[Avcheck] Virus notify
Michael Tokarev
mjt@tls.msk.ru
Wed, 29 May 2002 16:43:00 +0400
Martin Jaggi wrote:
>
> Hi
>
> I've added
>
> /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/ reject
>
> to my body_check file from Postfix, so mostof all klez are rejected before
> they are passed to avcheck.
This will not prevent bounces to unrelated people anyway, but in this
case it's not the Postfix machine that sends a bounce but the sending machine.
But I too added a similar regex, although a slightly different one:
/^<iframe src=3Dcid:\S+ height=3D0 width=3D0>/ REJECT No IFRAMEs please
/^<FONT>/ REJECT No viruses wanted here
(this is pcre, because of the \S; and I don't remember which virus uses this
second silly "<FONT>" construct, but there are quite a few such rejects in
my maillog).
[]
> > I have a small problem: because of the big impact of the Klez virus, some of
> > my customers are receiving daily hundreds of mails as if they were
> > infected, but the mails are not real because the Klez virus is supplanting
> > its email address with some other guy's. Anyone have the same problem? Have you
> > done anything about this, or just deleted all the mail?
In my `infected' handler, in the part that sends the sender notification, there
is this code:
################ send alert to sender
if [ ".$INFORM_SENDER" = .y -o ".$INFORM_SENDER" = .h ] ; then
  # check if the message is from any list manager or from a special address
  if echo "$SENDER" | $EGREPqi \
     '(^$|daemon|request|bounce|mailer|postm|owner|lists|words|majordom|experts|\-(return|error))'
  then
    : # do nothing for special sender addresses
  # sed prints only the header block (everything up to the first empty line)
  elif sed -e '/^$/q' "$MAIL" | $EGREPqi \
     '^((x-)?(loop|(mailing-)?list(name|member)|mailman)|precedence: (bulk|list|junk))'
  then
    : # do nothing when some special (mailing-list) header is present
  ############################# VVV this one VVV #################################
  elif [ ".$MSG" = ".infected with Win32.HLLM.Klez.4" ] ; then
    : # do nothing when this is a Klez that uses a fake sender address
  ############################# ^^^ this one ^^^ #################################
  else
    # really send the sender virus alert
    ...
  fi
fi
or something like that. The message should be exactly the same as returned by
your virus scanner for this virus, or else the [ ] test will fail. The above is
for DrWeb. Maybe it is better to use a `case' statement, or
echo ".$MSG" | $EGREPqi klez
but the "idea" is the same: do not send a sender notification/bounce if there is
a Klez or other similar virus.
/mjt
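As an added example, not part of this thread or of avcheck itself: the same three-way gate as a stand-alone POSIX sh function, taking the envelope sender, the header block and the scanner verdict as arguments, with `grep -E` assumed in place of $EGREPqi, the site-specific tokens dropped from the sender pattern, and the Klez test done with `case` so that it is not tied to one scanner's exact wording.

```shell
#!/bin/sh
# Sender-notification gate for an avcheck-style "infected" handler.
# Arguments: envelope sender, header block, scanner verdict string.
# Returns 0 when an alert to the sender is appropriate, 1 when it must be
# suppressed because the sender is a list manager, the message carries
# list headers, or the virus is one that forges the sender address.
should_notify_sender() {
    sender=$1     # envelope sender (empty for null-sender bounces)
    headers=$2    # header block, i.e. what `sed -e '/^$/q' "$MAIL"` yields
    verdict=$3    # e.g. "infected with Win32.HLLM.Klez.4"

    # 1. Automated senders never get an alert (grep -E stands in for
    #    avcheck's $EGREPqi; assumed equivalent for this pattern).
    if printf '%s\n' "$sender" | grep -Eqi \
        '(^$|daemon|request|bounce|mailer|postm|owner|lists|majordom|-(return|error))'
    then
        return 1
    fi

    # 2. Mailing-list traffic never gets an alert either.
    if printf '%s\n' "$headers" | grep -Eqi \
        '^((x-)?(loop|(mailing-)?list(name|member)|mailman)|precedence: (bulk|list|junk))'
    then
        return 1
    fi

    # 3. Viruses that fake the sender: the address belongs to a victim,
    #    so an alert would be a bogus bounce. Matched by name with `case`,
    #    which tolerates scanner-specific variants of the verdict text.
    case $verdict in
        *[Kk][Ll][Ee][Zz]*) return 1 ;;
    esac
    return 0
}

# Prints the decision as a word, convenient for logging in the handler.
notify_decision() {
    if should_notify_sender "$1" "$2" "$3"; then echo notify; else echo suppress; fi
}

# Constructed sample: a Klez hit whose From: is a forged, innocent address.
SAMPLE_HEADERS='From: victim@example.org
Subject: a very funny website'
notify_decision 'victim@example.org' "$SAMPLE_HEADERS" 'infected with Win32.HLLM.Klez.4'
```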