[plug] filtering virus infected files

Jason Nicholls jason at mindsocket.com.au
Mon May 8 11:04:32 WST 2000


Hello,

On Mon, May 08, 2000 at 11:04:52AM +0800, Mike Hasleby wrote:
> With the advent of yet another email virus in the guise of the “love
> bug” last week, am I wrong in suspecting that on our email servers we
> can put in a filter to siphon off messages containing a string of text
> in the subject, and redirect it to /dev/null ? Thus eliminating the
> problem of known viruses before they get to their destination.
> Is this possible or am I dreaming?

It's possible. If you join the CERT mailing list they even sent out the
appropriate lines to add to various configs (for sendmail, procmail, etc...). 
For convenience I'll post some of them here now:

Sendmail
   
   The following sendmail rule will delete all messages with the Subject:
   line ILOVEYOU:
   
   HSubject:[tab][tab][tab]$>Check_Subject
   D{MPat}ILOVEYOU
   D{MMsg}This message may contain the ILOVEYOU virus
   SCheck_Subject
   R${MPat} $*[tab]$#error $: 553 ${MMsg}
   RRe: ${MPat} $*[tab]$#error $: 553 ${MMsg}
   RFW: ${MPat} $*[tab]$#error $: 553 ${MMsg}

Procmail
   
   This procmail rule also deletes any messages with the Subject: line
   containing "ILOVEYOU":

   :0 D
   * ^Subject:[[tab] ]+ILOVEYOU
   /dev/null



Hope that helps!

Jason Nicholls
--------------------------------------------------------------------
Jason Nicholls    icq: 11745841	   email: <jason at mindsocket.com.au>
Proprietor			  mobile: 0417 410 811
Mind Socket [web services]          http://www.mindsocket.com.au/
--------------------------------------------------------------------
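
An added example, not part of the original post or of the CERT text it quotes: a dry run of the procmail condition above over constructed messages, to see what the recipe would send to /dev/null before it is deployed. It assumes "[tab]" stands for a literal tab and uses Python's `re` as a stand-in for procmail's egrep-style matching; the addresses and sample subjects are made up.

```python
import re

# The recipe's condition, with "[tab]" read as a literal tab (assumption).
# The recipe's D flag means case-sensitive matching, so no re.IGNORECASE.
CONDITION = re.compile(r"^Subject:[\t ]+ILOVEYOU", re.MULTILINE)

def header_block(raw: str) -> str:
    """Header only, since a procmail condition tests the header by default."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    # Assumption: folded header lines are joined before matching.
    return re.sub(r"\n(?=[ \t])", "", head)

def would_discard(raw: str) -> bool:
    """True if the recipe would deliver this message to /dev/null."""
    return CONDITION.search(header_block(raw)) is not None

def msg(subject: str, body: str = "hello") -> str:
    """Build a constructed test message (hypothetical addresses)."""
    return ("From: a@example.org\nTo: b@example.org\n"
            f"Subject: {subject}\n\n{body}\n")

# Constructed samples, not real traffic.
SAMPLES = {
    "exact subject": msg("ILOVEYOU"),
    "tab after colon": msg("\tILOVEYOU"),
    "advisory about the virus": msg("ILOVEYOU virus advisory"),
    "reply prefix": msg("Re: ILOVEYOU"),
    "lowercase subject": msg("iloveyou"),
    "body mention only": msg("lunch", "Subject: ILOVEYOU"),
}

def coverage() -> dict:
    """Map each sample name to whether the recipe would discard it."""
    return {name: would_discard(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in coverage().items():
        print(f"{'DISCARD' if hit else 'deliver':8} {name}")
```

The "advisory about the virus" row is the one to note: a legitimate warning whose subject starts with the same word is discarded with no bounce and no copy, which is a reason to try a /dev/null recipe against saved mail first.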



