Avoid getting MAIL QUEUE filling up because of viruses

Discussion in 'E-mail Discussions' started by lowspeed, Sep 7, 2003.

  1. lowspeed

    lowspeed Active Member

    Joined:
    Aug 13, 2003
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    HOWTO: Avoid getting MAIL QUEUE filling up because of viruses

    I found an easier way to avoid the queue filling up due to fake email addresses originating from viruses.

    Basically, you add the keyword "noerror" before fail; this way, even if it's a failed attempt to deliver, it will not try again.


    in /etc/antivirus.exim


    Code:
    ## -----------------------------------------------------------------------
    # Only run any of this stuff on the first pass through the
    # filter - this is an optimisation for messages that get
    # queued and have several delivery attempts
    #
    # we express this in reverse so we can just bail out
    # on inappropriate messages
    #
    if not first_delivery
    then
      finish
    endif
    
    ## -----------------------------------------------------------------------
    # Check for MS buffer overruns as per BUGTRAQ.
    # http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61
    # This could happen in error messages, hence its placing
    # here...
    # We subtract the first n characters of the date header
    # and test if it's the same as the date header... which
    # is a lousy way of checking if the date is longer than
    # n chars long
    if ${length_80:$header_date:} is not $header_date:
    then
      noerror fail text "This message has been rejected because it has\n\
                 an overlength date field which can be used\n\
                 to subvert Microsoft mail programs\n\
                 The following URL has further information\n\
                 http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61"
      seen finish
    endif
    
    ## -----------------------------------------------------------------------
    # These messages are now being sent with a <> envelope sender, but
    # blocking all error messages that pattern match prevents
    # bounces getting back.... so we fudge it somewhat and check for known
    # header signatures.  Other bounces are allowed through.
    if $header_from: contains "@sexyfun.net"
    then
      noerror fail text "This message has been rejected since it has\n\
                 the signature of a known virus in the header."
      seen finish
    endif
    if error_message and $header_from: contains "Mailer-Daemon@"
    then
      # looks like a real error message - just ignore it
      finish
    endif
    
    ## -----------------------------------------------------------------------
    # Look for single part MIME messages with suspicious name extensions
    # Check Content-Type header using quoted filename [content_type_quoted_fn_match]
    if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
    then
      noerror fail text "This message has been rejected because it has\n\
                 potentially executable content $1\n\
                 This form of attachment has been used by\n\
                 recent viruses or other malware.\n\
                 If you meant to send this file then please\n\
                 package it up as a zip file and resend it."
      seen finish
    endif
    # same again using unquoted filename [content_type_unquoted_fn_match]
    if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"
    then
      noerror fail text "This message has been rejected because it has\n\
                 potentially executable content $1\n\
                 This form of attachment has been used by\n\
                 recent viruses or other malware.\n\
                 If you meant to send this file then please\n\
                 package it up as a zip file and resend it."
      seen finish
    endif
    
    
    ## -----------------------------------------------------------------------
    # Attempt to catch embedded VBS attachments
    # in emails.   These were used as the basis for
    # the ILOVEYOU virus and its variants - many many variants
    # Quoted filename - [body_quoted_fn_match]
    if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"
    then
      noerror fail text "This message has been rejected because it has\n\
                 a potentially executable attachment $1\n\
                 This form of attachment has been used by\n\
                 recent viruses or other malware.\n\
                 If you meant to send this file then please\n\
                 package it up as a zip file and resend it."
      seen finish
    endif
    # same again using unquoted filename [body_unquoted_fn_match]
    if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"
    then
      noerror fail text "This message has been rejected because it has\n\
                 a potentially executable attachment $1\n\
                 This form of attachment has been used by\n\
                 recent viruses or other malware.\n\
                 If you meant to send this file then please\n\
                 package it up as a zip file and resend it."
      seen finish
    endif
    ## -----------------------------------------------------------------------
    
    
    #1 lowspeed, Sep 7, 2003
    Last edited: Sep 7, 2003
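    As an added illustration, not code from the thread or from cPanel, here is a Python re-implementation of the filter's checks so the verdicts can be exercised against constructed sample messages offline before the filter is installed. It assumes header-only parsing with the standard email package, takes Exim's error_message condition as a plain flag, and treats everything after the header block as the body.

```python
import re
from email.parser import HeaderParser

# Extension alternation copied from the Exim regexes in the filter above.
EXT = (r"(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk"
       r"|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])")
# Exim filter "matches" is case-insensitive by default, hence re.I.
CT_QUOTED = re.compile(r'(?:file)?name=("[^"]+\.' + EXT + r'")', re.I)
CT_UNQUOTED = re.compile(r'(?:file)?name=(\S+\.' + EXT + r')', re.I)
BODY_PREFIX = (r'(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);'
               r'\s*(?:file)?name=|begin\s+[0-7]{3,4}\s+)')
BODY_QUOTED = re.compile(BODY_PREFIX + r'("[^"]+\.' + EXT + r'")[\s;]', re.I)
BODY_UNQUOTED = re.compile(BODY_PREFIX + r'(\S+\.' + EXT + r')[\s;]', re.I)


def filter_verdict(raw, first_delivery=True, error_message=False):
    """Mirror the filter's control flow for one raw message string.
    error_message stands in for Exim's condition of the same name (a bounce,
    i.e. a message with an empty envelope sender); this is an assumption of
    the example. Returns 'finish', 'deliver' or 'fail: <reason>'."""
    if not first_delivery:              # later queue runs are not rescanned
        return "finish"
    head, _, body = raw.partition("\n\n")
    hdr = HeaderParser().parsestr(head)
    if len(hdr.get("Date", "")) > 80:   # ${length_80:$header_date:} is not $header_date:
        return "fail: overlength date header"
    sender = hdr.get("From", "").lower()
    if "@sexyfun.net" in sender:
        return "fail: known virus header signature"
    if error_message and "mailer-daemon@" in sender:
        return "finish"                 # looks like a genuine bounce, leave it alone
    for rx in (CT_QUOTED, CT_UNQUOTED):
        m = rx.search(hdr.get("Content-Type", ""))
        if m:
            return "fail: potentially executable content " + m.group(1)
    for rx in (BODY_QUOTED, BODY_UNQUOTED):
        m = rx.search(body)
        if m:
            return "fail: potentially executable attachment " + m.group(1)
    return "deliver"


# Constructed sample messages (not real mail).
WORM = ("From: someone@example.com\nDate: Sun, 7 Sep 2003 12:00:00 +0000\n"
        "Content-Type: application/octet-stream; name=\"photo.jpg.pif\"\n\nTVqQAAMAAAAEAAAA\n")
MULTIPART = ("From: bob@example.com\nContent-Type: multipart/mixed; boundary=\"b1\"\n\n"
             "--b1\nContent-Type: text/plain\n\nsee attached\n--b1\n"
             "Content-Type: application/octet-stream\n"
             "Content-Disposition: attachment; filename=invoice.exe\n\nMZ\n--b1--\n")
CLEAN = "From: alice@example.com\nContent-Type: text/plain\n\nhello\n"
BOUNCE = "From: Mailer-Daemon@mx.example.net\nContent-Type: text/plain\n\nundeliverable\n"
```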
  2. Arthur

    Arthur Member

    Joined:
    Jan 23, 2003
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for the great tip!!

  3. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    Can you, or someone, make it more clear what the repercussions are of adding the "no error" to this configuration? Will the server try to send a rejection message to the sender at least one time? Or never? Sorry, I'm confused.

    I like the idea of not holding these rejection messages in the queue, but I want to try at least once to send a rejection message, since sometimes legitimate senders try to send legitimate attachments with these extensions. I can't just discard them.

    - Scott
     
  4. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    Re: HOWTO: Avoid getting MAIL QUEUE filling up because of viruses

    nice!
    Do you have more information on this? Source? Or did you figure it out yourself?
     
  5. lowspeed

    lowspeed Active Member

    Joined:
    Aug 13, 2003
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    Re: Re: HOWTO: Avoid getting MAIL QUEUE filling up because of viruses

    I actually tried it after reading the docs at exim.org.

    The nice part about it is that it will only fail those that couldn't be delivered the first time and are already suspected of having viruses. So the chance of it actually discarding a legit email is slim.

    First the email would have to have some sort of suspicious attachment, and then the end server would have to be down at that same point in time.

     
  6. Miss Jacky

    Miss Jacky Well-Known Member

    Joined:
    Mar 4, 2004
    Messages:
    91
    Likes Received:
    0
    Trophy Points:
    6
    Anyone still using this? Or are there better alternatives?

    tnx
     
  7. twrs

    twrs Member

    Joined:
    Nov 12, 2002
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    0
    Thanks for sharing this, lowspeed! I'm using this in all my servers now and no problem so far.
     
  8. isputra

    isputra Well-Known Member

    Joined:
    May 3, 2003
    Messages:
    576
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Mbelitar
    Is this rule still legit to use for exim-4.52-7_cpanel_smtpctl_av_rewrite_mm2_mmmtrap_exiscan_md5pass ?
     