On 06 August 2001, Odhiambo Washington said:
> I am using the snippet (attached in .tgz file so that the filter doesn't
> catch it) in my system_filter. It seems to be doing well in catching the
> worm from what I can see in the log file.
Your Sircam filter looks *very* familiar -- it's almost identical to
mine! Convergent evolution, indeed.
> However I require some help with it so that it e-mails back the sender of
> the infected e-mail with the file that I've specified. Right now it can
> save the infected message if I remove the # but it is not sending the
> e-mail back with the sircam-rejected.txt.
My filter seems to work fine in that regard -- it saves the rejected
message (yikes, that folder is 14 MB after a week of filtering!), it
logs the rejection, and it sends back a custom rejection message with
the original (viral) email tacked on the end. (Or at least the first
100k or so of the viral email.)
Here's my setup. In /etc/exim.conf:
# System filter: this is Nigel Metheringham's filter for rejecting
# mail that looks like a Windows e-mail virus.
message_filter = /etc/exim/system_filter
message_body_visible = 5000
# These are needed so we can save, pipe, or send mail from the
# system filter.
message_filter_file_transport = address_file
message_filter_pipe_transport = address_pipe
message_filter_reply_transport = address_reply
(That first comment is a bit out-of-date, as I have brutally hacked up
Nigel's filter. It was a great starting point, though!)
Here's the relevant snippet from /etc/exim/system_filter (mangled so it
gets past all those Sircam filters out there):
logfile /var/log/exim/rejectlog
[...]
if $header_x-mailer contains "Microsoft Outlook Express" and
   ($message_body contains "I send you this file ..." or
    $message_body contains "I hope you can help me with this ... " or
    $message_body contains "I hope you like the file ... " or
    $message_body contains "This is the file with the information ...")
then
  save /var/spool/mail/reject
  logwrite "$tod_log $message_id rejected (SirCam signature)"
  logwrite "$tod_log subject: $header_subject"
  logwrite "$tod_log recipients: $recipients"
  logwrite "$tod_log returned to: $return_path"
  mail to $return_path
       subject "Mail returned: virus detected"
       file /etc/exim/sircam-reject.txt
       return message
  seen finish
endif
And finally, /etc/exim/sircam-reject.txt is plain text:
This message has been rejected because it matches
the signature of a known e-mail worm (SirCam). This
probably means that your PC has been infected with this
worm; see
http://www.zdnet.com/zdnn/stories/news/0,4586,5094633,00.html
for more information.
This works for me with Exim 3.12 on a Debian 2.2 (stable) system. It
saves, logs, and returns infected emails just fine.
However, it did take me several hours to get it working. One tip: check
your panic log after sending test viral messages; some errors are logged
there. The message_filter_*_transport options in exim.conf are
particularly important.
Greg
--
Greg Ward - software developer gward@???
MEMS Exchange http://www.mems-exchange.org
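A stand-alone re-implementation of that filter's matching logic in Python, added here as an example; it is not part of Greg's post and not Exim code. It applies the same X-Mailer / body-phrase test to a few constructed sample messages, honours the 5000-byte message_body_visible limit from the exim.conf above (so it also shows a phrase buried past that limit going unmatched), and builds the reply the filter's mail command sends. The function names (visible_body, is_sircam, build_rejection, sample_messages) and the sample messages are this example's own; the phrases are the mangled ones quoted in the post.

```python
"""Added example, not from the original post: the SirCam system-filter
rules above, re-implemented so they can be run offline over sample mail."""
import email
from email import policy
from email.message import EmailMessage

# message_body_visible = 5000 in the post's exim.conf: the filter only ever
# sees this many bytes of the body as $message_body.
BODY_VISIBLE = 5000

# The X-Mailer string and the (mangled, as in the post) body phrases the
# filter tests for.
XMAILER_SIGNATURE = "Microsoft Outlook Express"
SIRCAM_PHRASES = (
    "I send you this file ...",
    "I hope you can help me with this ... ",
    "I hope you like the file ... ",
    "This is the file with the information ...",
)


def visible_body(raw_message: bytes, limit: int = BODY_VISIBLE) -> str:
    """What the filter sees as $message_body: the first `limit` bytes after
    the blank line that ends the headers, with newlines turned into spaces
    (Exim does that so phrases can be searched across line breaks)."""
    _head, sep, body = raw_message.partition(b"\n\n")
    if not sep:
        _head, sep, body = raw_message.partition(b"\r\n\r\n")
    return body[:limit].decode("latin-1").replace("\n", " ")


def is_sircam(raw_message: bytes) -> bool:
    """The filter's condition: X-Mailer contains the Outlook Express string
    AND the visible body contains one of the phrases.  Exim filter tests
    written in lower case ("contains") are case-independent, hence casefold."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    xmailer = (msg.get("X-Mailer") or "").casefold()
    if XMAILER_SIGNATURE.casefold() not in xmailer:
        return False
    body = visible_body(raw_message).casefold()
    return any(phrase.casefold() in body for phrase in SIRCAM_PHRASES)


def build_rejection(raw_message: bytes, reject_text: str) -> EmailMessage:
    """Mirror `mail to $return_path ... file ... return message`: a plain-text
    reply to the envelope sender (taken here from the Return-Path header the
    MTA adds, falling back to From) carrying the rejection text followed by
    the original message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sender = (msg.get("Return-Path") or msg.get("From") or "").strip()
    reply = EmailMessage()
    reply["To"] = sender.strip("<>")
    reply["Subject"] = "Mail returned: virus detected"
    reply.set_content(reject_text + "\n\n" + raw_message.decode("latin-1"))
    return reply


def sample_messages() -> dict:
    """Constructed sample inputs (not real captures)."""
    headers = (b"Return-Path: <alice@example.org>\n"
               b"From: alice@example.org\n"
               b"To: bob@example.net\n"
               b"X-Mailer: Microsoft Outlook Express 5.50\n"
               b"Subject: hello\n\n")
    worm = headers + b"Hi! How are you?\n\nI send you this file ...\n"
    clean = headers + b"Hi Bob, lunch on Friday?\n"
    # Same phrase, but pushed past the 5000 bytes the filter can see.
    buried = headers + b"x" * 6000 + b"\nI send you this file ...\n"
    # Phrase present, but the X-Mailer test fails.
    other_mailer = worm.replace(b"Microsoft Outlook Express 5.50", b"Mutt/1.2")
    return {"worm": worm, "clean": clean, "buried": buried,
            "other_mailer": other_mailer}


if __name__ == "__main__":
    for name, raw in sample_messages().items():
        print(f"{name:12s} sircam={is_sircam(raw)}")
    reply = build_rejection(sample_messages()["worm"],
                            "This message has been rejected (SirCam signature).")
    print(reply["To"], "|", reply["Subject"])
```

The "buried" sample is the check worth keeping in mind when tuning message_body_visible: a phrase that sits beyond the visible window is simply never compared, and the message passes.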