The .qmail file idea is a good one, but has to be moved to everyone's .qmail
file on the system. What I would actually recommend is to apply Bruce's
queue-var patch
(http://em.ca/~bruceg/qmail+patches/sources/qmail-1.03-queuevar.patch), apply
the patch and recompile qmail. Get the latest version of the maildrop package
for the courier imap server (http://download.sourceforge.net/courier) and the
qmail-scanner package
(ftp://qmail-scanner.sourceforge.net/pub/qmail-scanner/qmail-scanner-0.94.tgz).
You will also need Perl 5.005_03+ and the Perl modules Time::HiRes and DB_File.
I know this sounds like a lot of trouble but it is worth your time in my
opinion. I have implemented this setup on my server and currently it only
filters *.vbs attachments but I am looking for some other virus software to
plug into there (if anyone knows of any good Unix esp. Linux virus scanners to
filter Win virii, please let me know) and it saved my you-know-what every time
we hear about companies like Lucent getting killed by I-Love-You and the like.
--
***********************************
Matthew H Patterson
Unix Systems Administrator
National Support Center, LLC
Naperville, Illinois, USA
***********************************
---------- Forwarded Message ----------
Subject: Re: how do I block this SPAM?
Date: Mon, 01 Jan 2001 15:30:04 -0500
From: Roger Merchberger <[EMAIL PROTECTED]>

On or about 08:50 PM 1/1/01 +0100, Piotr Kasztelowicz was caught in a dark
alley speaking these words:
>On 1 Jan 2001, Mark Delany wrote:
>
>> badmailfrom won't work on this. See the archives for discussions on
>> why not (it checks Return-Path).
>
>Not good idea on ORBS spammer's list can be found peoples, who
>don't write spam - for instance I.

The problem is, this isn't spam -- it's a virus. If you start blocking IP's
from wherever you get this, you will start blocking a *lot* of non-relaying
sites. This isn't relaying. This is a case of honest (albeit IMNSHO
clueless) people sending out a copy of a virus they don't know they have.

The virus sending out copies of itself to known good email addresses isn't
my major problem, tho. The virus also sends itself to godawful strings of
non-Internet related characters (like "<a>slkjjsdl@#.jskd") which is
causing a very high load of double-bounces - with me being the postmaster,
I'm getting a very large (to the order of 2-5 every *second*) number of
these in my mailbox.

One bad thing about this virus is it wipes out (almost) every piece of
useful data that you could use to track down the person who has the virus.
The only useful stuff is what qmail logs - namely the HELO string, the
originating IP address & time. (And the HELO string is useless if the user
doesn't change the "Host" DNS setting from "oemcomputer" to the user's real
ID.)

Now, a .qmail file which filters on that idiot "[EMAIL PROTECTED]" and
either a) sends that mail to the bit-bucket (which is by now overflowing...
:-) or b) filters out the Received: header with the HELO line in it and
stuffs it into a separate file would be a great boon...

If I have a chance I'll bone up on .qmail files (one thing I don't like
about qmail is it doesn't crash. "Set it and forget it" which is what
usually happens... ;-) and write it myself, but I don't have the time just
yet.

I do have a perl script somewhere that does the HELO filter in (b) above,
but it's a separate proggie - not an inline filter. (Oh, on larger files,
it won't run under NT's perl, either. Hope you have a *nix box handy...)

HTH,
Roger "Merch" Merchberger
=====
Roger "Merch" Merchberger -- [EMAIL PROTECTED]
SysAdmin - Iceberg Computers
===== Merch's Wild Wisdom of the Moment: =====
Sometimes you know, you just don't know sometimes, you know?
-------------------------------------------------------
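
The inline filter described in option (b) of the forwarded message, as an added example (not code from either poster): it reads one message on stdin and logs the IP, HELO string and time from every Received line that qmail-smtpd wrote, including the copy nested inside a double bounce. The Received layout, the log file name `helo-sources.log`, the function names and the sample message are assumptions made for the illustration.

```python
import re
import sys

# Assumed qmail-smtpd trace line: Received: from H (HELO X) (IP) by L with SMTP; DATE
RECEIVED_RE = re.compile(
    r"^Received: from (?P<host>\S+)(?: \(HELO (?P<helo>[^)]*)\))? "
    r"\((?:[^@)]*@)?(?P<ip>[0-9.]+)\)\s+by \S+ with SMTP; (?P<when>.+)$"
)
LOG_PATH = "helo-sources.log"  # hypothetical output file

# Constructed sample: a bounce whose body carries the original message.
SAMPLE = (
    "Received: (qmail 1234 invoked for bounce); 1 Jan 2001 20:15:05 -0000\n"
    "Subject: failure notice\n\n"
    "--- Below this line is a copy of the message.\n\n"
    "Received: from unknown (HELO oemcomputer) (192.0.2.15)\n"
    "  by mx.example.org with SMTP; 1 Jan 2001 20:15:02 -0000\n"
    "Subject: hello\n"
)

def clean(value):
    """The HELO string is sender-controlled: keep printable ASCII only."""
    return re.sub(r"[^\x20-\x7e]", "?", value).strip()

def helo_records(raw):
    """(ip, helo, date) per Received line, including copies nested in bounce bodies."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:   # folded continuation line
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    records = []
    for line in lines:
        m = RECEIVED_RE.match(line)
        if m:
            helo = m.group("helo") or m.group("host")  # qmail omits HELO if equal
            records.append((m.group("ip"), clean(helo), clean(m.group("when"))))
    return records

def main():
    raw = sys.stdin.buffer.read().decode("latin-1")
    with open(LOG_PATH, "a") as log:
        for ip, helo, when in helo_records(raw):
            log.write(f"{when}\t{ip}\t{helo}\n")
    return 0  # delivery continues with the next .qmail line

if __name__ == "__main__":
    sys.exit(main())
```

In a .qmail file the script would be called from a program line (a line beginning with `|`); exiting 99 instead of 0 would tell qmail to skip the remaining delivery lines, which is the bit-bucket behaviour of option (a).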