Re: Virus Detected by Network Associates, Inc. Webshield SMTP V4.5 MR1a

[Russell Coker <russell@coker.com.au>]

On Sat, 28 Jun 2003 22:21, Dan Rasmussen wrote:
> On Sat, Jun 28, 2003 at 12:14:38PM +0000, virusalert@baan.com wrote:
> > An E-mail from <debian-laptop@lists.debian.org> to <RvdOever@baan.nl> 
> > with subject Re: Application has been intercepted. The virus
> > W32/Sobig.c@MM in attachment your_details.zip has been detected.
>
> Quick question, why do I always receive emails like this?  It seems that
> if the virus has been intercepted, there is no need for me to know about
> it... is this advertising for their antivirus scanner, or something
> designed to make virus authors all proud when they do a search and their
> virus comes up in mailing list archives and they can see how far their
> work spread?

The people running the virus-scanners are idiots.

I've attached a little script I use to deal with such things.  If you use it 
then please edit it to put your name and email address in the body.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

#!/usr/bin/perl

use strict;
use Net::SMTP;
use Net::DNS;

my @addr = split("@", $ARGV[0]);
my $host = primary($addr[1]);
my $postmaster = "postmaster@" . $addr[1];

print "host:$host\n";

my $smtp;
($smtp = Net::SMTP->new($host))
   or die "Can't connect to mail server.\n";

$smtp->mail($ARGV[0])
  or die "Server doesn't like from address $ARGV[0].\n";
($smtp->to($ARGV[0]))
  or die "Server doesn't like to address $ARGV[0].\n";
($smtp->cc($postmaster))
  or die "Server doesn't like cc address $postmaster.\n";
($smtp->data()) or die "error in start data.\n";
$smtp->datasend("From: " . $ARGV[0] . "\n");
$smtp->datasend("To: " . $ARGV[0] . "\n");
$smtp->datasend("Cc: " . $postmaster . "\n");
$smtp->datasend("Subject: Your mail server is broken\n");
$smtp->datasend("\n");
$smtp->datasend(
"A correctly configured mail server will not send out virus reports to the\n"
."address listed in the From: field as the viruses send out email with fake\n"
."From: addresses.  This means that a broken mail server such as yours\n"
."which sends such messages just annoys innocent people while not helping\n"
."anyone.\n\n");
$smtp->datasend("I sent this message with your address in the From field because I have received\n");
$smtp->datasend("more than enough anti-virus messages from you already.\n");
$smtp->datasend("\n");
$smtp->datasend("USER NAME\n");
$smtp->datasend('USER@DOMAIN.com' . "\n");
($smtp->dataend()) or die "error in end.\n";

($smtp->quit()) or die "error in quit.\n";


sub primary
{
  my $res = new Net::DNS::Resolver;
  my @mx;
  my $query;
  my $rr;
  if(not @mx = mx($res, @_))
  {
    print "no mx records\n";
    $query = $res->send(@_) or die "no A records";
  }
  else
  {
    my $primary = $mx[0];
    foreach $rr (@mx)
    {
      if($rr->preference < $primary->preference)
      {
        $primary = $rr;
      }
    }
    $query = $res->search($primary->exchange) or die "Can't lookup A record.\n";
  }

  foreach $rr ($query->answer)
  {
    next unless $rr->type eq "A";
    return $rr->address;
  }
}