With all the talk about virus scanning on incoming mail/etc I thought
I'd add this little piece. In the event that you do not scan incoming
mail and are hit by this or another virus, the following little shell
script will allow you to locate and remove the infected emails from a
customer's maildir before they download their email.
--------------------------------------------------------
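#!/bin/sh
# Usage: ./filter.sh <your domain directory> <letter from a to z>

# Walk every user directory in the domain whose login starts with $2.
for i in /export/vpopmail/domains/"$1"/"$2"*
do
  for x in "$i"/Maildir/new/*
    do
        # An empty new/ leaves the glob unexpanded; skip anything that is not a file.
        [ -f "$x" ] || continue
        # -F matches the URL as a literal string rather than as a regex.
        grep -F "http://stuart.messagemates.com/index.html" "$x" > /dev/null 2>&1
        if [ $? -eq 0 ]
          then
          # Quarantine the message and record where it came from.
          mv "$x" /export/badmail/
          echo "$x"  >> /export/badmail/infected.log
        fi
    done
done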
-------------------------------------------------------

Syntax is './filter.sh <your domain directory> <letter from a to z>'.

This allows you to check maildirs for all users whose login begins with
whatever letter you specify. Run multiple copies to scan more maildirs
faster if your server can handle it, or if you run multiple front-end mail
servers delivering to the same NFS mail store. This script is set up for
vchkpw/vpopmail with multiple domains. You may need to edit it for the
correct path and destination for the infected emails to be moved to. As
always, I take no responsibility if this trashes your mail server. Run
at your own risk. It works fine for me, but my server is not the same as
yours, I'm sure. Also note the grep line is currently set up for the above
noted virus. It should work with others if you can find a repeating
pattern that is consistent in all emails containing the virus. It's not
pretty, but it works.

--
Stephen Comoletti
Systems Administrator
Delanet, Inc.  http://www.delanet.com
ph: (302) 326-5800 fax: (302) 326-5802
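
The following is an added example, not part of the original post: a generalization of the script above that takes the pattern as an argument, supports a dry run, and logs both the original and quarantined paths so a message can be restored. The function names, the `DRY_RUN` switch, the `QDIR/<user>/` layout and the `example.test` sample store are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the original poster's script. Function names, the DRY_RUN
# switch and the quarantine layout (QDIR/<user>/) are assumptions.

# quarantine_matches PATTERN QDIR MAILDIR...
# Moves each message in MAILDIR/new containing the literal string PATTERN to
# QDIR/<user>/ and logs "original<TAB>quarantined" so it can be restored.
# DRY_RUN=1 only reports. Prints the number of matching messages on stdout.
quarantine_matches() {
    pattern=$1 qdir=$2
    shift 2
    count=0
    for maildir in "$@"; do
        # .../<user>/Maildir -> <user>
        owner=$(basename "$(dirname "$maildir")")
        for msg in "$maildir"/new/*; do
            [ -f "$msg" ] || continue    # empty new/ leaves the glob unexpanded
            # -F: literal match, so "." in a URL does not act as a wildcard
            grep -qF -e "$pattern" -- "$msg" 2>/dev/null || continue
            count=$((count + 1))
            dest=$qdir/$owner/$(basename "$msg")
            if [ "${DRY_RUN:-0}" = 1 ]; then
                printf 'would move %s\n' "$msg" >&2
                continue
            fi
            mkdir -p "$qdir/$owner" && mv -- "$msg" "$dest" &&
                printf '%s\t%s\n' "$msg" "$dest" >> "$qdir/infected.log"
        done
    done
    echo "$count"
}

# Constructed sample store: one infected message, one clean, one near miss
# that an unescaped regex "." would wrongly match.
make_sample_store() {
    d=$1/example.test
    mkdir -p "$d/alice/Maildir/new" "$d/bob/Maildir/new" "$d/carol/Maildir/new"
    printf 'Subject: hi\n\nhttp://stuart.messagemates.com/index.html\n' \
        > "$d/alice/Maildir/new/1001.msg"
    printf 'Subject: lunch\n\nnoon?\n' > "$d/alice/Maildir/new/1002.msg"
    printf 'Subject: x\n\nhttp://stuart-messagemates.com/index.html\n' \
        > "$d/bob/Maildir/new/1003.msg"
}

# Usage: ./quarantine.sh PATTERN QDIR MAILDIR...
if [ "$#" -ge 3 ]; then quarantine_matches "$@"; fi
```

Run it once with `DRY_RUN=1` to see which messages would be moved before letting it touch a live mail store.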

