Vulnerability Development mailing list archives
Re: Sendmail vs *.vbs
From: mtinberg () MADISON TEC WI US (Mark Tinberg)
Date: Mon, 8 May 2000 09:25:45 -0500
I am using an older version of sendmail that doesn't support Subject: filtering. I talked with the person who set up the box and after an aborted attempt to upgrade we did this: Set HoldExpensive on for all your mail destinations, so that all mail is queued and not immediately delivered. Then from a cron job run a script that quarantines any suspect mail and flushes the queue. Script source included below.

#!/bin/bash
#
# Mail Macro virus quarantine script
#
# Written by Mark Tinberg 4 May 2000 (c)
# Licensed under version 2 of the GPL (General
# Public License)
#

# Declare some variables
MAILQ=/var/spool/mqueue
QUARANTINE=$MAILQ/quarantine
LIST=$QUARANTINE/virus.tmp
LOCK=/var/lock/subsys/quarantine

# If this script is still running exit.  noclobber makes the redirection
# fail if the lockfile already exists, so two copies started at the same
# time cannot both get past this point.
if ! ( set -o noclobber ; echo "$0" > "$LOCK" ) 2>/dev/null ; then
    echo "Lockfile $LOCK exists: are you still running another copy?"
    exit 1
fi
mkdir -p "$QUARANTINE"
: > "$LIST"

# Kill running sendmail so no mail is delivered while processing
killall -w sendmail

# Find attached files by extension and quarantine suspicious messages.
# This only catches an attachment parameter written as filename="...",
# which is how most mailers emit it.
find "$MAILQ" -maxdepth 1 -name 'df*' -exec egrep -il \
    'filename="[^"]*\.(vbs|vbe|wsh|hta|js)"' {} \; >> "$LIST"

# Find files with suspicious subject, make a list
find "$MAILQ" -maxdepth 1 -name 'qf*' -exec egrep -il \
    '^HSubject: (ILOVEYOU|Susitikim)' {} \; >> "$LIST"
#find "$MAILQ" -maxdepth 1 -name 'qf*' -exec grep -l "^HSubject: ILOVEYOU" {} \; >> "$LIST"
#find "$MAILQ" -maxdepth 1 -name 'qf*' -exec grep -l "^HSubject: Susitikim" {} \; >> "$LIST"
#find "$MAILQ" -maxdepth 1 -name 'qf*' -exec grep -l "^HSubject: Joke" {} \; >> "$LIST"

# If list has a size of 0, there are no files to move
if [ -s "$LIST" ] ; then
    # Read list and quarantine both qf and df files (qf=header/routing,
    # df=message body).  Strip the path and the qf/df prefix to get the
    # queue ID, so a message matched on both files is only moved once.
    sed -e 's#.*/[dq]f##' "$LIST" | sort -u | while read -r id ; do
        mv -f "$MAILQ/qf$id" "$MAILQ/df$id" "$QUARANTINE"
    done
    # Log what was quarantined and remove tempfile
    cat "$LIST"
    rm -f "$LIST"
fi

# Have sendmail process its queue
/usr/sbin/sendmail -q

# Restart sendmail
/usr/sbin/sendmail -bd

# Remove lockfile
rm -f "$LOCK"
Todd Garrison <tgarris () FRAMELOSS ORG> 05/08/00 01:11 AM >>>
I was really bummed when I saw how they did it... I want to be able to block all *attachments* that have the string .vbs in the name - I don't want to rely on subject headers alone, but I haven't quite figured out how yet. I played with my .mc/.cf configs in sendmail for about six hours trying to get it to play nice, but the problem seems to be that all the different mailers describe their attachments differently. I must be pretty thick in the head, but the fact that I know others want to do the same thing and I have yet to see a filter that does it (in sendmail that is) bums me out. I could just use procmail, but that only seems to work for local delivery and is not any good for a relay server (for example - reducing the risks of running MS-Exchange as the front-line mail exchanger on the internet by relaying through sendmail). Maybe I am wrong on this though - can procmail be configured to process mail that isn't delivered locally? Any sendmail gurus out there that can help enlighten us lesser beings? Thanks, Todd
Sendmail.com has released a procedure to block the Love letter virus that's been nailing a lot of people today. This works for the Unix and NT versions of Sendmail. http://www2.sendmail.com/loveletter/
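The point Todd raises, that every mailer describes its attachments differently, is exactly what a grep for filename="..." in the df file cannot cover. As an added example (not from the thread and not Mark's script), here is a Python check that applies the same quarantine rule to a raw message but looks at every place an attachment name can appear: a Content-Disposition filename= parameter, a Content-Type name= parameter, RFC 2047 encoded-word names, RFC 2231 filename*= encoding, and the "begin 644 name" line of an inline uuencoded body. The extension list and subject strings are the ones in the script above; the sample messages and the _mime() helper are constructed for the example, not real captures.

```python
import email
import re
from email.header import decode_header, make_header

# Extensions and subject prefixes taken from the quarantine script above.
SCRIPT_EXTENSIONS = ("vbs", "vbe", "wsh", "hta", "js")
SUBJECT_RE = re.compile(r"^(ILOVEYOU|Susitikim)", re.IGNORECASE)
# "begin <mode> <name>" line that starts an inline uuencoded attachment.
UUENCODE_RE = re.compile(r"^begin [0-7]{3,4} (\S+)[ \t]*$", re.MULTILINE)


def _decode_rfc2047(value):
    """Decode =?charset?Q?...?= encoded words some mailers put in names."""
    if "=?" not in value:
        return value
    return str(make_header(decode_header(value)))


def attachment_names(raw):
    """All attachment names in a raw RFC 822 message given as bytes.

    Covers Content-Disposition filename=, Content-Type name= and RFC 2231
    filename*= (all via get_filename()), RFC 2047 encoded names, and
    'begin NNN name' lines of uuencoded bodies inside text parts.
    """
    msg = email.message_from_bytes(raw)
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(_decode_rfc2047(name))
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            names.extend(UUENCODE_RE.findall(body.decode("latin-1")))
    return names


def suspicious_attachments(names):
    """Names whose final extension is one the script quarantines."""
    flagged = []
    for name in names:
        _, dot, ext = name.lower().rpartition(".")
        if dot and ext in SCRIPT_EXTENSIONS:
            flagged.append(name)
    return flagged


def subject_matches(raw):
    """True if the Subject: starts with one of the script's strings."""
    subject = _decode_rfc2047(email.message_from_bytes(raw).get("Subject", ""))
    return SUBJECT_RE.match(subject) is not None


def should_quarantine(raw):
    """Same decision as the script: bad subject or bad attachment name."""
    return subject_matches(raw) or bool(suspicious_attachments(attachment_names(raw)))


def _mime(subject, part_headers):
    """Constructed two-part message (sample data, not a real capture)."""
    return (b"From: a@example.com\nTo: b@example.com\nSubject: " + subject +
            b"\nMIME-Version: 1.0\n"
            b'Content-Type: multipart/mixed; boundary="bnd"\n\n'
            b"--bnd\nContent-Type: text/plain\n\nsee attached\n"
            b"--bnd\n" + part_headers +
            b"\nContent-Transfer-Encoding: base64\n\nTXNnQm94ICJoaSI=\n--bnd--\n")


# Constructed samples: the same attachment name written four different ways.
# Only the first one would match the script's egrep for filename="...".
SAMPLE_DISPOSITION = _mime(b"fwd: joke",
    b"Content-Type: application/octet-stream\n"
    b'Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"')
SAMPLE_NAME_RFC2047 = _mime(b"fwd: joke",
    b"Content-Type: application/octet-stream; "
    b'name="=?iso-8859-1?Q?LOVE-LETTER-FOR-YOU=2ETXT=2Evbs?="')
SAMPLE_RFC2231 = _mime(b"fwd: joke",
    b"Content-Type: application/octet-stream\n"
    b"Content-Disposition: attachment; "
    b"filename*=utf-8''LOVE%2DLETTER%2DFOR%2DYOU%2ETXT%2Evbs")
# Non-MIME message with an inline uuencoded body (payload line abbreviated).
SAMPLE_UUENCODE = (b"From: a@example.com\nTo: b@example.com\nSubject: ILOVEYOU\n"
                   b"Content-Type: text/plain\n\nkindly check the attached LOVELETTER\n\n"
                   b"begin 644 LOVE-LETTER-FOR-YOU.TXT.vbs\nM35-G0F]X(&AI*0H*\n`\nend\n")
SAMPLE_BENIGN = _mime(b"report",
    b"Content-Type: text/plain\n"
    b'Content-Disposition: attachment; filename="report.txt"')
```

The decoding work is left to the standard email module (get_filename() already collapses RFC 2231 values and falls back to the Content-Type name= parameter); only the encoded-word and uuencode cases need the two small helpers. On a sendmail queue this would be run over each df file with its matching qf file prepended, since the df file holds the body without the headers.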
Current thread:
- Sendmail vs *.vbs Todd Garrison (May 07)
- Re: Sendmail vs *.vbs Mariusz Woloszyn (May 08)
- WSCRIPT.EXE , CSCRIPT.EXE replacement for *.vbs Richard Rager (May 11)
- Re: WSCRIPT.EXE , CSCRIPT.EXE replacement for *.vbs Blue Boar (May 11)
- Re: WSCRIPT.EXE , CSCRIPT.EXE replacement for *.vbs Daniel S. Otis-Vigil (May 11)
- Re: WSCRIPT.EXE , CSCRIPT.EXE replacement for *.vbs Richard Rager (May 12)
- WSCRIPT.EXE , CSCRIPT.EXE replacement for *.vbs Richard Rager (May 11)
- Re: Sendmail vs *.vbs Mariusz Woloszyn (May 08)
- Re: Sendmail vs *.vbs Sean A. Walberg (May 08)
- Re: Sendmail vs *.vbs Gert-Jan Hagenaars (May 08)
- Re: Sendmail vs *.vbs Sean A. Walberg (May 08)
- <Possible follow-ups>
- Re: Sendmail vs *.vbs Mark Tinberg (May 08)
- Re: Sendmail vs *.vbs Mariusz Woloszyn (May 08)