Thanks Tom, you gave me an idea.
In fact, I was trying a solution like this at SMTP level:
---
#!/bin/sh
# The virus username always starts with xxx0
INSPECT='^xxx0'
RESULT=$(printf '%s\n' "$QMAILUSER" | grep -- "$INSPECT")
if [ -n "$RESULT" ]
then
    # Drop further traffic from the sending host and record the ban
    iptables -A INPUT -s "$TCPREMOTEIP" -j DROP
    echo "$TCPREMOTEIP $QMAILUSER" >> /tmp/banned.txt
    exit 0
fi
--
But I have the smtp auth enabled, so the checkuser will reject the attempt
after the RCPT TO with a no domain in rcpthosts error, which makes my
script useless because it only runs after that.
I'll try to set up a Perl script that reads the logs and updates iptables.
----- Original Message -----
From: "Tom Collins" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, August 29, 2007 6:00 PM
Subject: Re: [toaster] Problem with virus
On Aug 29, 2007, at 8:58 AM, Lampa wrote:
Can you publish your script? It can be useful for many people.
It's too custom to publish, really. I'm using a modified version of
simscan with custom logging messages, and I really don't have time to
document the script or write instructions on how to install it.
You'll want to look at the File::Tail module to make tracking the log
file easier.
--
Tom Collins - [EMAIL PROTECTED]
Vpopmail - virtual domains for qmail: http://vpopmail.sf.net/
QmailAdmin - web interface for Vpopmail: http://qmailadmin.sf.net/
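
The log-watching approach discussed in this thread, sketched in shell as an added example (not code from either poster). The log line format, the ALLOW list and the function names are assumptions made for illustration; the script prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example. Constructed log format: "<epoch> ip=<addr> user=<name>".
PATTERN='^xxx0'               # username prefix named in the thread
ALLOW='127.0.0.1 192.0.2.10'  # constructed: hosts that must never be banned

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255
is_ipv4() {
    case $1 in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# ips_to_ban: read log lines on stdin, print each offending address once
ips_to_ban() {
    seen=' '
    while read -r _ts ipf userf _rest; do
        ip=${ipf#ip=}; user=${userf#user=}
        [ "$ip" != "$ipf" ] && [ "$user" != "$userf" ] || continue
        printf '%s\n' "$user" | grep -q -- "$PATTERN" || continue
        is_ipv4 "$ip" || continue          # never pass raw log text to iptables
        case " $ALLOW " in *" $ip "*) continue ;; esac
        case $seen in *" $ip "*) continue ;; esac
        seen="$seen$ip "
        printf '%s\n' "$ip"
    done
}

# ban_cmds: emit idempotent rules; -C checks for an existing rule first,
# so repeated hits from one host do not grow the INPUT chain
ban_cmds() {
    while read -r ip; do
        printf 'iptables -C INPUT -s %s -j DROP 2>/dev/null || iptables -A INPUT -s %s -j DROP\n' "$ip" "$ip"
    done
}

# Constructed sample input covering repeat, allowlisted and malformed entries
sample_log() {
cat <<'EOF'
1188403200 ip=198.51.100.7 user=xxx0abc
1188403201 ip=198.51.100.7 user=xxx0def
1188403202 ip=203.0.113.9 user=alice
1188403203 ip=192.0.2.10 user=xxx0zzz
1188403204 ip=999.1.1.1 user=xxx0bad
1188403205 ip=unknown user=xxx0who
1188403206 ip=203.0.113.50 user=xxx0qq
EOF
}

sample_log | ips_to_ban | ban_cmds   # dry run: prints two commands
```

For live use, feed the real log (for example from tail -F) into ips_to_ban in place of sample_log, and review the printed commands before running them as root.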