Re: CRIME Virus list

From: Tim Kramer (kramert@private)
Date: Wed May 22 2002 - 06:51:15 PDT


    I've done this in the past.  Modifying the Sendmail config works nicely
    for a low level infection or when you have no other recourse.  It
    quickly becomes a horrible solution when you try to filter for all
    viruses with static subject lines.  After I'd included about 50 subject
    lines, I noticed that the server was running slower.  An alternative is
    Milter (which is part of the more recent distributions of Sendmail).  It
    handles the same level of traffic without loading the server as much.
    
    Milter also allows you to do a slew of other things: body checking,
    appending a footer to any message that passes through your server,
    
    If you can spare the $5, pick up a copy of June 2002's SysAdmin
    magazine.  It has an article on the Perl module Sendmail::Milter which
    should help.  The article has a pointer to a long example:
    
    http://www.megacity.org/software_downloads/spamcheck.milter.txt
    
    The Milter method is capable of modifying/checking messages before they
    are accepted.  If you want to filter them after they've been accepted
    and before they're delivered you may want to consider running an
    instance of Sendmail in queue-only mode and writing a Perl script to
    filter the qf* and df* files and then call another instance of Sendmail
    to deliver the messages that pass the filters. (Have done this also.)
    If you do this, you can throw in features like spam scoring, redirects,
    etc.
    
    As far as a list of subjects goes, we build ours from the McAfee and
    Symantec anti-virus websites.  Most of the relevant entries are for the
    viruses with "@mm" at the end of their names.
    
    - Tim Kramer
    
    
    
    
    On Wed, 2002-05-22 at 06:37, Steve Nichols wrote:
    > Anyone know of a list of all virus subject line?
    > 
    > I'm trying to write a sendmail Check_Subject rule to filter the
    > incoming emails.
    > 
    > I can do something like this (it's rough but you should get the idea)
    > 
    > F{Virus}    /var/log/virus
    > 
    > HSubject:               $>Check_Subject
    > D{MPat} R<$={Virus}>
    > D{MMsg}This message may contain a Virus. It has been rejected by our
    > Server.
    > 
    > SCheck_Subject
    > R${MPat} $*             $#error $: 550 ${MMsg}
    > RRe: ${MPat} $*         $#error $: 550 ${MMsg}
    > 
    > But I need a list of all subjects associated with viri.
    > 
    > 
    > Steven Nichols
    > Network and Systems Administrator
    > Internet and NOC Manager
    > 
    > 
    >                    VALLEY INTERNET COMPANY
    >                 1709 NE 27th Street, Suite C
    >                   McMinnville, Oregon 97128
    >            503-565-5030 or 800-909-9078 (toll-free)
    >      "Pay no attention to the folks behind the curtain..."
    >    PGP: www.viclink.com/~steven/steven.nichols.pgp.txt
    > 
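
The subject check from the queue-only approach in the message above, as an added example (not code from the thread or from the SysAdmin article): it reads the Subject records out of qf control-file text and looks them up in a hash, so a longer subject list does not mean more rules evaluated per message. It goes slightly beyond the thread by handling folded and repeated Subject headers and forward prefixes; the qf record layout, the queue IDs and the subject strings are constructed assumptions, and moving the qf*/df* pair and calling the delivering Sendmail instance are left out.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed placeholder subjects; a real list would be loaded from a file.
my @SAMPLE_LIST = ('Example Worm Subject', 'Constructed Test Subject');

# Trim, collapse whitespace, drop leading "Re:"/"Fw:"/"Fwd:" prefixes, lower-case.
sub normalize {
    my ($s) = @_;
    $s =~ s/\s+/ /g;
    $s =~ s/^ | $//g;
    1 while $s =~ s/^(?:re|fwd?):\s*//i;
    return lc $s;
}

# Return every Subject value found in qf text. Assumption: header records
# start with "H", optionally followed by "?flags?", and folded continuation
# lines start with whitespace.
sub qf_subjects {
    my ($qf) = @_;
    my (@subjects, $folding);
    for my $line (split /\r?\n/, $qf) {
        if ($folding && $line =~ /^\s+(.*)/) {
            $subjects[-1] .= " $1";      # unfold into the current Subject
            next;
        }
        $folding = 0;
        if ($line =~ /^H(?:\?[^?]*\?)?Subject:(.*)/i) {
            push @subjects, $1;          # keep all of them, not just the first
            $folding = 1;
        }
    }
    return @subjects;
}

# 'hold' if any Subject header matches the list, otherwise 'deliver'.
sub verdict {
    my ($qf, $blocked) = @_;
    for my $s (qf_subjects($qf)) {
        return 'hold' if $blocked->{ normalize($s) };
    }
    return 'deliver';
}

my %blocked = map { normalize($_) => 1 } @SAMPLE_LIST;
my %queue = (   # constructed, simplified qf contents keyed by queue id
    qfAAA00001 => "S<a\@example.com>\nH??Subject: Re: Example Worm\n\tSubject\n.\n",
    qfAAA00002 => "S<b\@example.com>\nH??Subject: Lunch on Friday?\n.\n",
    qfAAA00003 => "HSubject: hello\nHSubject: FW: constructed test subject\n.\n",
);
printf "%s %s\n", $_, verdict($queue{$_}, \%blocked) for sort keys %queue;
```

Unlike the `${MPat} $*` rule quoted above, which matches any subject that begins with a listed pattern, this lookup matches the whole normalized subject.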
    


