klez are rejected before
> they are passed to avcheck.

This will not prevent bounces to unrelated people anyway, but in this
case it's not the Postfix machine that sends a bounce but the sending machine.
But I too added a similar regex, though a slightly different one:

 /^<iframe src=3Dcid:\S+ height=3D0 width=3D0>/ REJECT No IFRAMEs please
 /^<FONT>/ REJECT No viruses wanted here

(this is pcre, due to \S; and I don't remember which virus uses this
second silly "<FONT>" construct, there are quite a few such rejects in
my maillog).

[]
> > I have a small problem, because of the big impact of the Klez virus, some of
> > my customers are receiving daily hundreds of mails as if they were
> > infected, but the mails are not real because the virus Klez is supplanting
> > its email address on other guy, anyone have the same problem? have you
> > done anything about this, or just delete all the mail?

In my `infected' handler, in the part that sends the sender notification, there
is this code:

################ send alert to sender
if [ ".$INFORM_SENDER" = .y -o ".$INFORM_SENDER" = .h ] ; then
 # check if the message is from any list manager or from special address

 if echo "$SENDER" | $EGREPqi \
  '(^$|daemon|request|bounce|mailer|postm|owner|lists|words|majordom|experts|\-(return|error))'
 then
   : # do nothing for special sender addresses
 elif sed -e '/^$/q' "$MAIL" | $EGREPqi \
  '^((x-)?(loop|(mailing-)?list(name|member)|mailman)|precedence: (bulk|list|junk))'
 then
   : # do nothing when some special header present
############################# VVV this one VVV #################################
 elif [ ".$MSG" = ".infected with Win32.HLLM.Klez.4" ] ; then
   : # do nothing when this is a Klez that uses fake sender address
############################# ^^^ this one ^^^ #################################
 else
   # really send sender virus alert
  ...

or something like that.  The message should be exactly the same as returned by
your virus scanner for this virus, or else the [ ] test will fail.  The above is
for DrWeb.  Maybe it is better to use a `case' statement, or

  echo ".$MSG" | $EGREPqi klez

but the "idea" is the same: do not send sender notification/bounce if there is
a klez or other similar virus.

/mjt
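The two ideas in the mail above, the body_checks line for the Klez iframe and the "do not notify the sender" decision in the infected handler, as one stand-alone shell example. This is added here for illustration and is not code from the original message or from avcheck: the function names `klez_iframe_line` and `should_notify` are chosen for the example, `grep -Eiq` stands in for the handler's `$EGREPqi` variable, the `\S` of the pcre pattern is written as `[^[:space:]]` because grep -E has no `\S`, and the scanner string is matched with a `case` pattern instead of the exact-string `[ ]` test so that a slightly different scanner message still suppresses the bounce. All message headers and scanner strings used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the original mail. Sample data below is constructed.

# Return 0 (true) when one line of a decoded message body is the Klez
# <iframe> line that the body_checks regex rejects. grep -E has no \S,
# so [^[:space:]] stands in for it; (3D)? allows the quoted-printable form.
klez_iframe_line() {
    printf '%s\n' "$1" | grep -Eiq \
        '^<iframe src=(3D)?cid:[^[:space:]]+ height=(3D)?0 width=(3D)?0>'
}

# Decide whether a "you sent us a virus" notification should go out.
#   $1 = envelope sender address
#   $2 = file holding the message (headers, blank line, body)
#   $3 = scanner result string, e.g. "infected with Win32.HLLM.Klez.4"
# Returns 0 when the sender should be notified, 1 when the notification
# is suppressed (list manager, bulk mail, or a virus that forges senders).
should_notify() {
    sender=$1 mail=$2 msg=$3

    # 1. Special sender addresses: daemons, list owners, bounce/return paths.
    #    An empty sender (null return path) also matches via ^$.
    if printf '%s\n' "$sender" | grep -Eiq \
        '(^$|daemon|request|bounce|mailer|postm|owner|lists|words|majordom|experts|-(return|error))'
    then
        return 1
    fi

    # 2. Headers that mark list or bulk traffic. sed quits at the first
    #    empty line, so only the header block is searched, never the body.
    if sed -e '/^$/q' "$mail" | grep -Eiq \
        '^((x-)?(loop|(mailing-)?list(name|member)|mailman)|precedence: (bulk|list|junk))'
    then
        return 1
    fi

    # 3. Viruses known to forge the From address: a case pattern tolerates
    #    small differences in the scanner's wording (a new variant number,
    #    different capitalisation) where an exact [ ] string compare would not.
    case $msg in
        *[Kk][Ll][Ee][Zz]*) return 1 ;;
    esac

    return 0
}

# Demo: write two constructed messages and print the decisions.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'From: alice@example.com\nSubject: report\n\nsee attachment\n' > "$dir/plain"
    printf 'From: list@example.org\nPrecedence: bulk\n\nnewsletter\n' > "$dir/bulk"

    for m in plain bulk; do
        for v in "infected with SomeOtherVirus" "infected with Win32.HLLM.Klez.4"; do
            if should_notify "alice@example.com" "$dir/$m" "$v"; then
                echo "$m / '$v': notify sender"
            else
                echo "$m / '$v': suppress notification"
            fi
        done
    done
    rm -rf "$dir"
}

demo
```

The `case` test is deliberately broader than the original handler's single exact string: any scanner message containing "klez", in any capitalisation, suppresses the notification, which is the behaviour the mail suggests with its `echo ".$MSG" | $EGREPqi klez` alternative.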