[Exim] system wide filter for detect virus

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Andrey Chernomyrdin
Dátum:  
Címzett: exim-users
Tárgy: [Exim] system wide filter for detect virus
Hi!

I write some new rules for detecting viruses in incoming mail (attached).
I use it 3 month together with ftp://ftp.exim.org/pub/filter/system_filter.exim
This rules insert before testing incoming mail for Generic Windows
Executable files in attachment.

may be anybody interesting this rules

Thanks for attention, and sorry for my ugly english.
-- 
With Best,                      | http://www.excom.spb.su/~andrey
     Andrey Chernomyrdin        | mailto:andrey@excom.spb.su 

#
# Content-Type: multipart/mixed; boundary="--VExxxxx"
# virus: I-Worm.HYBRIS
#
    if
        $h_content-type:    contains    "boundary=\"--VE"
    then
        logfile        /var/log/exim/virus.log 640
        logwrite    "$tod_log $message_id Possible I-Worm.HYBRIS virus detected"


        if    not $h_x-resentfrom    is    ""
        then
            mail        to        $h_x-resentfrom
                    cc        postmaster@$qualify_domain
                    bcc        $recipients
                    reply_to    postmaster@$qualify_domain
                    subject        "Re: About possible 'I-Worm.HYBRIS' virus in your letter"
                    text        "You message possible contain virus 'I-Worm.HYBRIS',\n\
                            more information you can find at:\n\n\
                            russian: http://www.viruslist.com/viruslist.asp?id=4251&key=00001000140000100049\n\
                            english: http://www.viruslist.com/eng/viruslist.asp?id=4112&key=00001000130000100044\n\
                            \nand was been freezed by mailing delivery system at $qualify_domain\n"
                    return message
        elif    not error_message
        then
            mail        to        $reply_address
                    cc        postmaster@$qualify_domain
                    bcc        $recipients
                    reply_to    postmaster@$qualify_domain
                    subject        "Re: About possible 'I-Worm.HYBRIS' virus in your letter"
                    text        "You message possible contain virus 'I-Worm.HYBRIS',\n\
                            more information you can find at:\n\n\
                            russian: http://www.viruslist.com/viruslist.asp?id=4251&key=00001000140000100049\n\
                            english: http://www.viruslist.com/eng/viruslist.asp?id=4112&key=00001000130000100044\n\
                            \nand was been freezed by mailing delivery system at $qualify_domain\n"
                    return message
        else
            freeze        text    "Possible I-Worm.HYBRIS virus detected\n\
                        - --<Headers>-- -\n\
                        $message_headers\n\
                        - --</Headers>-- -\n"
        endif
    endif
#
# virus: I-Worm.MTX
#
    if
        $message_body        contains    "==i3.9.0oisdboibsd"
    then
        logfile        /var/log/exim/virus.log 640
        logwrite    "$tod_log $message_id Virus-I-Worm.MTX; \
                from=$sender_address ($sender_host_name [$sender_host_address]); \
                to=$recipients; \
                saved=/var/spool/mail/invalid;"
        save        /var/spool/mail/invalid 600
        mail        to        $reply_address
                cc        postmaster@$qualify_domain
                bcc        $recipients
                reply_to    postmaster@$qualify_domain
                subject        "Re: About 'I-Worm.MTX' virus in your letter"
                text        "You message possible contain virus 'I-Worm.MTX',\n\
                        and was been rejected by mailing delivery system at $qualify_domain\n\
                        Virus description may be found at:\n\n\
                        russian: http://www.viruslist.com/viruslist.asp?id=4206&key=00001000140000100038\n\
                        english: http://www.viruslist.com/eng/viruslist.asp?id=4063&key=00001000130000100034\n"
                return message
        seen finish
    endif
#
#
#