Re: MS mail bombs

On Wed, Sep 24, 2003 at 04:22:33AM +0100, Pigeon wrote:
> 3) modify my attached ~/.mailfilterrc with your POP3 username and
>    password details. The DENY rules to filter out viral crap are
>    translated from posts by Greg Lehey and David Lloyd on the LinuxSA
>    list.

These rules are not exhaustive, I'm seeing odd things that they've
missed... so I've cobbled together a couple of little scripts to
add the From:, To: and Subject: fields to ~/.mailfilterrc DENY rules.

You will need to edit them with your own user/machine names...

There are two scripts, ftadd to add From and To deny rules and sadd to
add Subject deny rules. The From and To headers seem to be reliably
unambiguously viral, whereas some of the subject lines also appear in
legitimate bounces. There's also a third, appendcmd, which actually
sticks the new rules in ~/.mailfilterrc.

The space before the semicolon before the 'do' statement in appendcmd
is required. Don't lose it!

As anyone may guess from examining my headers I receive mail on one
box and read it on another. The scripts allow for updating the
~/.mailfilterrc on the receiving box from the reading box using ssh
(no need to mess around exporting $HOME via nfs or whatever). The
easiest way to convert for a single box is to replace the ssh command
in the appendcmd script with 'sh -c'. (I said 'easiest', not 'nicest'
:-) )

Don't forget these are ad-hoc kludges and not fully-fledged Debian
packages :-) - hope someone finds them useful and they don't give
Colin Watson too many nightmares :-)


Be kind to pigeons
Get my GPG key here: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x21C61F7F


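# ftadd: turn the From: and To: headers of the message on stdin into DENY
# rules and pipe them to the command named in ${APPENDCMD} (the appendcmd script).
sed -n -e '/^From /,/^$/p' | egrep -i '^(from|to): ' | cut -f 1 -d '<' | sed -e 's/^/DENY=^/' -e 's/F[Rr][Oo][Mm]/(From|FROM)/' -e 's/T[Oo]/(To|TO)/' -e 's/ /.*/' -e 's/"//g' -e 's/ *$//' | ${APPENDCMD} &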


# sadd: the same as ftadd, but for the Subject: header.
sed -n -e '/^From /,/^$/p' | grep -i '^subject: ' | cut -f 1 -d '<' | sed -e 's/^/DENY=^/' -e 's/S[Uu][Bb][Jj][Ee][Cc][Tt]/(Subject|SUBJECT)/' -e 's/ /.*/' -e 's/"//g' -e 's/ *$//' | ${APPENDCMD} &

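# appendcmd: over ssh on the receiving box (nestie), wait until no process has
# the .mailfilterrc open, then append each rule read on stdin that is not
# already in the file.
ssh nestie " ( MFRC=\"/home/pigeon/.mailfilterrc\"; for x in `sed -e \"s/^/\\\'/\" -e \"s/$/\\\' \\\\\/\" | xargs -0 -n 1` ; do if [ \"\$x\" != \" \" ]; then while fuser \$MFRC > /dev/null; do sleep 0.1; done; grep -F \"\$x\" \$MFRC > /dev/null || echo \"\$x\" >> \$MFRC; fi; done ) "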
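
A single-box variant of the three scripts above, as an added example that is not part of the original post: it escapes regex metacharacters in the header text before writing a rule, and skips a header that is empty once the address is cut off. The function names and the sample message are constructed, and it assumes the rules are read as extended regular expressions, as the (From|FROM) alternation in the posted scripts implies.

```sh
#!/bin/sh
# Added example (not Pigeon's scripts): build DENY rules from a message's
# headers with regex metacharacters escaped, and append them locally.
# All function names and the sample message are constructed for illustration.

# Escape POSIX extended-regex metacharacters so header text matches literally.
escape_ere() {
    sed -e 's/[][\.*+?(){}|^$]/\\&/g'
}

# Read one message on stdin; print a DENY rule per From:/To:/Subject: header.
deny_rules() {
    sed -n -e '1,/^$/p' | grep -E -i '^(from|to|subject):' | cut -f 1 -d '<' |
    sed -e 's/"//g' -e 's/[[:space:]]*$//' |
    while IFS= read -r line; do
        value=${line#*:}
        value=${value#"${value%%[! ]*}"}   # trim leading spaces
        [ -n "$value" ] || continue        # nothing left: rule would match all mail
        case $(printf '%s' "${line%%:*}" | tr 'A-Z' 'a-z') in
            from)    name='(From|FROM)' ;;
            to)      name='(To|TO)' ;;
            subject) name='(Subject|SUBJECT)' ;;
            *)       continue ;;
        esac
        printf 'DENY=^%s:.*%s\n' "$name" "$(printf '%s\n' "$value" | escape_ere)"
    done
}

# Append each new rule to the rc file given as $1, skipping exact duplicates.
add_rules() {
    deny_rules | while IFS= read -r rule; do
        grep -qxF -e "$rule" "$1" 2>/dev/null || printf '%s\n' "$rule" >> "$1"
    done
}

# Constructed sample message in mbox form.
sample_message() {
    cat <<'EOF'
From security@example.invalid Wed Sep 24 04:00:00 2003
From: "MS Security Division (Update)" <security@example.invalid>
To: <user@example.invalid>
Subject: Latest Net Patch [v1.0]

See attached file.
EOF
}

sample_message | deny_rules
```

Usage on one box would be along the lines of: add_rules "$HOME/.mailfilterrc" < message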
