Hi all.

I've built a little bit on the patch by Salvatore from the mail quoted
below.

Scenario:

Salvatore's patch to drop MyDoom's modifications does an "exit" after
detecting the virus, thus not doing any kind of logging. On our servers,
we're running MRTG and QSS for general traffic/virus/SPAM and detailed
virus statistics, so we need both syslog logs (for MRTG) and
qmail-quarantine logs (for QSS).

My changes don't quarantine the mail or send any e-mail notice as
Salvatore's does, but they keep writing both logs (although the mails are
not put in the quarantine dir, notices are written to the quarantine log
as if they were).

The patch (for a clean qmail-scanner):

After this code:

 #Now, start the scanners!
 #if (!$quarantine_event) {
   &init_scanners;
 #}


remove:

  if ($quarantine_event) {
    &debug("unsetting TCPREMOTEIP env var");
    delete $ENV{'TCPREMOTEIP'};
    &email_quarantine_report;
  } else {
    &qmail_parent_check;
    &qmail_requeue($env_returnpath,$env_recips,
       "$scandir/$wmaildir/new/$file_id");
  }

(DON'T REMOVE THE "alarm" LINE!)

and add:

  if ($quarantine_description=~/novarg|mydoom|sco/i) {
    &debug("myDoom: Another myDoom virus, dropping");
    &write_quarantine_report;
  } else {
    if ($quarantine_event) {
      &debug("unsetting TCPREMOTEIP env var");
      delete $ENV{'TCPREMOTEIP'};
      &email_quarantine_report;
    } else {
      &qmail_parent_check;
      &qmail_requeue($env_returnpath,$env_recips,
         "$scandir/$wmaildir/new/$file_id");
    }
  }


Quoting Salvatore's original mail:

> Remember that all the lines must finish in a ";" or "{" or "}" so pay 
> attention to the lines that your mailer will wrap...

And remember to add minidebug lines at will, in case you're running
Salvatore's -st patch. :)

Disclaimer: I've been running and monitoring these modifications on a
production server (hit at the moment by around 600 infected mails/hour)
for about three hours and it seems to work as expected, but YMMV.

Any comments are welcome.

Regards

On Fri, 30-01-2004 at 13:31, Salvatore Toribio wrote:
> myDoom is hitting our servers continuously, so I've disabled 
> notifications, but it is also filling my hard disk with all those 
> mails in quarantine.
> 
> I think that if I quarantine something I need notifications, but if 
> I don't have notifications, quarantining is a waste of time and hard 
> disk space.
> 
> But notifications are useful. So I've prepared a little piece of code 
> to drop "myDoom" and not send a notification, here it is:
> 
> AFTER THIS CODE:
> 
>    #Now, start the scanners!
>    #if (!$quarantine_event) {
>      &init_scanners;
>    #}
> 
> INSERT:
> 
>    # MyDoom
>    #### IF YOUR VIRUS SCANNER IDENTIFIES MYDOOM WITH ANOTHER STRING, REPLACE IT BELOW
>    if ($quarantine_description=~/doom/i) {
>      &debug("myDoom: Another myDoom virus, dropping");
>      #&minidebug("myDoom: Another myDoom virus, dropping");
>      &cleanup;
>      &debug("--- all finished. Total of ",tv_interval ($start_time, [gettimeofday])," secs");
>      #&minidebug("------ Process $$ finished. Total of ",tv_interval ($start_time, [gettimeofday])," secs");
>      close(LOG);
>      exit 0;
>    }
> 
> 
> Remember that all the lines must finish in a ";" or "{" or "}" so pay 
> attention to the lines that your mailer will wrap...
> 
> 
> If you are using version "1.20st", you can uncomment the "minidebug" lines.
> 
> I am thinking about these ideas:
> 
> 1) The latest viruses/worms always use a faked sender. Notifications??
> 
> 2) If a virus scanner finds a virus, Is it useful to quarantine it?
> 
> 3) I can reject a virus in the SMTP session instead of notifying the sender...
> 
> 4) Would it be useful to add a "delete_virus_array" similar to 
> "silent_virus_array"?
> 
> 5) There is no point in running the perl scanner first (Jason was right)
> 
> I am working on a new version of my patch, any comments about these 
> ideas or others are welcome.
> 
> Regards
> 
> Salvatore
> 
> 
> -------------------------------------------------------
> The SF.Net email is sponsored by EclipseCon 2004
> Premiere Conference on Open Tools Development and Integration
> See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
> http://www.eclipsecon.org/osdn
> _______________________________________________
> Qmail-scanner-general mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
-- 
 Vicente Aguilar <[EMAIL PROTECTED]>
 Systems Department
 Tel.: 965 98 71 92

 Recursos en la Red, S.L.U.
 http://www.renr.es
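The decision the posted if/else block makes (drop the worm but keep both log streams, quarantine and report anything else the scanner flags, requeue clean mail) is easy to get subtly wrong, in particular because the posted pattern /novarg|mydoom|sco/i treats "sco" as a bare substring. The following is an added example written for this page, not qmail-scanner code or code from either poster: the log formats, the field layout, the sample scanner strings and the tighter word-bounded pattern are all assumptions of the example. It runs the posted regex and the tighter one over a constructed batch and shows which descriptions the posted pattern would silently drop although they are not MyDoom.

```python
"""Drop-but-log decision for worm-infected mail, modelled on the posted
qmail-scanner change.  This is an added example, not qmail-scanner code:
the log formats, field names and sample scanner strings are constructed."""
import re
from collections import Counter

# Pattern exactly as posted: /novarg|mydoom|sco/i.  "sco" is a bare
# substring, so any description containing those three letters matches.
POSTED_DROP_RE = re.compile(r"novarg|mydoom|sco", re.IGNORECASE)

# Tighter alternative (assumption of this example): whole-word family names
# only.  \b treats the "/" and "." in vendor strings as word boundaries.
TIGHT_DROP_RE = re.compile(r"\b(?:novarg|mydoom)\b", re.IGNORECASE)


def classify(quarantine_event, description, drop_re=POSTED_DROP_RE):
    """Mirror the control flow of the posted if/else block.

    'drop'       -> worm matched: log only, no quarantine, no notice
    'quarantine' -> scanner flagged something else: quarantine + report
    'deliver'    -> clean: requeue to qmail
    """
    if description and drop_re.search(description):
        return "drop"
    if quarantine_event:
        return "quarantine"
    return "deliver"


def log_lines(verdict, file_id, sender, description):
    """Return the (syslog, quarantine-log) pair for one message.

    Dropped mail still produces both lines so per-virus counters keep
    working; the quarantine-log entry is written although no file lands in
    the quarantine directory, which is the behaviour the poster describes.
    Both formats are constructed for this example.
    """
    syslog = f"qmail-scanner: {verdict} {file_id} from=<{sender}> {description or '-'}"
    if verdict == "deliver":
        return syslog, None
    state = "dropped" if verdict == "drop" else "quarantined"
    qlog = f"{file_id}\t{sender}\t{description}\t{state}"
    return syslog, qlog


def process(batch, drop_re=POSTED_DROP_RE):
    """Run a batch of (file_id, sender, quarantine_event, description)
    tuples; return verdict counts plus the emitted log line pairs."""
    counts = Counter()
    lines = []
    for file_id, sender, event, desc in batch:
        verdict = classify(event, desc, drop_re)
        counts[verdict] += 1
        lines.append(log_lines(verdict, file_id, sender, desc))
    return counts, lines


def false_positives(descriptions, loose=POSTED_DROP_RE, tight=TIGHT_DROP_RE):
    """Descriptions the posted pattern drops but the word-bounded one keeps."""
    return [d for d in descriptions if loose.search(d) and not tight.search(d)]


# Constructed sample: vendor-style scanner strings, one clean message, and
# one unrelated (made-up) name that happens to contain "sco".
SAMPLE = [
    ("1075467000.1", "bogus@example.invalid", True, "W32/Mydoom.A@mm"),
    ("1075467000.2", "forged@example.invalid", True, "W32.Novarg.A@mm"),
    ("1075467000.3", "alice@example.invalid", False, ""),
    ("1075467000.4", "bob@example.invalid", True, "W32/Bagle.A@mm"),
    ("1075467000.5", "carol@example.invalid", True, "W32/Discovery.Test"),
]


if __name__ == "__main__":
    counts, lines = process(SAMPLE)
    print("posted pattern:", dict(counts))
    for syslog, qlog in lines:
        print(syslog)
        if qlog:
            print("  quarantine-log:", qlog)
    print("over-matched by /sco/i:", false_positives([d for *_, d in SAMPLE]))
    print("word-bounded pattern:", dict(process(SAMPLE, TIGHT_DROP_RE)[0]))
```

With the posted pattern the made-up "W32/Discovery.Test" is dropped without quarantine or notice, because "sco" occurs inside "Discovery"; with the word-bounded pattern it falls through to the normal quarantine path. Whichever pattern is used, the quarantine-log line for a dropped message is written although no file is quarantined, so QSS counts will include mail that was discarded.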


