Virus e-mails



Armadillo
09-06-2003, 01:28 AM
Howdy.

I keep getting virus e-mails bounced to me, but I did not send them. The "from" part of the e-mails has my e-mail address. My computer is virus free.
I know there is a virus out there that sends itself as other people from your address book. I'm guessing someone who has my e-mail address is infected with this virus.

Is anyone else getting these messages?

Is there anything I can do about it? Is it possible to change my e-mail addresses so that the one in question is not valid so that I can stop receiving them?

FZ
09-13-2003, 05:21 PM
Hi Armadillo

Sorry for the late reply, only noticed this now. Check out: http://forums.westhost.com/phpBB2/viewtopic.php?t=239

Let me know if you need specific help with it...

Armadillo
09-13-2003, 11:55 PM
Thanks Fayez. That's great!
I'll give it a try.
I'm on 2.0 though, so I don't know if it will function. References to the mail server (westhost35) will have to change. I think my server, as shown in e-mail headers, is my domain. And I'm not exactly sure where to put the file on the server.

I may just try to make a .procmailrc to delete spam and viral attachments. Maybe....


# procmail variables are case-sensitive: HOME is preset, "home" is not
LOGFILE=$HOME/proclog.log

# anything SpamAssassin has already flagged goes straight to the bit bucket
:0
* ^X-Spam-Status: Yes
/dev/null

# for multipart mail, scan the body (B flag) for risky attachment names
:0
* ^Content-Type: MULTIPART/MIXED
{
:0B
* ^Content-Disposition: (attachment|inline);
* filename=\/".*\.(bat|pif|com|vbs|scr)"
/dev/null
}

# everything else: normal delivery
:0
${DEFAULT}

:?

FZ
09-14-2003, 10:48 AM
Armadillo,

Glad to help. I have two accounts - one on "1.0" and the other on 2.0. Everything in that post refers to my 1.0 account, as you noticed. However, it should all function properly on 2.0. There are just a couple of differences I want to point out to you before you start pulling your hair out:

1. .procmailrc on 2.0 goes in / not /home/username (except for non-root accounts - i.e. secondary FTP accounts).
2. Logging does not seem to work properly with the way I defined it in that post... I suggest you use the following in your .procmailrc instead of just LOGFILE...


MAILDIR=/
LOGFILE=/.procmaillog
LOGABSTRACT=YES
SHELL=/bin/sh


That way, if you decide to filter mail to a mailbox file, it will be saved in the root directory (you could save it in mail/ if you want to be able to use Pine to read it). Your log file will be called .procmaillog and will also be saved in /. Not quite sure what LOGABSTRACT does, but without it (on 2.0) nothing is logged!

The "westhost35" references mail that has a To:, From: or Message-ID: with @westhost35... in it - this is almost always spam (don't worry, WestHost never sends mail from your server). As you said, this will probably need to be changed. Just have a look at the headers above on spam you receive and see if they ever have a suspicious To:, From: or Message-ID: that does not match your domain.

And this:


:0:
* ! ^From: Mail Delivery Subsystem <MAILER-DAEMON@westhost35.westhost.net>
* ^Subject.*Undeliver(ed|able) ((e)?mail|message)|^Subject.*returned (mail|message)|^Subject.*mail delivery|^Subject.*mail (delivery|system)|^Subject.*delivery ((status)? notification|failure)|^Subject.*failure notice|^Subject.*daemon|^Subject.*(virus found|found virus|virus detected|detected a virus|virus alert|failed to clean virus|unrepairable|viruses|virus in your mail|network associates webshield|potentially unsafe content)
mail/Virus-Epidemic

Is what will take care of the bounced mail that you did not send. Just make sure to change Mail Delivery Subsystem <MAILER-DAEMON@westhost35.westhost.net> - the reference to your own mailer-daemon. Change it to suit exactly what your own mailer-daemon's from looks like. And a side note, this will probably filter legit mail bounces too - but only those that the other person's mailer-daemon sends back to you...

I recommend you initially move all that mail to a file instead of straight to trash - you do not want to trash all your legitimate mail by accident! Lastly, you should have a second colon on the last condition:


:0:
${DEFAULT}

You should have one on the ^X-Spam... one too. I think the only time you do not use a second colon is where you have nested conditions (like you do with that attachments one) - leave it out on the first :0 of the condition, but have it for subsequent ones - and when you are using Procmail to forward mail.

Hope that helps. Good luck! Let me know how it goes.
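To see what the recipes in this thread would actually do before dropping them into a live .procmailrc, here is an added Python example (not code from either poster) that applies the same three tests - the X-Spam-Status flag from Armadillo's file, the risky attachment extensions, and FZ's "bounce not sent by my own mailer-daemon" rule - to a handful of constructed messages and reports which folder each would land in. The messages, the addresses and the OWN_MAILER_DAEMON value are all made up for the example; the regex alternation is copied from FZ's Subject: condition. Following FZ's advice, nothing is sent to /dev/null: every match is routed to a named folder so a wrong guess is recoverable.

```python
"""Dry-run of the thread's procmail rules against constructed sample mail."""
import re
from email import message_from_string

# Procmail matches case-insensitively by default, hence re.IGNORECASE.
SPAM_FLAG = re.compile(r"^yes\b", re.I)                      # ^X-Spam-Status: Yes
RISKY_ATTACHMENT = re.compile(r"\.(bat|pif|com|vbs|scr)$", re.I)
BOUNCE_SUBJECT = re.compile(                                   # FZ's Subject: alternation
    r"undeliver(ed|able) ((e)?mail|message)|returned (mail|message)|"
    r"mail delivery|mail (delivery|system)|delivery ((status)? ?notification|failure)|"
    r"failure notice|daemon|virus found|found virus|virus detected|detected a virus|"
    r"virus alert|failed to clean virus|unrepairable|viruses|virus in your mail|"
    r"network associates webshield|potentially unsafe content", re.I)

# Hypothetical: what your OWN server's bounces carry in From:. Bounces from
# this sender are real failures of mail you sent, so they stay in the inbox.
OWN_MAILER_DAEMON = "Mail Delivery Subsystem <MAILER-DAEMON@mail.example.com>"


def classify(raw: str) -> str:
    """Return the folder the thread's rules would file this message into."""
    msg = message_from_string(raw)
    if SPAM_FLAG.match(msg.get("X-Spam-Status", "")):
        return "spam"
    # walk() covers every MIME part; get_filename() reads the same
    # Content-Disposition filename= the procmail body (:0B) recipe looks at.
    for part in msg.walk():
        name = part.get_filename()
        if name and RISKY_ATTACHMENT.search(name):
            return "risky-attachment"
    if BOUNCE_SUBJECT.search(msg.get("Subject", "")) and \
            not msg.get("From", "").startswith(OWN_MAILER_DAEMON):
        # Caveat from the thread: a genuine bounce returned by someone ELSE's
        # mailer-daemon matches here too, so file it, don't delete it.
        return "Virus-Epidemic"
    return "inbox"


# Constructed sample messages (all addresses and content are fictitious).
SAMPLES = {
    "spam_flagged": (
        "From: promo@spam.example.net\nTo: me@example.com\n"
        "Subject: cheap watches\nX-Spam-Status: Yes, score=9.1\n\nbuy now\n"),
    "scr_attachment": (
        "From: friend@example.org\nTo: me@example.com\nSubject: check this out\n"
        "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"XYZ\"\n\n"
        "--XYZ\nContent-Type: text/plain\n\nsee attached\n"
        "--XYZ\nContent-Type: application/octet-stream\n"
        "Content-Disposition: attachment; filename=\"photo.scr\"\n\nMZ...\n--XYZ--\n"),
    "foreign_bounce": (
        "From: MAILER-DAEMON@other.example.net\nTo: me@example.com\n"
        "Subject: Undelivered Mail Returned to Sender\n\nThe message could not be delivered.\n"),
    "own_bounce": (
        f"From: {OWN_MAILER_DAEMON}\nTo: me@example.com\n"
        "Subject: Returned mail: see transcript for details\n\nUser unknown.\n"),
    "plain": (
        "From: colleague@example.org\nTo: me@example.com\n"
        "Subject: lunch tomorrow?\n\nNoon works for me.\n"),
}


def classify_all() -> dict:
    """Folder decision for every constructed sample, keyed by sample name."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, folder in classify_all().items():
        print(f"{name:16} -> {folder}")
```

Run it and compare the output with what you expect before enabling the real recipes; the "own_bounce" case is the one that shows why FZ's `!` condition on your own mailer-daemon's From: matters, since without it every returned message, including real failures of mail you sent, would end up in Virus-Epidemic.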