There's a tested solution for the W32.Sircam virus and sendmail
[Spoon-feed for enabling detection and rejection of the SIRCAM Winduhs
virus in sendmail 8.9. The version of sendmail is a bit old, but
that's what many of us are using, I suspect -- Raju]
Hi all,
I have been working to find a way to block SirCam directly from my mail server for 5 days now and I got a solution.
I wish it will help some of you out there.
What you need :
- Linux server with sendmail version 8.9 or higher
Here's the setup you have to do:
Sendmail must be compiled with regex-support
Those who compile sendmail will know how to do it.
For those that use system management with rpm : ( Thanks to Rune Hansen <runehans00@xxxxxxxxxxx> )
________________________________
I've tried it successfully on a redhat 6.2 installation, using the
supplied source rpm (sendmail-8.9.3-20.src.rpm). I had to rename the
"+ChechDate" name to "CheckDate" in sendmail.mc because Sendmail reported
it as an invalid ruleset name.
This is what I did:
(sendmail, sendmail-cf and necessary dev-tools must be installed)
-Install sendmail source:
# rpm -ivh /mnt/cdrom/SRPMS/sendmail-8.9.3-20.src.rpm
-Enable regex-support:
Edit
/usr/src/redhat/SOURCES/sendmail-8.9.3-redhat.patch
change the line:
"+define(`confMAPDEF', `-DNEWDB -DNIS')"
to:
"+define(`confMAPDEF', `-DNEWDB -DNIS -DMAP_REGEX')"
-Compile and make rpm
# rpm -bb /usr/src/redhat/SPECS/sendmail.spec
-Stop and uninstall sendmail
# /etc/rc.d/init.d/sendmail stop
# rpm -e sendmail
-Install new sendmail rpm
# rpm -ivh /usr/src/redhat/RPMS/i386/sendmail-8.9.3-20.i386.rpm
-Edit /etc/sendmail.mc, add:
LOCAL_CONFIG
Klinetoolong regex -a@MATCH ^.{60,}$
LOCAL_RULESETS
HDate: $>CheckDate
SCheckDate
R$* $: $(linetoolong $1 $)
R@MATCH $#error $: 553 Date Header too long error
R$* $@ OK
-Be sure to include those tabs in the right places
-Regenerate sendmail.cf
# m4 /etc/sendmail.mc > /etc/sendmail.cf
-Start sendmail
# /etc/rc.d/init.d/sendmail start
_________________________________
Now that your sendmail server runs again, add this to the configuration file /etc/sendmail.cf
( Thanks to Anthony Howe <achowe@xxxxxxxxx> )
##### DON'T FORGET TO PUT TAB AND NOT SPACE ####
##### VIRUS -> W32.sircam #####
HContent-Type: $>CheckContentType
HContent-Disposition: $>CheckContentDisposition
HX-MIMEOLE: $>CheckForWorms
KSirCamWormMarker regex -f -aSUSPECT multipart/mixed;boundary=---.+_Outlook_Express_message_boundary
SCheckContentType
R$+ $:$(SirCamWormMarker $1 $)
RSUSPECT $#error $:"553 Refuse - Virus W32.sircam detecte"
SCheckContentDisposition
RMultipart message $#error $:"553 Refuse - Virus W32.sircam detecte"
SCheckForWorms
R$+ $#error $:"553 Refuse - Virus W32.sircam detecte"
#####################################
Now restart the sendmail server and have fun with this command :
tail -f /var/log/maillog | grep W32.sircam &
You will see all the mail that is rejected because of SirCam...
I wish it will help some of you out there....
Regards
Cédric
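Added example, not part of Cédric's post and not sendmail code: a small Python emulation of the header rulesets given above (the Date length check from sendmail.mc, the SirCam Content-Type regex, the Content-Disposition check and the X-MIMEOLE check), run over constructed header blocks so the effect of each rule can be seen without a mail server. It assumes that sendmail passes the header tokens to a regex map with the whitespace removed, which is why the post's pattern has no space after the semicolon; the sample messages are constructed, not captured mail. The last sample shows that the CheckForWorms ruleset as written rejects every message carrying an X-MIMEOLE header, not only SirCam traffic, which is the false-positive cost of that rule.

```python
import re

# Patterns copied from the post's K lines. sendmail hands the header tokens to a
# regex map with whitespace removed (assumption, and the reason the post's
# pattern has no space after the ';'), so the emulation strips whitespace too.
SIRCAM_CONTENT_TYPE = re.compile(
    r"multipart/mixed;boundary=---.+_Outlook_Express_message_boundary")
DATE_TOO_LONG = re.compile(r"^.{60,}$")

REJECT_DATE = "553 Date Header too long error"
REJECT_SIRCAM = "553 Refuse - Virus W32.sircam detecte"


def parse_headers(raw):
    """Split a raw header block into (name, value) pairs, unfolding continuation lines."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def check_message(raw):
    """Emulate the post's header rulesets: return 'OK' or the 553 reply text."""
    for name, value in parse_headers(raw):
        tokens = "".join(value.split())  # what the map lookup sees
        if name == "date" and DATE_TOO_LONG.search(tokens):
            return REJECT_DATE
        if name == "content-type" and SIRCAM_CONTENT_TYPE.search(tokens):
            return REJECT_SIRCAM
        if name == "content-disposition" and value.split() == ["Multipart", "message"]:
            return REJECT_SIRCAM
        if name == "x-mimeole":
            # CheckForWorms is 'R$+ $#error', i.e. any value at all is rejected
            return REJECT_SIRCAM
    return "OK"


# Constructed sample header blocks (not captured mail).
SAMPLES = {
    "clean": "From: alice@example.net\nTo: bob@example.net\nSubject: hi\n"
             "Date: Tue, 17 Jul 2001 11:28:39 +0200\nContent-Type: text/plain\n",
    "sircam_content_type": "From: alice@example.net\nSubject: hi\n"
             "Content-Type: multipart/mixed;\n\tboundary=----_Outlook_Express_message_boundary\n",
    "sircam_disposition": "From: alice@example.net\nContent-Disposition: Multipart message\n",
    "long_date": "From: alice@example.net\nDate: Tue, 17 Jul 2001 11:28:39 +0200 " + "X" * 40 + "\n",
    "outlook_express_user": "From: carol@example.net\nX-MimeOLE: Produced By Microsoft MimeOLE\n",
}


def run_samples():
    """Return the verdict the rulesets would give for each constructed sample."""
    return {name: check_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:22s} {verdict}")
```

Running it prints one verdict per sample; only the "clean" block passes, and the "outlook_express_user" block is rejected purely because it carries an X-MIMEOLE header, so anyone deploying the X-MIMEOLE rule should expect to refuse all Outlook Express mail, not just the worm.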