The OpenNET Project / Index page

[ новости /+++ | форум | теги | ]

Борьба с червями на примере SirCam (фильтрация писем по содержимому тела письма и заголовкам) (sendmail mail postfix qmail filter procmail example)


<< Предыдущая ИНДЕКС Поиск в статьях src Установить закладку Перейти на закладку Следующая >>
Ключевые слова: sendmail, mail, postfix, qmail, filter, procmail, example,  (найти похожие документы)
From: opennet.ru Subj : Борьба с червями на примере SirCam (фильтрация писем по содержимому тела письма и заголовкам) ________________________________________________________________________________ В статье приводятся примеры кода блокировки распространения сетевого червя SirCam для procmail, sendmail, postfix и qmail. --------------------------------------------------------------------------------- PROCMAIL: --------------------------------------------------------------------------------- Первый вариант фильтрации через procmail: # Filtering for Sircam virus # by morcego and Elgio Schlemer # For usage on /etc/procmailrc # :0 HB * ^Content-Type: application/mixed; name=.*\..*(\.com|\.lnk|\.pif|\.exe|\.bat)"?$ { :0 c | (formail -r -i"From: antivirus - SirCam virus detected <antivirus@liveware.com.br>" -A"X-Loop: antivirus";\ cat /etc/mail/virus-sircam.msg)|$SENDMAIL -oi -t :0 /dev/null } Другой вариант решения проблемы через procmail (для помещения в /etc/procmailrc или ~/.procmailrc) :0 Bh *I send you this file in order to have your advice *daeLRCQEM9KJEIN8JAwAdBmLRCQEi1QkCIkQi0\QkDCtEJAiLVCQEiUIEg8QUXV9eW8NTVldV |(formail -rtb -I "Precedence: junk" \ -I "Subject: SirCam Virus Spam Worm"; \ echo "Your computer is infected with the SirCam worm. Please see"; \ echo "http://www.wired.com/news/technology/0,1282,45427,00.html for more information.")\ |$SENDMAIL -oi -t Третий вариант: В procmailrc: SUBJECT=`formail -xSubject: \ | sed -e 's/[;\`\\]/ /g' \ | expand | sed -e 's/^[ ]*//g' -e 's/[ ]*$//g'` :0 B: * $ ^Content-Type: application/mixed; name=.*"$SUBJECT".* { :0 hc: * ^X-Mailer: Microsoft * ^Content-Type: multipart/mixed; | (formail -r -I "Subject: \"SirCam\" Worm Warning"; \ echo "Your machine appears to be infected with the "; echo "\"SirCam\" Email Worm. As a result, you sent me a file "; \ echo "called \"$SUBJECT\" which also contains this worm. "; \ echo; \ echo "Please see "; \ echo "http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html "; \ echo "for instructions on how to remove the worm."; \ ) | $SENDMAIL -t :0: /dev/null } --------------------------------------------------------------------------------- SENDMAIL: --------------------------------------------------------------------------------- LOCAL_RULESETS HContent-Type: $>CheckContentType HContent-Disposition: $>CheckContentDisposition HX-MIMEOLE: $>CheckForWorms ######################################################################### # # w32.sircam.worm@mm # # There are serveral patterns that appear common ONLY to SirCam worm and # not to Outlook Express, which claims to have sent the worm. There are # four headers that always appear together and in this order: # # X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 # X-Mailer: Microsoft Outlook Express 5.50.4133.2400 # Content-Type: multipart/mixed; boundary="----27AA9124_Outlook_Express_message_boundary" # Content-Disposition: Multipart message # # Empirical study of the worm message headers vs. true Outlook Express # (5.50.4133.2400 & 5.50.4522.1200) messages with multipart/mixed attachments # shows Outlook Express does: # # a) NOT supply a Content-Disposition header for multipart/mixed messages. # b) NOT specify the header X-MimeOLE header name in all-CAPS. # c) NOT specify boundary tag with the expression "_Outlook_Express_message_boundary" # # The solution below catches any one of this three issues. This is not an ideal # solution, but a temporary measure. A correct solution would be to check for # the presence of ALL three header attributes. Also the solution is incomplete # since Outlook Express 5.0 and 4.0 were not compared. # ######################################################################### KSirCamWormMarker regex -f -aSUSPECT multipart/mixed;boundary=----.+_Outlook_Express_message_boundary SCheckContentType R$+ $: $(SirCamWormMarker $1 $) RSUSPECT $#error $: "553 Possible virus, see http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html" SCheckContentDisposition RMultipart message $#error $: "553 Possible virus, see http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html" SCheckForWorms R$+ $#error $: "553 Possible virus, see http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html" ------------------------------------------------------------------------------- QMAIL: --------------------------------------------------------------------------------- Проблема решается утановкой последней версии внешнего фильтра qmail-scanner ( http://qmail-scanner.sourceforge.net/ ) ------------------------------------------------------------------------------- POSTFIX: --------------------------------------------------------------------------------- Простейший вариант: /etc/postfix/main.cf: body_checks = regexp:/etc/postfix/body_checks /etc/postfix/body_checks: /^Hi! How are you=3F$/ REJECT /^Hola como estas =3F$/ REJECT Наиболее правильное решение, подходит не только для SirCam, но и других червей. /etc/postfix/main.cf: header_checks = regexp:/etc/postfix/header.regexp /etc/postfix/header.regexp: /^Content-Type:multipart.*"----[A-F0-9]+_Outlook_Express_message_boundary"/i REJECT /^Content-Disposition: Multipart message/i REJECT /^Content-Disposition: attachment; filename=".*\.(doc|zip|exe|xls|jpg|gif)\.(pif|bat|com|exe|lnk)"$/i REJECT /^Content-Disposition: attachment; filename=.*\.(doc|zip|exe|xls|jpg|gif)\.(pif|bat|com|exe|lnk)$/i REJECT -------------------------------------------------------------------------

<< Предыдущая ИНДЕКС Поиск в статьях src Установить закладку Перейти на закладку Следующая >>

 Добавить комментарий
Имя:
E-Mail:
Заголовок:
Текст:




Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру