Security Incidents mailing list archives
Re: Sendmail.cf Was : RE: NEW VIRUS FOUND
From: David Luyer <david_luyer () PACIFIC NET AU>
Date: Tue, 13 Feb 2001 21:14:20 +1100
[Moderator: Don't approve this if you didn't approve the query]
> Hi, Could you please expand on this script?
Not really the right mailing list for sendmail config file help... but;
> Alternatively point me to some resources on the sendmail.cf and scripting with it.
http://www.sendmail.org/ should have something.
> Do changes to the sendmail.cf file require a recompile of sendmail (redhat rpm 6.2 version)?
No, but you may prefer to put this in sendmail.mc after a LOCAL_RULESETS directive and rebuild sendmail.cf from that if that's how you build your sendmail configs. Or you can just put it directly into sendmail.cf if you don't use sendmail.mc to generate configs.
> I've filled in as much as I understand on the section below... Basically I don't understand the H's and the R's and S's -
OK, I've deleted your comments and I'll just put my own in... Note that TAB vs SPACE is _very_ important in sendmail.cf.
> If this looks like a stupid question just remember where you were a couple of years back and how little you knew then!!
A couple of years back, well, that'd be 1999 when I wrote a paper which included spam reduction via sendmail rulesets, specifically one example being HX-UIDL: $>RejectIncomingUIDL or similar from memory, to stop spammers from deliberately breaking POP servers by inserting fake UIDLs so their message was downloaded every time a client connected (a common practice at the time; I don't have time to look at spam these days unfortunately but I expect it would still be common).

Now, a decade back, I had no idea about sendmail.cf.... :-) but I'm sure there are people on this list you could have said "think about a decade back" to and they'd say "well, my sendmail.cf was somewhat smaller a decade back, but I still knew how to configure it".

Anyway... to try and explain one of the best known config files on Unix to the small extent needed to do simple spam blocking in little typing; a rule is of the format:

RPATTERN TAB(s) RESULT TAB(s) COMMENT

A space is just any other character. A tab or sequence of tabs is the field separator. If "PATTERN" is matched, the current data is substituted with "RESULT" (or any desired action taken). A $: says to go to the next rule once this is done, a $@ says to return immediately; if neither is present the same rule will be re-evaluated until it isn't matched.
HSubject: $>CheckSubject
H-line (Header): Header "Subject" - divert to ruleset ($>) "CheckSubject".
SCheckSubject
S-line (Ruleset): Here follows ruleset "CheckSubject".
RILOVEYOU $#error $: 553 ILOVEYOU Virus detected
R-line (Rule): If the data matches ILOVEYOU exactly, return with the error
RHere you have, ;o) $#error $: 553 Anna Kournikova virus detected
R-line (Rule): If the data matches Here you have, ;o) exactly, return with the error.
Kchkfrm regex -a@REJ hahaha@sexyfun.net
Now here's a virus which was almost fully polymorphic and varied to multiple languages (I saw variants in a couple of languages) but always had the same From: header (although not the same "mail from:" location). So... K-line (define map class) defining a regular expression map; matches are replaced with @REJ by the -a@REJ flag when the pattern hahaha@sexyfun.net is contained. Note that this requires your sendmail to be compiled with regex support - Debian Linux sendmail is already, and default builds on BSD/OS and Solaris support it too, so I'm happy :-)
HFrom: $>CheckFromHeader
H-line (Header): Header "From" - divert to ruleset ($>) "CheckFromHeader"
SCheckFromHeader
S-line (Ruleset): Here follows ruleset "CheckFromHeader"
R$* $: $(chkfrm $1 $)
R-line (Rule): for anything ($* matches anything and is parsed to $1, the first positional parameter), do the following and feed the result to the next rule ($:) [prevents recursion on that rule] - $(chkfrm $1 $), which means look up $1 (the passed in from header) in map chkfrm (the defined map class which is actually a regular expression lookup).
R@REJ $#error $: 553 Some virus detected
R-line (Rule): If the data now matches @REJ, return the error.

David.

--
David Luyer                                    Phone: +61 3 9674 7525
Senior Network Engineer       P A C I F I C    Fax:   +61 3 9699 8693
Pacific Internet (Australia)  I N T E R N E T  Mobile: +61 4 1111 2983
http://www.pacific.net.au/                     NASDAQ: PCNTF