[unisog] Sendmail Filter for Sircam

Alex fletchra at post.queensu.ca
Tue Jul 31 15:59:12 GMT 2001


> I am getting a lot of Sircam infected email.  Our email gateway is sendmail,
> but we have no filtering in place.  Does anyone have a pointer to a milter
> for Sircam or information on filtering for this or other rogue email?
We use sendmail and procmail for local delivery, and this is what the main
portion of our procmail recipe looks like (I admit that this isn't the
most beautiful recipe, but it's functional, and that's what I was aiming
for at the time):

You'll note that we save the incoming stuff, just to see how much of it is
coming in, but we do compress it (on one machine, the gzip'd file is well
over 225Mb now, in less than a week).

---8<---
SHELL=/bin/sh
PATH=/bin:/usr/bin
VERBOSE=off
# where caught mail is kept (gzip'd archives plus an mbox of renamed ones)
VIR_DIR=/export/spare3

# this should catch 90% of the english sircam worm
# we check the headers and body in it (H = header, B = body; all
# conditions must match). the pipe is the delivery action, so a
# matching message is archived by gzip and never delivered.
:0 HB
*^Content-Type:.*(multipart|attachment)
*^Hi.* How are you
*^I send you this file
*^See you later
| /opt/local/bin/gzip -c >>$VIR_DIR/virii-e.gz

# this should catch 90% of the spanish sircam worm.
# run only if the prior did not run (E = else), and check hdr + bdy
:0 EHB
*^Content-Type:.*(multipart|attachment)
*^Hola como estas
*^Te mando este archivo para
*^Nos vemos pronto
| /opt/local/bin/gzip -c >>$VIR_DIR/virii-s.gz

# check the rest of the damned things for possible virus/unusual
# extensions, and only run if the priors did not.
# added 'bak' and 'lnk' jul24/01 - ae
:0 E
*^Content-type: (multipart/mixed|application/octet-stream)
{
  :0 HB
  *^Content-Disposition: (attachment|inline);
  *filename=".*\.(vbs|wsf|vbe|wsh|hta|pif|bat|lnk)"
  {
    SHELL=/bin/sh
    # f = filter, h+b = feed header and body to the filter, w = wait for it.
    # sed rewrites name="foo.xxx" (any three-letter extension, which covers
    # every extension listed above) to name="foo.xxx.txt", so the attachment
    # is no longer directly executable from a mail client.
    :0 fhbw
    |/usr/bin/sed -e 's/\([nN][aA][mM][eE]=".*\....\)"/\1.txt"/'

    # c = carbon copy: append a copy to the mbox, then carry on to normal delivery
    :0 c
    $VIR_DIR/virusmail
  }
}
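The same two checks the recipe performs (match the worm's stock body phrases per language, then defang risky attachment names by appending ".txt"), as an added example that is not part of the original post, written against Python's standard email module. The message it builds is constructed for the demonstration, and the addresses are placeholders.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Optional

# Body phrases the recipe anchors on, one set per language variant of the worm.
# procmail matches case-insensitively and anchors ^ at each line, hence re.I | re.M.
SIGNATURES = {
    lang: [re.compile(p, re.I | re.M) for p in pats]
    for lang, pats in {
        "english": (r"^Hi.* How are you", r"^I send you this file", r"^See you later"),
        "spanish": (r"^Hola como estas", r"^Te mando este archivo para", r"^Nos vemos pronto"),
    }.items()
}
# Attachment extensions the recipe defangs by appending ".txt" to the name.
RISKY_EXT = re.compile(r"\.(vbs|wsf|vbe|wsh|hta|pif|bat|lnk)$", re.I)

def classify(msg: EmailMessage) -> Optional[str]:
    """Return 'english' or 'spanish' when the text body carries all three stock phrases."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for lang, patterns in SIGNATURES.items():
        if all(p.search(text) for p in patterns):
            return lang
    return None

def defang_attachments(msg: EmailMessage) -> int:
    """Rename risky attachments in place ('x.pif' -> 'x.pif.txt'); return how many were renamed."""
    count = 0
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if RISKY_EXT.search(name):
            part.set_param("filename", name + ".txt", header="Content-Disposition")
            if part.get_param("name") is not None:  # the sed line also rewrote name="..." in Content-Type
                part.set_param("name", name + ".txt")
            count += 1
    return count

def build_and_scan(body_text: str, filename: str):
    """Build a constructed message, serialise and re-parse it as a gateway would, then filter it."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.invalid", "postmaster@example.invalid", "report"
    m.set_content(body_text)
    m.add_attachment(b"not a real worm", maintype="application", subtype="octet-stream", filename=filename)
    parsed = email.message_from_bytes(m.as_bytes(), policy=policy.default)
    lang = classify(parsed)
    renamed = defang_attachments(parsed)
    return lang, renamed, [p.get_filename() for p in parsed.iter_attachments()]
```

Unlike the recipe, this version keeps and delivers the classified message rather than archiving it, so the caller decides whether to quarantine based on the returned language tag.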
