Re: need help filter this stupid virus. Sendmail didn't stop this.

From: J Bacher (jb@jbacher.com)
Date: 06/21/01


Date: Thu, 21 Jun 2001 15:39:38 -0500
To: faSty <fasty@i-sphere.com>
From: J Bacher <jb@jbacher.com>

At 01:08 PM 6/21/2001 -0700, you wrote:
>Yes, I am still using /etc/mail/access; it seems not to work at all, and I will try
>it out with a procmail filter today.

If you are using Sendmail, append this to the very end of your
sendmail.cf. It will block the hahaha virus.

######################################################################
#
# Added to Block the Viruses
#
######################################################################

# The format for the rule is
#
# RExactly the thing you want to quote
# You just need enough of a pattern to match.
# Instructional note: Follow these instructions exactly
# The format for the rule is
#
# RExactly the thing you want to quote
#
# No quote marks, no tabs, absolutely nothing in
# parentheses (like this, they're considered comments
# and will be removed before they get to the rules).
# After the exact thing, then a tab, and the $#error.
# Note, the $* matches anything, so it's useful for
# wildcarding. This also scans all messages with
# Subject: headers and invokes a rule, so there is
# a performance hit.

HSubject: $>Check_Subject
D{MPat1}Snowhite and the Seven Dwarfs - The REAL story!
D{MMsg1}This message may contain the Snow White virus.
SCheck_Subject
R${MPat1} $*	$#error $: 550 ${MMsg1}
RRe: ${MPat1} $*	$#error $: 550 ${MMsg1}

>On Thu, Jun 21, 2001 at 06:08:35PM +0300, Giorgos Keramidas wrote:
> > On Wed, Jun 20, 2001 at 04:53:35PM -0700, faSty wrote:
> >
> > > I did use "From:hahaha@sexyfun.net" and it still fails to reject it.
> > >
> > > -trev
> >
> > Instead of tweaking your sendmail rules, which is somewhat error prone
> > (unless you really know what you are doing), you could install procmail
> > and use that as the local delivery agent. Then, a simple filter like:
> >
> > :0 H
> > * From[: ].*hahaha@.*sex.*$
> > /dev/null
> >
> > put in the proper place (your /usr/local/etc/procmailrc) will filter
> > out all mail that has either an envelope-from or a header-from
> > address that matches your rules.
> >
> > The only problem I can see with this is that you might soon end
> > up with a huge /usr/local/etc/procmailrc file, instead of a nicer
> > /etc/mail/access file that blocks spammers.
> >
> > If you do want to use /etc/mail/access then you should probably do the
> > extra work it takes to find, from the mail headers, where the mail
> > comes from.
> >
> > Then block the mail that comes from that host or domain or provider
> > and contact the provider's mail admins informing them that you have
> > blocked the entire domain because spammers use it to abuse your mail
> > system. A nicely put and carefully worded telephone call, where you
> > take care not to offend the mail admins themselves, will do wonders..
> > trust me.
> >
> > -giorgos
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
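
Added example (not part of the original message, and not sendmail or procmail code): a small Python model of the three filters discussed in this thread, run over constructed messages, to show which check fires on which part of a message. It assumes the access entry is checked against the envelope sender and that the envelope sender differs from the header From; the sender addresses, sample messages and function names are made up for illustration.

```python
import re
from email import message_from_string

# Pattern and reply text copied from the D{MPat1}/D{MMsg1} macros in the post.
PATTERN = "Snowhite and the Seven Dwarfs - The REAL story!"
REPLY = "550 This message may contain the Snow White virus."
# Header regex from the quoted procmail recipe (procmail matching ignores case).
PROCMAIL_RE = re.compile(r"From[: ].*hahaha@.*sex.*$", re.I | re.M)
# Constructed stand-in for an access entry, modeled as an envelope-sender check.
ACCESS_REJECT = {"hahaha@sexyfun.net"}

def norm(text):
    """Collapse whitespace and case (an approximation of sendmail's token matching)."""
    return " ".join(text.split()).lower()

# Model of the two R lines: the pattern, or "Re: " plus the pattern, then $* (anything).
SUBJECT_RE = re.compile(r"(re:\s*)?" + re.escape(norm(PATTERN)))

def check_subject(subject):
    """Return the 550 reply the ruleset would give, or None to accept."""
    return REPLY if SUBJECT_RE.match(norm(subject)) else None

def evaluate(envelope_from, raw):
    """Run all three filters from the thread over one message."""
    msg = message_from_string(raw)
    # procmail sees the mbox "From " envelope line followed by the header block.
    head = f"From {envelope_from} Thu Jun 21 13:08:00 2001\n" + raw.split("\n\n", 1)[0]
    return {
        "access": envelope_from.lower() in ACCESS_REJECT,
        "procmail": bool(PROCMAIL_RE.search(head)),
        "check_subject": check_subject(msg.get("Subject", "")),
    }

# Constructed sample messages (not captured traffic).
SAMPLES = {
    "forged_header": ("user@infected.example",
        "From: Hahaha <hahaha@sexyfun.net>\nSubject: " + PATTERN + "\n\nbody\n"),
    "reply": ("friend@site.example",
        "From: friend@site.example\nSubject: RE: snowhite and the seven dwarfs - the real story!\n\nbody\n"),
    "clean": ("alice@site.example",
        "From: alice@site.example\nSubject: Snow White tickets\n\nbody\n"),
}

if __name__ == "__main__":
    for name, (sender, raw) in SAMPLES.items():
        print(name, evaluate(sender, raw))
```

In this model the subject rule is the only check that also catches the reply, and the sender-address check misses a message whose envelope sender is not the address shown in the From: header.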