How are you disabling notifications? - Looking through quarantine-attachments.txt does not mention 'silent_virus_array' ?
Hi Michael
When I said 'disabled notification', I meant all the notifications; you can't disable them only for one kind of virus.
To do that you have to edit /var/qmail/bin/qmail-scanner-queue.pl and change the value of:
my $NOTIFY_ADDRS='sender,admin';
to:
my $NOTIFY_ADDRS='none';
Be careful, some versions (or configurations) of 'vi' change the owner and the suid bit of the file when you edit it. Somebody has told me my 'vi' works in a loyal way. But I always use 'pico'...
Anyway, I suggest you use the piece of code below to avoid notifications and quarantine of myDoom. If your antivirus uses a different string to identify 'myDoom', change the value in the if.
Actually, this is my minidebug log:
30/01/2004 15:49:50:5621: +++ starting debugging for process 5621 by uid=81
30/01/2004 15:49:50:5621: The server is in the WhiteList
30/01/2004 15:49:50:5621: w_c: elapsed time from start 0.037065 secs
30/01/2004 15:49:50:5621: return-path='[EMAIL PROTECTED]', recips='[EMAIL PROTECTED]'
30/01/2004 15:49:50:5621: from='[EMAIL PROTECTED]', subj='', via SMTP from 193.43.129.131
30/01/2004 15:49:50:5621: sophie: there be a virus! (W32/MyDoom-A)
30/01/2004 15:49:50:5621: sophie: finished scan in 0.110936 secs
30/01/2004 15:49:50:5621: ini_sc: finished scan of "/var/spool/qmailscan/tmp/apo136.usc.urbe.it10754741905445621"...
30/01/2004 15:49:50:5621: ini_sc: elapsed time from start 0.18294 secs
30/01/2004 15:49:50:5621: myDoom: Another myDoom virus, dropping
30/01/2004 15:49:50:5621: ------ Process 5621 finished. Total of 0.187968 secs
Cheers
Salvatore
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salvatore Toribio
Sent: Friday, 30 January 2004 7:08 PM
To: [EMAIL PROTECTED]
Subject: [Qmail-scanner-general]Quarantine-notifications and myDoom
myDoom is hitting our servers continuously, so I've disabled notifications, but it is also filling my hard disk with all those mails in quarantine.
I think that if I quarantine something I need a notification, but if I don't have notifications, quarantining is a waste of time and hard disk space.
But notifications are useful. So I've prepared a little piece of code to drop "myDoom" and not send a notification, here it is:
AFTER THIS CODE:
    #Now, start the scanners!
    #if (!$quarantine_event) {
      &init_scanners;
    #}
INSERT:
    # MyDoom
    if ($quarantine_description=~/doom/i) {
      &debug("myDoom: Another myDoom virus, dropping");
      #&minidebug("myDoom: Another myDoom virus, dropping");
      &cleanup;
      &debug("--- all finished. Total of ",tv_interval ($start_time, [gettimeofday])," secs");
      #&minidebug("------ Process $$ finished. Total of ",tv_interval ($start_time, [gettimeofday])," secs");
      close(LOG);
      exit 0;
    }
Remember that all the lines must finish in a ";" or "{" or "}" so pay attention to the lines that your mailer will wrap...
If you are using version "1.20st", you can uncomment the "minidebug" lines.
I am thinking about these ideas:
1) The latest viruses/worms always use a faked sender. Notifications??
2) If a virus scanner finds a virus, is it useful to quarantine it?
3) I can reject a virus in the smtp session instead of notifying the sender...
4) Would it be useful to add a "delete_virus_array" similar to "silent_virus_array"?
5) There is no point in running the perl scanner first (Jason was right)
I am working on a new version of my patch; any comments about these ideas or others are welcome.
Regards
Salvatore
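
A standalone sketch of idea 4 above, added here as an illustration; it is not part of the original post or of qmail-scanner. @delete_virus_array, listed(), virus_name() and decide_action() are hypothetical names, the list entries and scanner lines are constructed samples, and entries are matched only against the virus name the scanner reported, as whole name components, so a looser match such as /doom/i does not silently discard other mail.

```perl
#!/usr/bin/perl
# Added illustration, not qmail-scanner code: all names below are hypothetical.
use strict;
use warnings;

# Dropped with no quarantine copy and no notification (constructed entries).
my @delete_virus_array = ('mydoom', 'novarg');
# Quarantined, but nobody is notified (constructed entries).
my @silent_virus_array = ('klez', 'sobig');

# Pull the reported name out of a scanner line in the format shown in the
# thread, e.g. "sophie: there be a virus! (W32/MyDoom-A)" -> "W32/MyDoom-A".
sub virus_name {
    my ($line) = @_;
    return $line =~ /there be a virus! \(([^)]+)\)/ ? $1 : undef;
}

# True if any list entry equals a whole component of the virus name
# (components are separated by "/", ".", "_" or "-"), case-insensitively.
sub listed {
    my ($name, @list) = @_;
    return scalar grep { $name =~ m{(?:\A|[/._-])\Q$_\E(?:\z|[/._-])}i } @list;
}

# Decide what happens to the message; the delete list wins over the silent list.
sub decide_action {
    my ($name) = @_;
    return 'pass'              unless defined $name;   # no virus reported
    return 'drop'              if listed($name, @delete_virus_array);
    return 'quarantine-silent' if listed($name, @silent_virus_array);
    return 'quarantine-notify';
}

my @samples = (   # constructed scanner output
    'sophie: there be a virus! (W32/MyDoom-A)',
    'sophie: there be a virus! (W32/Klez-H)',
    'sophie: there be a virus! (W32/Doomjuice-A)',   # contains "doom", not listed
    'sophie: finished scan in 0.110936 secs',
);

my %count;
for my $line (@samples) {
    my $action = decide_action(virus_name($line));
    $count{$action}++;
    printf "%-18s %s\n", $action, $line;
}
# Dropped mail leaves no quarantine copy, so a per-action count is the only trace.
printf "%s=%d\n", $_, $count{$_} for sort keys %count;
```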
