Security Incidents mailing list archives

Re: Sendmail.cf Was : RE: NEW VIRUS FOUND


From: David Luyer <david_luyer () PACIFIC NET AU>
Date: Tue, 13 Feb 2001 21:14:20 +1100

[Moderator: Don't approve this if you didn't approve the query]

Hi,
> Could you please expand on this script?

Not really the right mailing list for sendmail config file help... but;

> Alternatively point me to some
> resources on the sendmail.cf and scripting with it.

http://www.sendmail.org/ should have something.

> Do changes to the sendmail.cf file require a recompile of sendmail (redhat
> rpm 6.2 version)?

No, but you may prefer to put this in sendmail.mc after a LOCAL_RULESETS
directive and rebuild sendmail.cf from that if that's how you build your
sendmail configs.  Or you can just put it directly into sendmail.cf if
you don't use sendmail.mc to generate configs.

> I've filled in as much as I understand on the section below... Basically I
> don't understand the H's and the R's and S's -

OK, I've deleted your comments and I'll just put my own in...

Note that TAB vs SPACE is _very_ important in sendmail.cf.

> If this looks like a stupid question just remember where you were a couple
> of years back and how little you knew then!!

A couple of years back, well, that'd be 1999 when I wrote a paper which
included spam reduction via sendmail rulesets, specifically one example
being HX-UIDL: $>RejectIncomingUIDL or similar from memory to stop spammers
from deliberately breaking POP servers by inserting fake UIDLs so their
message was downloaded every time a client connected (a common practice at
the time, I don't have time to look at spam these days unfortunately but
I expect it would be still common).  Now, a decade back, then I had no idea
about sendmail.cf....:-) but I'm sure there are people on this list you
could have said "think about a decade back" and they'd say "well, my
sendmail.cf was somewhat smaller a decade back, but I still knew how to
configure it".

Anyway... to try and explain one of the best known config files on Unix to
the small extent needed to do simple spam blocking in little typing;

A rule is of the format:

RPATTERN TAB(s) RESULT TAB(s) COMMENT

A space is just any other character.  A tab or sequence of tabs is the
field separator.

If "PATTERN" is matched, the current data is substituted with "RESULT"
(or any desired action taken).  A $: says to go to the next rule once
this is done, a $@ says to return immediately; if neither is present the
same rule will be re-evaluated until it isn't matched.

HSubject: $>CheckSubject

H-line (Header): Header "Subject" - divert to ruleset ($>) "CheckSubject".

SCheckSubject

S-line (Ruleset): Here follows ruleset "CheckSubject".

RILOVEYOU           $#error $: 553 ILOVEYOU Virus detected

R-line (Rule): If the data matches ILOVEYOU exactly, return with the error

RHere you have, ;o) $#error $: 553 Anna Kournikova virus detected

R-line (Rule): If the data matches Here you have, ;o) exactly, return with
the error.

Kchkfrm regex -a@REJ hahaha () sexyfun net

Now here's a virus which was almost fully polymorphic and varied to multiple
languages (I saw variants in a couple of languages) but always had the same
From: header (although not the same "mail from:" location).  So...

K-line (define map class) defining a regular expression map, matches are
replaced with @REJ by the -a@REJ flag, when the pattern hahaha () sexyfun net
is contained.  Note that this requires your sendmail to be compiled with
regex support - Debian Linux sendmail is already, and default builds on
BSD/OS and Solaris support it too, so I'm happy :-)

HFrom: $>CheckFromHeader

H-line (Header): Header "From" - divert to ruleset ($>) "CheckFromHeader"

SCheckFromHeader

S-line (Ruleset): Here follows ruleset "CheckFromHeader"

R$* $: $(chkfrm $1 $)

R-line (Rule): for anything ($* matches anything and is parsed to $1, the
first positional parameter), do the following and feed the result to the
next rule ($:) [prevents recursion on that rule] - $(chkfrm $1 $), which
means look up $1 (the passed in from header) in map chkfrm (the defined
map class which is actually a regular expression lookup).

R@REJ       $#error $: 553 Some virus detected

R-line (Rule): If the data now matches @REJ, return the error.

David.
--
David Luyer                                        Phone:   +61 3 9674 7525
Senior Network Engineer        P A C I F I C       Fax:     +61 3 9699 8693
Pacific Internet (Australia)  I N T E R N E T      Mobile:  +61 4 1111 2983
http://www.pacific.net.au/                         NASDAQ:  PCNTF
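The rule semantics described in the post above (exact-match R-lines, `$:` versus `$@` versus re-evaluation, a `K` regex map with `-a@REJ`, and header lines diverting to rulesets) modelled in Python as an added example; this is not sendmail code and not from the original mail, just a toy evaluator so the control flow can be exercised offline. The regex map pattern assumes the archive's obfuscated `hahaha () sexyfun net` is the address with `@` and `.` restored, whitespace collapsing stands in for sendmail's real tokenizer, and the sample headers are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Toy evaluator for the R-line behaviours the mail describes:
#   $:        rewrite, then move on to the next rule
#   $@        rewrite, then return from the ruleset immediately
#   (neither) re-evaluate the same rule until it no longer matches
#   $#error   resolve to the error mailer with the given 553 text
CONTROL_NEXT, CONTROL_RETURN, CONTROL_LOOP, CONTROL_ERROR = "$:", "$@", "", "$#error"


@dataclass
class Rule:
    matches: Callable[[str], bool]   # the LHS pattern test
    rewrite: Callable[[str], str]    # the RHS rewrite (or the error text)
    control: str                     # one of the CONTROL_* values above


def run_ruleset(rules: List[Rule], data: str, max_steps: int = 100) -> Tuple[str, str]:
    """Apply rules in order; return ("error", text) or ("accept", rewritten data)."""
    i, steps = 0, 0
    while i < len(rules):
        rule = rules[i]
        if not rule.matches(data):
            i += 1                      # LHS did not match: try the next rule
            continue
        if rule.control == CONTROL_ERROR:
            return ("error", rule.rewrite(data))
        data = rule.rewrite(data)
        if rule.control == CONTROL_RETURN:
            return ("accept", data)
        if rule.control == CONTROL_NEXT:
            i += 1
        # CONTROL_LOOP: stay on the same rule and re-evaluate it on its own output
        steps += 1
        if steps > max_steps:
            raise RuntimeError("rule keeps matching its own output (missing $: or $@?)")
    return ("accept", data)


def literal(pattern: str) -> Callable[[str], bool]:
    """Exact-match LHS; collapsing whitespace is a stand-in for sendmail's tokenizing."""
    want = " ".join(pattern.split())
    return lambda data: " ".join(data.split()) == want


class RegexMap:
    """K-line 'regex' map with -aSUFFIX: on a match return the suffix, else the key."""
    def __init__(self, pattern: str, append: str = "@REJ"):
        self.regex = re.compile(pattern)
        self.append = append

    def lookup(self, key: str) -> str:
        return self.append if self.regex.search(key) else key


# Kchkfrm regex -a@REJ hahaha@sexyfun.net
# (assumption: the archive's "hahaha () sexyfun net" is that address with '@' and '.' restored)
chkfrm = RegexMap(r"hahaha@sexyfun\.net")

# SCheckSubject
CHECK_SUBJECT = [
    Rule(literal("ILOVEYOU"), lambda d: "553 ILOVEYOU Virus detected", CONTROL_ERROR),
    Rule(literal("Here you have, ;o)"), lambda d: "553 Anna Kournikova virus detected", CONTROL_ERROR),
]

# SCheckFromHeader
CHECK_FROM = [
    Rule(lambda d: True, chkfrm.lookup, CONTROL_NEXT),                          # R$*   $: $(chkfrm $1 $)
    Rule(literal("@REJ"), lambda d: "553 Some virus detected", CONTROL_ERROR),  # R@REJ $#error $: 553 ...
]

# A rule with neither $: nor $@ re-runs on its own output until the LHS stops matching
STRIP_RE = [Rule(lambda d: d.startswith("Re: "), lambda d: d[4:], CONTROL_LOOP)]

# HSubject: $>CheckSubject  /  HFrom: $>CheckFromHeader
HEADER_RULESETS = {"subject": CHECK_SUBJECT, "from": CHECK_FROM}


def check_headers(headers: List[Tuple[str, str]]) -> Optional[str]:
    """Return the 553 text from the first header check that fires, or None to accept."""
    for name, value in headers:
        ruleset = HEADER_RULESETS.get(name.lower())
        if ruleset is None:
            continue
        status, result = run_ruleset(ruleset, value)
        if status == "error":
            return result
    return None


# Constructed sample messages (not real captures)
SAMPLES = {
    "loveletter": [("From", "alice@example.com"), ("Subject", "ILOVEYOU")],
    "kournikova": [("From", "bob@example.com"), ("Subject", "Here you have,  ;o)")],
    "hybris":     [("From", "Hahaha <hahaha@sexyfun.net>"), ("Subject", "Greetings!")],
    "clean":      [("From", "carol@example.com"), ("Subject", "Re: ILOVEYOU (the film)")],
}


def classify_all() -> dict:
    return {name: check_headers(hdrs) for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:12s} -> {verdict or 'accepted'}")
```

The "clean" sample shows the point the post makes about exact matching: a Subject that merely contains ILOVEYOU is not rejected, only one that matches the R-line pattern outright, while the From check matches anywhere in the header because the K map is a regular-expression search. The `STRIP_RE` ruleset is there to make the "neither `$:` nor `$@`" case visible: the rule is re-applied to its own output until it no longer matches, which is also why a rule that always matches its own output would never terminate.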

