From owner-freebsd-questions Mon Jul 23 11:06:06 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from webserver.rtl.org (webserver2.rtl.org [63.94.12.188])
	by hub.freebsd.org (Postfix) with ESMTP id 33BCF37B405
	for ; Mon, 23 Jul 2001 11:05:50 -0700 (PDT)
	(envelope-from jstewart@rtl.org)
Received: from MIS3C.rtl.org ([63.106.163.130])
	by webserver.rtl.org (8.11.4/8.11.4) with ESMTP id f6NI4t231999
	for ; Mon, 23 Jul 2001 14:04:55 -0400
Message-Id: <5.0.2.1.0.20010723140113.021aa5d8@63.94.12.188>
X-Sender: jstewart@63.94.12.188
X-Mailer: QUALCOMM Windows Eudora Version 5.0.2
Date: Mon, 23 Jul 2001 14:05:40 -0400
To: freebsd-questions@FreeBSD.ORG
From: Jason Stewart
Subject: Re: SirCam virus
In-Reply-To: <20010723124711.A3193@acadia.ne.mediaone.net>
References: <002701c1134f$7aa71940$1401a8c0@tedm.placo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

At our shop, we just mangle the known executable file extensions with
procmail. If someone needs to execute the file, they call the IS department
and we instruct them to re-name the attachment after we figure out what it
contains. We do not use Outlook for a mail client also. About once a week I
get a call... 'I cannot open this attachment!!!! What do I do!??! This
must be important because it's from the president of one of our affiliates!'
To which I respond.... 'It's a good thing that you couldn't open it,
because it is a virus......'.

Jason Stewart

At 12:47 PM 7/23/2001 -0400, Louis LeBlanc wrote:
>Hey Ted and Thierry. I am curious about the cyrus/procmail thing. I
>am running Cyrus 1.6.24 with Procmail (don't remember the version).
>
>I am handling this pretty much the way you suggested, Ted, except that
>I may be doing it the wrong way. There are several issues with using
>sendmail and Cyrus. Unfortunately, Cyrus is somewhat notoriously
>difficult to configure with sendmail (at least in my experience). I
>am under the impression that it is necessary to have several flags set
>to make Cyrus run smoothly. Procmail is configured to call deliver,
>which will then pop the message into the correct mailbox.
>
>If I can just tell sendmail to use procmail to handle local delivery,
>I suspect this would simplify my configuration headaches.
>
>Any ideas there?
>
>As for procmail, Thierry, I highly recommend it. Especially if your
>users tend to subscribe to mailing lists. I have found that it really
>helps when some other subscriber goes on vacation and forgets to
>exclude the list from vacation responses - vicious circle. I just put
>the sender (usually a postmaster id) into a killfile, and I never have
>to see the hundreds of messages generated by the cycle. Just the
>dozens of others that respond to bitch about it - resulting in more
>messages.
>
>Recently, I thought about using the Cyrus Sieve tool, which is
>supposed to be a replacement for procmail, but I decided to stick with
>what I knew. If you want to start with an integrated tool, you might
>want to check it out. I for one still like the Unix mentality - a
>tool should do one thing and do it well.
>
>Lou
>
>On 07/23/01 01:14 AM, Ted Mittelstaedt sat at the `puter and typed:
> > cyrus is not relevant to this discussion. You're not replacing it,
> > you're replacing the local delivery program. cyrus gets the
> > message well after the local delivery program (ie: procmail)
> > has finished with it.
> >
> > The way it works now is that the message comes in, is accepted by
> > sendmail which passes it to the local delivery program mail.local,
> > which writes it into /var/mail/username. cyrus then picks it up
> > from there when an imap or pop request comes in and delivers it out
> > via imap or pop.
> >
> > The way you want it to work is the message comes in, is accepted by
> > sendmail which passes it to the local delivery program procmail,
> > which filters it for spam and for this virus, then writes it into
> > /var/mail/username. cyrus then picks it up from there when an imap or pop
> > request comes in and delivers it out via imap or pop.
> >
> > All that feature does that I mention in the article is change the line
> > in sendmail.cf
> >
> > Mlocal, P=/usr/libexec/mail.local, F=lsDFMAw5:/|@qPSXfmnz9P, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
> >
> > to a Mlocal line that replaces mail.local with the procmail invocation.
> >
> > You want to spend some time reading the procmail mailing list and
> > documentation for some more detailed answers. But it's not that hard
> > and also procmail is the default local delivery program for GNU/Linux
> > so there's plenty of info out there on it in the Linux mailing list
> > archives. (although a lot of Linux people use postfix instead of
> > sendmail, yech!)
> >
> > Ted Mittelstaedt tedm@toybox.placo.com
> > Author of: The FreeBSD Corporate Networker's Guide
> > Book website: http://www.freebsd-corp-net-guide.com
> >
> > >-----Original Message-----
> > >From: owner-freebsd-questions@FreeBSD.ORG
> > >[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Thierry Black
> > >Sent: Monday, July 23, 2001 12:20 AM
> > >To: tedm@toybox.placo.com; freebsd-questions@FreeBSD.ORG
> > >Subject: RE: SirCam virus
> > >
> > >Hello Ted! Thank you for the reply. I'm sure procmail is the answer now but
> > >as my original post said, I don't know how to make procmail work with cyrus.
> > >Your article was really good, but it didn't explain that. Do you know how I
> > >can make procmail work with sendmail 8.9.3 and cyrus?
> > >
> > >thank you
> > >thierry
> > >
> > >>From: "Ted Mittelstaedt"
> > >>To: "Thierry Black" ,
> > >>Subject: RE: SirCam virus
> > >>Date: Sun, 22 Jul 2001 23:41:26 -0700
> > >>MIME-Version: 1.0
> > >>
> > >>Actually this virus is an easy one to block. According to the
> > >>advisory there is always one of the following strings:
> > >>
> > >>"Hi! How are you?"
> > >>
> > >>"I send you this file in order to have your advice"
> > >>
> > >>So all you need to do is replace the local delivery agent with
> > >>Procmail and write a procmail recipe to filter out messages
> > >>containing either of those strings. I did a column on this a
> > >>while ago; it's here:
> > >>
> > >>http://www.computerbits.com/archive/1998/1000/lan9810.html
> > >>
> > >>You really ought to be doing this for your spamfiltering anyway.
> > >>
> > >>Ted Mittelstaedt
> > >>tedm@toybox.placo.com
> > >>Author of: The FreeBSD Corporate Networker's Guide
> > >>Book website: http://www.freebsd-corp-net-guide.com
> > >>
> > >> >-----Original Message-----
> > >> >From: owner-freebsd-questions@FreeBSD.ORG
> > >> >[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Thierry Black
> > >> >Sent: Sunday, July 22, 2001 9:32 PM
> > >> >To: freebsd-questions@FreeBSD.ORG
> > >> >Subject: SirCam virus
> > >> >
> > >> >Hello again! My server has received copies of this "SirCam" virus
> > >> >notified at www.symantec.com. We are using sendmail, and cyrus for
> > >> >delivery. How can I put a rule to block the messages? The subject,
> > >> >sender, attachment name, and headers are all random (taken from the
> > >> >virus victims' email). The only common things are in the body. The
> > >> >messages start with "Hi! How are you?" and end with "See you later.
> > >> >Thanks".
> > >> >
> > >> >I need to block these messages from being sent to or from our email
> > >> >server. I have heard of procmail, but I don't know how to use it with
> > >> >sendmail 8.9.3 and cyrus.
> > >> >
> > >> >_________________________________________________________________
> > >> >Get your FREE download of MSN Explorer at
> > >> >http://explorer.msn.com/intl.asp
> > >> >
> > >> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> > >> >with "unsubscribe freebsd-questions" in the body of the message
>
>--
>Louis LeBlanc leblanc@acadia.ne.mediaone.net
>Fully Funded Hobbyist, KeySlapper Extraordinaire :)
>http://acadia.ne.mediaone.net Ô¿Ô¬
>
>QOTD:
> "Sure, I turned down a drink once. Didn't understand the question."

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
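As an added example (not code from anyone in this thread), here is the recipe side of what Ted and Jason describe: a system-wide procmailrc, run once sendmail's Mlocal line points at procmail instead of mail.local (with an m4-generated config that is FEATURE(`local_procmail')), that quarantines rather than discards messages whose body carries either SirCam string from the advisory, and messages carrying an attachment with an executable extension. The /etc/procmailrc and log paths, the /var/spool/quarantine directory and the extension list are assumptions.

```procmail
# Assumed location: /etc/procmailrc, executed by sendmail as the local
# delivery agent in place of mail.local (the Mlocal line quoted above).
PATH=/bin:/usr/bin:/usr/local/bin
SHELL=/bin/sh
LOGFILE=/var/log/procmail.log      # assumed log path
QUARANTINE=/var/spool/quarantine   # assumed directory, writable by the delivery user
LOGABSTRACT=all                    # log From/Subject/folder for every delivery

# Ted's approach: match either body string listed in the advisory.
# "B" searches the body instead of the headers; the trailing ":" takes a
# lock because the action appends to an mbox file. Procmail matches
# case-insensitively by default, so "hi! how are you?" is caught as well.
:0 B:
* ^(Hi! How are you\?|I send you this file in order to have your advice)
$QUARANTINE/sircam

# Jason's approach, simplified to quarantining instead of renaming the
# attachment. MIME part headers sit in the body, so "B" is needed here too.
# Double extensions such as ".doc.pif" still end in one of these; a
# filename parameter folded onto a continuation line is not caught by this
# single-line pattern.
:0 B:
* ^Content-(Type|Disposition):.*(file)?name="?[^"]*\.(exe|com|pif|scr|bat|lnk)"?$
$QUARANTINE/executable

# Anything not matched above falls through to $DEFAULT (/var/mail/$LOGNAME),
# which is where cyrus picks it up, exactly as Ted describes.
```

Reviewing $QUARANTINE/sircam and $QUARANTINE/executable by hand before releasing anything is the same step Jason's IS department performs when a user calls about a renamed attachment.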