|
|
|
|
|
|
| ISP Resources |
| ISP-Lists ISP Glossary ISP News The List ISPCON Events Free Newsletters |
|
|
|
||
| internet.commerce | ||
|
Partner With Us |
Blocking Attached Viruses
Members of the ISP-Linux list say that with Linux, it's easy to block viruses whose attachments are meant to cause harm to Windows users.
| [September 4, 2002] |
 |
On the ISP-Linux list in August, TL asked,
"Is there any method of discarding or rejecting e-mail based on the presence of typical Klez attachments such as .bat, .scr, .pif, etc.? I'm using Sendmail on a RedHat 7.1 mail server. I realize I can expect a substantial performance hit, but the Klez traffic has got to be stopped, and I don't have a large enough user base to justify building a virus/spam gateway."
A number of respondents shared their personal methods of solving the problem:
[LC offered] "In Postfix, we find this regex stops many Klez variants:
/^$/ REJECT
Rejecting all messages with 'dangerous' attachments is also an effective policy."
[NB suggested] "Sendmail users can also add this to sendmail.mc and remake the sendmail.cf file. I did this within a week of Klez surfacing, and I haven't had any problems with Klez since.
LOCAL_CONFIG
Kklez regex -a@MATCH_KLEZ multipart/alternative; +boundary=[a-z0-9]+$
LOCAL_RULESETS
HContent-Type:-TAB-$>CheckContentType
SCheckContentType
R$*-TAB--TAB-$:-TAB-$(klez $&{currHeader} $)
R@MATCH_KLEZ-TAB-$#error-TAB-$: "553 rejected ; This message possibly \contains the Klez virus."
Note that -TAB- means exactly that: not spaces. And do back up your MC file before applying the above: I accept no responsibility for it destroying your Sendmail configs-I only guarantee it works here for me."
[JB advised] "If you use Sendmail and Procmail, put this in /etc/procmailrc:
### OK let's capture the klez worm now
# Klez worm procmail filter
:0 B
* 135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI
8Qi0SODIlEjwyLRI4IiUSPCItE
/var/log/klez
I trap them to a directory, but you may wish to /dev/null them."
Others recommended checking out some relevant solutions:
[PP observed] "I'm using AMaViS with Clam Antivirus. It works fine."
[CI contended] "RenAttach is simple, yet effective!"
[RP offered] "Here is a how-to on installing a virus scanner with Sendmail. It uses F-Prot (free for personal use) as a scanning engine that updates itself. And it uses MailScanner, which is a simple install on RedHat. Then you just make minor edits to the conf file (domain name, what you want done with the viruses, whether you want ORDB type blocking, whether you have SpamAssassin) and you're off."
—End
| Related articles: | |||
| [Sept. 28, 2001] | E.G. for Example: Mutiny Against Microsoft | ||
| [March 2, 2000] | QMail: A Better Sendmail? | ||
| [Jan. 21, 2000] | Unix, Linux, or NT? Part Two | ||
|
|
| Best of ISP-Planet | ||
|---|---|---|
|
ISP-Planet
Guide
ISP-Planet's Principal Studies Directories:
Q2 2008 Top U.S. ISPs by Subscriber (Updated 08/29/2008)
ISP-Planet's Blogroll | ||
ISP-Planet's
RSS feed
Jupitermedia Corporation has two divisions: Jupiterimages and JupiterOnlineMedia
Legal Notices, Licensing, Reprints, Permissions, Privacy Policy.
Advertise | Newsletters | Tech Jobs | Shopping | E-mail Offers