Re: CRIME Virus list

From: Tim Kramer (kramert@private)
Date: Wed May 22 2002 - 06:51:15 PDT

Next message: Heidi Henry: "Re: CRIME Korean spam & Klez"

Previous message: jeffrey: "Re: CRIME Korean spam & Klez"
In reply to: Steve Nichols: "CRIME Virus list"
Next in thread: Mark Wills: "RE: CRIME Virus list"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I've done this in the past.  Modifying the Sendmail config works nicely
for a low level infection or when you have no other recourse.  It
quickly becomes a horrible solution when you try to filter for all
viruses with static subject lines.  After I'd included about 50 subject
lines, I noticed that the server was running slower.  An alternative is
Milter (which is part of the more recent distributions of Sendmail).  It
handles the same level of traffic without loading the server as much.

Milter also allows you to do a slew of other things: body checking,
appending a footer to any message that passes through your server,

If you can spare the $5, pick up a copy of this June 2002's SysAdmin
magazine.  It has an article on the Perl module Sendmail::Milter which
should help.  The article has a pointer to a long example:

http://www.megacity.org/software_downloads/spamcheck.milter.txt

The Milter method is capable of modifying/checking messages before they
are accepted.  If you want to filter them after they've been accepted
and before they're delivered you may want to consider running an
instance of Sendmail in queue-only mode and writing a Perl script to
filter the qf* and df* files and then call another instance of Sendmail
to deliver the messages that pass the filters. (Have done this also.)
If you do this, you can throw in features like spam scoring, redirects,
etc.

As far as a list of subject goes, we build ours from the McAffe and
Symantec anti-virus websites.  Most of the relevant entries are for the
viruses with "@mm" at the end of their names.

- Tim Kramer

On Wed, 2002-05-22 at 06:37, Steve Nichols wrote:
> Anyone know of a list of all virus subject line?
> 
> I'm trying to write a sendmail Check_Subject rule to filter the
> incomming email's.
> 
> I can do something like this (it's rough but you should get the idea)
> 
> F{Virus}    /var/log/virus
> 
> HSubject:               $>Check_Subject
> D{MPat} R<$={Virus}>
> D{MMsg}This message may contain a Virus. It has been rejected by our
> Server.
> 
> SCheck_Subject
> R${MPat} $*             $#error $: 550 ${MMsg}
> RRe: ${MPat} $*         $#error $: 550 ${MMsg}
> 
> But I need a list of all subjects associated with viri.
> 
> 
> Steven Nichols
> Network and Systems Administrator
> Internet and NOC Manager
> 
> 
>                    VALLEY INTERNET COMPANY
>                 1709 NE 27th Street, Suite C
>                   McMinnville, Oregon 97128
>            503-565-5030 or 800-909-9078 (toll-free)
>      "Pay no attention to the folks behind the curtain..."
>    PGP: www.viclink.com/~steven/steven.nichols.pgp.txt
>

Next message: Heidi Henry: "Re: CRIME Korean spam & Klez"
Previous message: jeffrey: "Re: CRIME Korean spam & Klez"
In reply to: Steve Nichols: "CRIME Virus list"
Next in thread: Mark Wills: "RE: CRIME Virus list"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:43:22 PDT