Vulnerability Development mailing list archives

Re: Sendmail vs *.vbs


From: mtinberg () MADISON TEC WI US (Mark Tinberg)
Date: Mon, 8 May 2000 09:25:45 -0500


I am using an older version of sendmail that doesn't support Subject: filtering.  I talked with the person who set up 
the box and after an aborted attempt to upgrade we did this:  Set HoldExpensive on for all your mail destinations, so 
that all mail is queued and not immediately delivered.  Then from a cron job run a script that quarantines any suspect 
mail and flushes the queue.  Script source included below.

#!/bin/bash
#
# Mail Macro virus quarantine script
#
# Written by Mark Tinberg 4 May 2000 (c)
# Licensed under version 2 of the GPL (General
# Public License)
#
# Meant to run from cron with HoldExpensive set in sendmail.cf, so every
# message sits in the queue until this script has looked at it.

# Declare some variables
MAILQ=/var/spool/mqueue
QUARANTINE=$MAILQ/quarantine
LIST=$QUARANTINE/virus.tmp
LOCKFILE=/var/lock/subsys/quarantine

# If this script is still running exit
if [ -f "$LOCKFILE" ] ; then
   echo "Lockfile exists: Are you still running another copy?"
   exit 1
fi
echo "$0" > "$LOCKFILE"
# Remove the lockfile however the script ends, so an aborted run does
# not block every later run
trap 'rm -f "$LOCKFILE"' EXIT
if [ ! -d "$QUARANTINE" ] ; then
   mkdir "$QUARANTINE"
fi
# Start with an empty list so a leftover from an aborted run is not reused
: > "$LIST"

# Kill running sendmail so no mail is delivered while processing
killall -w sendmail

# Find attached files by extension and quarantine suspicious messages
# (df = message body).  The -name patterns are quoted so the shell does
# not expand them against the current directory.
find "$MAILQ" -maxdepth 1 -name 'df*' -exec egrep -il 'filename=".*\.(vbs|vbe|wsh|hta|js)"' {} \; >> "$LIST"

# Find files with suspicious subject, make a list (qf = header/routing)
find "$MAILQ" -maxdepth 1 -name 'qf*' -exec egrep -il '^HSubject: (ILOVEYOU|Susitikim)' {} \; >> "$LIST"

#find $MAILQ -maxdepth 1 -name qf* -exec grep -l "^HSubject: ILOVEYOU" {} \; >> $LIST
#find $MAILQ -maxdepth 1 -name qf* -exec grep -l "^HSubject: Susitikim" {} \; >> $LIST
#find $MAILQ -maxdepth 1 -name qf* -exec grep -l "^HSubject: Joke" {} \; >> $LIST

# If the list is empty there are no files to move
if [ -s "$LIST" ] ; then
# Read list and quarantine both the qf and the df file of every listed
# message, whichever of the two was matched
   while read -r f ; do
      id=$(basename "$f")
      id=${id#??}          # strip the df/qf prefix to get the queue id
      for part in "$MAILQ/qf$id" "$MAILQ/df$id" ; do
         [ -f "$part" ] && mv "$part" "$QUARANTINE"
      done
   done < "$LIST"
# Log what was moved (cron mails the output)
   cat "$LIST"
fi
# Remove tempfile
rm -f "$LIST"

# Have sendmail process its queue
/usr/sbin/sendmail -q

# Restart sendmail
/usr/sbin/sendmail -bd

# Lockfile is removed by the EXIT trap above

Todd Garrison <tgarris () FRAMELOSS ORG> 05/08/00 01:11 AM >>>
I was really bummed when I saw how they did it... I want to be able to
block all *attachments* that have the string .vbs in the name - I don't
want to rely on subject headers alone, but I haven't quite figured out
how yet.  I played with my .mc/.cf configs in sendmail for about six
hours trying to get it to play nice, but the problem seems to be that
all the different mailers describe their attachments differently.  I
must be pretty thick in the head, but the fact that I know others want
to do the same thing and I have yet to see a filter that does it (in
sendmail that is) bums me out.

I could just use procmail, but that only seems to work for local
delivery and is not any good for a relay server (for example - reducing
the risks of running MS-Exchange as the front-line mail exchanger on the
internet by relaying through sendmail).  Maybe I am wrong on this though
- can procmail be configured to process mail that isn't delivered locally?

Any sendmail gurus out there that can help enlighten us lesser beings?

Thanks,
Todd

Sendmail.com has released a procedure to block the Love letter virus
that's been nailing a lot of people today.  This works for the
Unix and NT versions of Sendmail.

http://www2.sendmail.com/loveletter/
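Todd's observation that mailers describe attachments differently also applies to the egrep in the quarantine script above, which only matches a double-quoted filename= parameter. The following shell function is an added example, not code from the thread: it accepts unquoted values, name= on Content-Type as well as filename= on Content-Disposition, and RFC 2231 pieces such as filename*1=, and reuses the script's extension list; the df file layout is assumed from the script.

```shell
#!/bin/bash
# Added example (not from the thread): a more tolerant attachment check
# for sendmail df (message body) files, meant to replace the egrep in the
# quarantine script above.  That pattern only matches
#   filename="something.vbs"
# with double quotes.  Mailers also emit unquoted values, put name= on
# Content-Type instead of filename= on Content-Disposition, and split
# long names into RFC 2231 pieces (filename*0=, filename*1=, ...).

# Extensions to quarantine (same list as the script above).
BAD_EXT='vbs|vbe|wsh|hta|js'

# suspect_attachment FILE
# Prints each offending name=/filename= value (one per line, deduplicated)
# and returns 0 if at least one was found, 1 otherwise.
suspect_attachment() {
    local file=$1 hits

    # 1. grep -o: pull out every (file)name parameter, quoted or unquoted,
    #    including RFC 2231 variants such as filename*0= and name*=.
    #    The leading (^|[[:space:];]) keeps e.g. "username=" from matching.
    # 2. sed: keep only the value and strip surrounding double quotes.
    # 3. grep: keep values whose final extension is in BAD_EXT; the $
    #    anchor means .jsp or .js.txt do not match.
    hits=$(grep -Eio '(^|[[:space:];])(file)?name(\*[0-9]+)?\*?=[[:space:]]*("[^"]*"|[^[:space:];"]+)' "$file" \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/^"//; s/"$//' \
        | grep -Ei "\.(${BAD_EXT})$" \
        | sort -u)

    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 0
    fi
    return 1
}

# Drop-in use from the quarantine script: append suspect df files to $LIST.
#   for f in "$MAILQ"/df*; do suspect_attachment "$f" >/dev/null && echo "$f"; done >> "$LIST"
```

The printed values go to the cron output, so the log shows which parameter caused a message to be held.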

