1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
|
# $Id: VirusBounceSpew.pm,v 1.9 2004/09/23 15:11:13 tvierling Exp $
#
# Copyright (c) 2002-2004 Todd Vierling <tv@pobox.com> <tv@duh.org>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the author nor the names of contributors may be used
# to endorse or promote products derived from this software without specific
# prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
package Mail::Milter::Module::VirusBounceSpew;
use 5.006;
use base Exporter;
use base Mail::Milter::Object;
use strict;
use warnings;
use Carp;
use Sendmail::Milter 0.18; # get needed constants
our $VERSION = '0.01';
=pod
=head1 NAME
Mail::Milter::Module::VirusBounceSpew - milter to reject antivirus messages typically sent to forged "senders"
=head1 SYNOPSIS
use Mail::Milter::Module::VirusBounceSpew;
my $milter = new Mail::Milter::Module::VirusBounceSpew;
my $milter2 = &VirusBounceSpew; # convenience
=head1 DESCRIPTION
This module rejects messages at the DATA phase by searching for known
signs of misconfigured antivirus software. An increasing problem on the
Internet as of this writing is a tendency for viruses and trojans to send
mail with a forged envelope from address. This is triggering antivirus
warning messages back to these forged senders.
=head1 METHODS
=over 4
=cut
our @EXPORT = qw(&VirusBounceSpew);
sub VirusBounceSpew {
new Mail::Milter::Module::VirusBounceSpew(@_);
}
=pod
=item new()
Creates a VirusBounceSpew milter object. The match rules are internally
hardcoded and may be examined by reading the module source.
=cut
sub new ($$;@) {
my $this = Mail::Milter::Object::new(shift);
$this->{_message} = 'Antivirus warning messages are not accepted here. Please configure your antivirus software not to send warning messages to forged senders!';
$this;
}
=pod
=item set_message(MESSAGE)
Sets the message used when rejecting messages.
This method returns a reference to the object itself, allowing this method
call to be chained.
=cut
sub set_message ($$) {
my $this = shift;
$this->{_message} = shift;
$this;
}
sub header_callback {
my $this = shift;
my $ctx = shift;
my $hname = shift;
my $header = "$hname: ".(shift);
if (
$header =~ /^From: amavisd(?:-new)? <postmaster\@/i ||
$header =~ /^From: MailMarshal\@\s+$/ ||
$header =~ /^Subject: ACHTUNG! Sie haben eine mit einem Virus/ ||
$header =~ /^Subject: Antigen found VIRUS=/ ||
$header =~ /^Subject: AVISO DE VIRUS / ||
$header =~ /^Subject: Warning: antivirus system report$/ ||
$header =~ /^Subject: Disallowed attachment type found in sent message/ ||
$header =~ /^Subject: Email violation detected in an email you sent/ ||
$header =~ /^Subject: Failed to clean virus file/ ||
$header =~ /^Subject: Filter scan result notification from / ||
$header =~ /^Subject: Illegal attachment type found in sent message/ ||
$header =~ /^Subject: InterScan NT Alert$/ ||
$header =~ /^Subject: Mail delivery failed \(virus detected\)/ ||
$header =~ /^Subject: MDaemon (Notification -- Attachment Removed|Warning - Virus Found)/ ||
$header =~ /^Subject: Norton AntiVirus detected (and quarantined )?a virus/ ||
$header =~ /^Sublect: Panda Antivirus Platinum warning$/i ||
$header =~ /^Subject: Returned due to virus; was:/ ||
$header =~ /^Subject: Spam mail warning notification/ ||
$header =~ /^Subject: Virenwarnung$/ ||
$header =~ /^Subject: Virus detected$/ ||
$header =~ /^Subject: Virus Detected by Network Associates/ ||
$header =~ /^Subject: (?:MailMarshal|Symantec Mail Security) (?:has )?detected / ||
$header =~ /^Subject: (?:Warning *[:!-]* *)?(?:E-mail )?Virus(?:es)? (Alert|Detected|Found)/i ||
0) {
my $msg = $this->{_message};
if (defined($msg)) {
$ctx->setreply('554', '5.7.1', $msg);
}
return SMFIS_REJECT;
}
SMFIS_CONTINUE;
}
1;
__END__
=back
=head1 BUGS
The rules could be much simpler, but at risk of catching legit mail.
A future release will simplify the regex tests.
=head1 AUTHOR
Todd Vierling, E<lt>tv@duh.orgE<gt> E<lt>tv@pobox.comE<gt>
=head1 SEE ALSO
L<Mail::Milter::Object>
=cut
|
