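# Match sobig.F in sendmail.cf
#
# $Header: /usr/local/cvs/beheer/mail/sendmail/cf/cf/xs4all-block-sobig.mc,v 1.7 2003/08/26 21:31:48 johnpc Exp $
#
# (C) Copyright XS4ALL Internet B.V. 2003
# Author: Jan-Pieter Cornet < johnpc AT xs4all DOT nl >
# This script is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License, Version 2, as
# published by the Free Software Foundation.
#
# These rules match on the headers only, and therefore detect both the
# virus including the binary attachment, and the erroneous version of
# the virus that doesn't contain the virus attachment itself.
#
# This is an exact-match signature for one worm build: the D{...Pat}
# patterns and the Content-Type regex below must match token for token,
# so a different build (or a different X-MailScanner banner) will not match.
#
# Matching rules are:
# header must match: X-Mailer: Microsoft Outlook Express 6.00.2600.0000
# the X-MimeOLE header must not be present (that version of Outlook
# Express always sets the X-MimeOLE header).
# header must match: X-MailScanner: Found to be clean
#   (presumably added by a scanner earlier in the delivery path at the
#   original site; sites without it must adapt or drop this requirement)
# header must match: Content-Type: multipart/mixed;
#   boundary="_NextPart_000_[EIGHT_HEX_DIGITS]"
# header must match: From: consisting only of an angle-bracketed address,
#   with no display name, i.e. From: <user@host>
# or: From: same.as.envelope@from.addr
# also, the Resent-To: and Resent-From: headers must not be present.
#
# A matching message is handled with $#discard in check_eoh: sendmail
# accepts it from the client and drops it, rather than rejecting it.
# Presumably chosen because the worm forges its sender addresses, so a
# rejection or bounce would only produce backscatter.
#
# EXCLUDED MAIL ADDRESSES
#
# These rulesets allow for certain mail addresses to be excluded from
# filtering. If you do not wish to use that, you should still create
# the map, but leave it empty. Just type this command, once:
#   makemap hash /etc/mail/nosobigblock < /dev/null
#
# (note that if you forget to run this, your sendmail will complain
# about a missing "nosobigblock.db" file, but the filtering will
# otherwise work correctly).
#
# If you want to specify certain addresses to be excluded, create
# a text file "/etc/mail/nosobigblock", and populate it with email
# addresses to be excluded, for example like this:
#
#   postmaster@xs4all.nl NOBLOCK
#   abuse@xs4all.nl NOBLOCK
#
# (without the "#" characters, and without the leading whitespace,
# obviously).
#
# Exemption is evaluated per RCPT TO (see Local_check_rcpt below) but the
# discard in check_eoh applies to the whole message. A message addressed
# to an exempt AND a non-exempt recipient is therefore still dropped for
# both; only a message whose recipients are all exempt is passed through.
#
# Next, create an entry in the Makefile in /etc/mail, like this:
#
#   nosobigblock.db: nosobigblock
#   	@/usr/sbin/makemap hash nosobigblock < nosobigblock
#
# (again, without # and leading whitespace, except that the second
# line has a leading TAB).
# Then simply run: "make nosobigblock.db" every time you update
# the "nosobigblock" textfile. There is no need to restart sendmail
# after updating the nosobigblock.db file.

LOCAL_CONFIG
# "storage" is a macro-class map: $(storage {name} $@ value $) sets a
# macro from inside a ruleset, $(storage {name} $) clears it. Guarded with
# have_Kstorage so another feature that already declared it is not
# duplicated.
ifdef(`have_Kstorage',, `Kstorage macro
define(`have_Kstorage')')dnl
# "syslog" map: its lookup writes the key to syslog; used for the block log.
ifdef(`have_Ksyslog',, `Ksyslog syslog
define(`have_Ksyslog')')dnl
# Exempt recipients (see header comment). Key: address, value: anything.
Knosobigblock hash /etc/mail/nosobigblock
# Each header of interest is handed to a marking ruleset ($>+ passes the
# header value without stripping comments). The rulesets only set marks;
# the decision is made once, in check_eoh.
HX-Mailer: $>+SobigHXMailer
HX-MailScanner: $>+SobigHXMSc
HContent-Type: $>+SobigHCT
HX-MimeOLE: $>+SobigHBad
HResent-To: $>+SobigHBad
HResent-From: $>+SobigHBad
HFrom: $>+SobigHFrom
# Exact header values of the worm build being matched. They are expanded
# into the LHS of the rules below at .cf read time, so the tokens must
# match the header value exactly.
D{SobigXMailerPat}Microsoft Outlook Express 6.00.2600.0000
D{SobigXMScPat}Found to be clean
# Content-Type regex. The header value is compared after sendmail has
# removed whitespace and the double quotes around the boundary, which is
# why the pattern carries neither.
# NOTE(review): -a normally carries its suffix attached (e.g. -a@MATCH);
# here it is followed directly by the regex, which suggests the suffix
# token was lost in this copy. Verify against the original file.
KSobigCTre regex -a ^multipart/mixed;boundary=_NextPart_000_[0-9A-F]{8}$

LOCAL_RULESETS
SSobigHXMailer
# mark, in {SobigXMailer}, if it matches the expected X-Mailer
R${SobigXMailerPat}	$: $(storage {SobigXMailer} $@ OK $)
R$*	$@ OK

SSobigHXMSc
# mark, in {SobigXMSc}, if it matches the expected X-MailScanner
R${SobigXMScPat}	$: $(storage {SobigXMSc} $@ OK $)
R$*	$@ OK

SSobigHCT
# test against the Content-Type regex. Note that sendmail strips whitespace
# and double quotes from the header value before applying the regex.
R$+	$: $(SobigCTre $1 $)
# If it matches, mark in {SobigCT}.
# NOTE(review): as shown this LHS is empty, so it only fires when the map
# returned an empty workspace (no -m, no -s, empty -a suffix). If the
# original used a marker suffix, the <...> token was lost in this copy.
R	$: $(storage {SobigCT} $@ OK $)
R$*	$@ OK

SSobigHBad
# Any of X-MimeOLE, Resent-To or Resent-From present: mark {SobigNoMatch},
# which vetoes the discard for this message.
R$*	$: $(storage {SobigNoMatch} $@ NotOK $)

SSobigHFrom
# proper format: the From: value is exactly one angle-bracketed address
R< $+ @ $+ >	$: $(storage {SobigFrom} $@ OK $)
# alternative format (somewhat rare): the From: value equals the envelope
# sender (macro f), token for token
R $&f	$: $(storage {SobigFrom} $@ OK $)

# Per-recipient exemption check. Records the last RCPT TO in {LastRCPT}
# (for the log line only) and sets {SobigFilterMe} as soon as one
# recipient is NOT in the nosobigblock map.
SLocal_check_rcpt
R $*	$: $1 $| $1 $(storage {LastRCPT} $@ $1 $)
# strip the angle brackets from the working copy so the map key is bare
R < $+ > $| $*	$1 $| $2
# exempt recipients resolve to their map value; everything else to FILTERME
R $+ $| $*	$: < $(nosobigblock $1 $: FILTERME $) > $| $2
R< FILTERME > $| $+	$: $(storage {SobigFilterMe} $@ OK $) $| $1
# NOTE(review): the mark set here is only cleared in check_eoh. If a
# client issues RSET after RCPT TO without reaching end of headers,
# {SobigFilterMe} from the aborted transaction may survive into the next.
# return the original input and fall through to other Local_check_rcpt
# processing, if any
R$* $| $+	$: $2

Scheck_eoh
# Runs once, at end of headers. Collect all marks into six bracket groups
# (empty when the mark was never set):
#   <XMailer> <XMSc> <CT> <From> <NoMatch> <FilterMe>
R$*	$: < $&{SobigXMailer} > < $&{SobigXMSc} > < $&{SobigCT} > < $&{SobigFrom} > < $&{SobigNoMatch} > < $&{SobigFilterMe} >
# Clear ALL marks for the next message in this SMTP session; this is done
# explicitly rather than relying on sendmail to reset them. Every mark set
# by the rulesets above is listed: {SobigFrom} and {SobigNoMatch} were
# previously left set (a stale NotOK from one message with X-MimeOLE would
# have let every later message in the session through unfiltered, and a
# stale {SobigFrom} could cause false positives), while {SobigXMOLE}, which
# nothing sets, was cleared instead.
R$*	$: $1 $(storage {SobigXMailer} $) $(storage {SobigXMSc} $) $(storage {SobigCT} $)
R$*	$: $1 $(storage {SobigFrom} $) $(storage {SobigNoMatch} $) $(storage {SobigFilterMe} $)
# test for the right condition and discard the message, logging the
# envelope sender, the last recipient and the connecting relay ($&_).
# from= and to= are client-supplied values; treat them as untrusted when
# parsing the log.
# NOTE(review): as shown, the LHS "<>" (two tokens) cannot match the six
# bracket groups built above. The original rule most likely listed the
# expected value per group (the same <...> loss seen in SobigHCT); restore
# it from the original file before using this configuration.
R <>	$#discard $: $(syslog "Sobig.F blocked. from=" $&f ", to=" $&{LastRCPT} ", relay=" $&_ $)
R$*	$@ OK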