Full Version: Howto: Quick and dirty SoBig.f blocking
The Planet Forums > Control Panels > cPanel/WHM > Cpanel/WHM HOWTOs
x222943
There are many more, cleaner, more robust ways to block these emails, but when you and several of your users are receiving in excess of 100 emails per hour, the quick and dirty always works.


First, type

pico -w /etc/antivirus.exim


Then, copy and paste this to the top of the file: (or anywhere)

CODE
## -----------------------------------------------------------------------
# Blocking for W32.Sobig.F@mm

# Subject lines the worm is known to use
if $header_subject: matches "Re: Approved|Re: Details|Re: My details|Re: Thank you!|Re: That movie|Re: Wicked screensaver|Re: Your application"
then
 fail text "This message has been rejected since it has\n\
            the signature of a known virus (W32.Sobig.F@mm) in the subject header.\n\
            If you believe this bounce message is in error, please\n\
            change the subject field of your email and re-send.\n\
            The URL below has more information on W32.Sobig.F@mm:\n\
            http://www.securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html"
 seen finish
endif

# Body text the worm is known to use
if $message_body matches "See the attached file for details|Please see the attached file for details"
then
 fail text "This message has been rejected since it has\n\
            the signature of a known virus (W32.Sobig.F@mm) in the message body.\n\
            If you believe this bounce message is in error, please\n\
            change the message body of your email and re-send.\n\
            The URL below has more information on W32.Sobig.F@mm:\n\
            http://www.securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html"
 seen finish
endif

## -----------------------------------------------------------------------



After that, type:

Ctrl+X to save and exit

Then:

service exim restart


Works very well, but is not meant to be permanent as it may also filter some legitimate email.
REBIS
I propose a down & dirtier method...

Let's find the SOB who wrote this PITA worm and kick his a**!
raventec2
Thanks for that x222943. Seems to be working just fine.

REBIS, ROFL. Can we put them on webcam and charge $9.95 through PayPal? I'm sure A LOT of people would want to watch!
DanDanFireMan
Sorry, can't read
Devain
Hello

I tried this code and it stores the files in the cPanel mail queue and they never get sent out. Is there a way to also delete these as they come in? Also, when I attempt to deliver all messages in the queue, I get this error:

LOG: MAIN PANIC
Error in system filter: quote missing at end of string in line 1
LOG: MAIN PANIC
Error in system filter: quote missing at end of string in line 1
LOG: MAIN PANIC
Error in system filter: quote missing at end of string in line 1
LOG: MAIN PANIC
Error in system filter: quote missing at end of string in line 1
LOG: MAIN PANIC
Error in system filter: quote missing at end of string in line 1
LOG: MAIN PANIC
Error in system filter: quote missing at end of string in line 1
LOG: MAIN PANIC
Error in system filter: quote missing at end of string in line 1
LOG: queue_run MAIN
End queue run: pid=8949


Any ideas?
raventec2
How about just using a crontab to delete it?
x222943
Devain, I'm using the above code, exactly as posted on Exim 4.20-320. Be sure you copied it exactly. It sounds like you just missed one of the quotes.
REBIS
QUOTE
Originally posted by raventec2

REBIS, ROFL. Can we put them on webcam and charge $9.95 through PayPal? I'm sure A LOT of people would want to watch!


Sure thing, but I could use a partner...interested? I already registered the perfect dom:

www.KickYourWormyButtOnline.com.

That's the ticket...an A/V vigilante mob! I'd ring up Charles Bronson, but at 83, I don't think he'd be up for "Digital Death Wish I".

-Reb
raventec2
Heheh, you bet I'm in, REBIS. Hmm.. maybe we could get someone else and Charles Bronson might be willing to make a cameo appearance?
Showparts
Works great! Very helpful. Thanks for the post!
REBIS
QUOTE
Originally posted by raventec2
Heheh, you bet I'm in, REBIS. Hmm.. maybe we could get someone else and Charles Bronson might be willing to make a cameo appearance?


Great! I knew I could count on you, ravenmeister. I'll have my atty draw up the LLC and we'll do lunch. Maybe Laurence Fishburne à la Morpheus would be more appropriate.
MrLister
I'm getting the same error as above and I put it in perfectly.
MrLister
If I put down just

if $header_subject: matches "Re: Approved|Re: Details|Re: My details|Re: Thank you!|Re: That movie|Re: Wicked screensaver|Re: Your application"
then
fail text "This message has been rejected since it has\n\
the signature of a known virus (W32.Sobig.F@mm) in the subject header.\n\
If you believe this bounce message is in error, please\n\
change the subject field of your email and re-send.\n\
The URL below has more information on W32.Sobig.F@mm:\n\
http://www.securityresponse.symantec.com/a...sobig.f@mm.html"
seen finish
endif

if $message_body matches "See the attached file for details|Please see the attached file for details"
then
fail text "This message has been rejected since it has\n\
the signature of a known virus (W32.Sobig.F@mm) in the message body.\n\
If you believe this bounce message is in error, please\n\
change the message body of your email and re-send.\n\
The URL below has more information on W32.Sobig.F@mm:\n\
http://www.securityresponse.symantec.com/a...sobig.f@mm.html"
seen finish
endif

Then it works, so it's something with your commenting that makes it stop working.
freddo
If you use "seen finish" then the email is blackholed, so all that text destined for the sender is useless.

SoBig is blocked by Exim anyway. It just gets caught in the mail queue because there is no valid return address.

Better solution (from the cPanel forum):
TO REMOVE .exe, .scr, .pif, .ad[ep] from the mail queue

This affects email that has a virus file and no valid return address.
antivirus.exim attempts to return virus files (with a nice message);
where the return-to address is invalid, they get stuck in the queue.

If it's not the first delivery, then blackhole (seen finish) any email with attachment .ad[ep], .scr, .pif, .exe.
Else check for an attachment and return to sender if there is one.


In /etc/antivirus.exim, before the section:
CODE
*** START CONF FILE TEXT ***

## -----------------------------------------------------------------------
# Only run any of this stuff on the first pass through the
# filter - this is an optimisation for messages that get
# queued and have several delivery attempts
#
# we express this in reverse so we can just bail out
# on inappropriate messages
#
if not first_delivery
then

 # Look for .pif, .scr or .exe in files and REMOVE them!
 # Quoted filename in the Content-Type header - [content_type_quoted_fn_match]
 if $header_content-type: matches "(?:file)?name=(\\"[^\\"]+\\.(?:ad[ep]|exe|pif|scr)\\")"
 then
  seen finish
 endif

 # same again using unquoted filename [content_type_unquoted_fn_match]
 if $header_content-type: matches "(?:file)?name=(\\S+\\.(?:ad[ep]|exe|pif|scr))"
 then
  seen finish
 endif

 ## -----------------------------------------------------------------------
 # Look for .pif, .scr or .exe in files and REMOVE them!
 # Quoted filename in a MIME part header or uuencode "begin" line - [body_quoted_fn_match]
 if $message_body matches "(?:Content-(?:Type:(?>\\s*)[\\w-]+/[\\w-]+|Disposition:(?>\\s*)attachment);(?>\\s*)(?:file)?name=|begin(?>\\s+)[0-7]{3,4}(?>\\s+))(\\"[^\\"]+\\.(?:ad[ep]|exe|pif|scr)\\")[\\s;]"
 then
  seen finish
 endif

 # same again using unquoted filename [body_unquoted_fn_match]
 if $message_body matches "(?:Content-(?:Type:(?>\\s*)[\\w-]+/[\\w-]+|Disposition:(?>\\s*)attachment);(?>\\s*)(?:file)?name=|begin(?>\\s+)[0-7]{3,4}(?>\\s+))(\\S+\\.(?:ad[ep]|exe|pif|scr))[\\s;]"
 then
  seen finish
 endif

 finish
endif
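A dry-run harness for the rules in this thread, added here as an example and not part of x222943's or freddo's posts: it mirrors the SoBig subject/body signatures and freddo's attachment-extension patterns in Python so they can be checked against sample messages before /etc/antivirus.exim is edited. The sample messages are constructed; Exim's atomic groups (?>\s*) are written as plain \s* (they match the same strings), and matching is case-insensitive as a lower-case Exim `matches` condition is.

```python
import re

# Constructed dry-run harness (not from the thread): the same pattern logic as the
# antivirus.exim rules above, so an admin can see which rule a message would hit
# before touching the live filter. re.I mirrors Exim's case-independent `matches`.
FLAGS = re.I

SOBIG_SUBJECT = re.compile(
    r"Re: Approved|Re: Details|Re: My details|Re: Thank you!|Re: That movie"
    r"|Re: Wicked screensaver|Re: Your application", FLAGS)
SOBIG_BODY = re.compile(
    r"See the attached file for details|Please see the attached file for details", FLAGS)

# freddo's extension list; the full antivirus.exim list later in the thread is a superset
EXTS = r"(?:ad[ep]|exe|pif|scr)"
CT_QUOTED = re.compile(r'(?:file)?name=("[^"]+\.' + EXTS + r'")', FLAGS)
CT_UNQUOTED = re.compile(r"(?:file)?name=(\S+\." + EXTS + r")", FLAGS)
# A MIME part header, or a uuencode "begin 644 name" line, inside the message body
BODY_PREFIX = (r"(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);\s*"
               r"(?:file)?name=|begin\s+[0-7]{3,4}\s+)")
BODY_QUOTED = re.compile(BODY_PREFIX + r'("[^"]+\.' + EXTS + r'")[\s;]', FLAGS)
BODY_UNQUOTED = re.compile(BODY_PREFIX + r"(\S+\." + EXTS + r")[\s;]", FLAGS)

RULES = (  # evaluated in the order the thread places them in the filter file
    ("sobig_subject", SOBIG_SUBJECT, "subject"),
    ("sobig_body", SOBIG_BODY, "body"),
    ("content_type_quoted_fn_match", CT_QUOTED, "content_type"),
    ("content_type_unquoted_fn_match", CT_UNQUOTED, "content_type"),
    ("body_quoted_fn_match", BODY_QUOTED, "body"),
    ("body_unquoted_fn_match", BODY_UNQUOTED, "body"),
)


def check_message(subject, content_type, body):
    """Return the name of the first rule that would reject the message, or None."""
    fields = {"subject": subject, "content_type": content_type, "body": body}
    for name, rx, field in RULES:
        if rx.search(fields[field]):
            return name
    return None


# Constructed sample messages: (Subject, Content-Type header, body)
SAMPLES = {
    "sobig_subject": ("Re: Thank you!", "text/plain", "Hello"),
    "sobig_body": ("Hi", "text/plain", "Please see the attached file for details."),
    "single_part_pif": ("Quarterly numbers", 'application/octet-stream; name="movie.pif"', "MZ..."),
    "multipart_scr": ("Screensaver", 'multipart/mixed; boundary="b"',
                      '--b\nContent-Disposition: attachment; filename="winter.scr"\n'
                      "Content-Transfer-Encoding: base64\n"),
    "uuencoded_exe": ("Setup", "text/plain", "begin 644 setup.exe\nM0T1-...\nend\n"),
    # the false positive x222943 warns about: a legitimate reply whose subject starts "Re: Details"
    "legit_reply_false_positive": ("Re: Details of the invoice", "text/plain", "Totals attached."),
    "zip_attachment": ("Report", 'application/zip; name="report.zip"', "PK..."),
}


def run_samples():
    """Map each sample name to the rule it triggers (None means it would be delivered)."""
    return {name: check_message(*msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, rule in run_samples().items():
        print(f"{name:28s} -> {rule}")
```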
x222943
QUOTE
Originally posted by freddo
if you use "seen finish" then the email is blackholed - so all that text destined for the sender is useless.

sobig is blocked by exim anyway. it just gets caught in the mailqueue because there is no valid return address.



...I wish. Exim is worthless.. every upgrade they remove @#!@#!@#!@#! with no warning, change directives.. I'd take sendmail over it if I had a choice..
Ivan
QUOTE
Originally posted by REBIS
I propose a down & dirtier method...

Let's find the SOB who wrote this PITA worm and kick his a**! mad.gif

I think they should string him up by the testiculars.
raventec2
Yeah, I don't think we want this person breeding, but can we let him clean out all these "Warning: E-mail viruses detected" from my inbox and everyone else's first? For some reason the patch that was working stopped working.
freddo
QUOTE
Originally posted by x222943
...I wish. Exim is worthless.. every upgrade they remove @#!@#!@#!@#! with no warning, change directives.. I'd take sendmail over it if i had a choice..

IMHO Exim is lots better than sendmail. Lots of things that I had to do to sendmail are already done in Exim - much better. However, you can't just whack a bunch of code into a file "anywhere" and expect it to work. The code you posted is incorrectly written and definitely shouldn't be "pasted in anywhere". The correct code is what I posted and it should be placed where I said. I have no viruses in the queue and none being delivered to inboxes on my server.

You can't blame Exim because you don't know what you're doing.
raventec2
I know sendmail better than exim, but I think exim shows more promise. I definitely don't understand exim yet.
It's kind of getting obvious that something in my Exim configuration is hosed, because neither one of these methods is working for me.
I think I'm going to start with a fresh exim because I'm getting creamed right now.
I'd much rather take the time to muddle through and fix whatever is broken, but after being up over 3 days I doubt I could find it.
raventec2
freddo, I'm unclear on where your code goes. When I try to process the mail queue, I keep getting this error:
"LOG: MAIN PANIC
Error in system filter: unexpected "endif" command near line 70 of filter file"
I'm pretty sure I've just got it in the wrong place. My queue is getting pretty large though.
freddo
In the first 4 lines of CODE between:
if not first_delivery
then

AND

finish
endif

In my post just cut and paste the code between those lines - don't include them again. I only included that portion of the file (that is already there) so people could see where to add the NEW code.
raventec2
Thanks much freddo! I was being TOO literal with the code and got myself muddled up with asking myself too many questions and trying to learn exim at the same time.
freddo
Don't forget to:
service exim stop
service exim start
after saving the file. A restart is not enough with Exim.
raventec2
That's something I didn't know.
Everything seems to be working ok now. Thanks again
Devain
hello again

I would like to thank you for your reply and sorry for my late reply. The code worked fine; you are right, the code was just copied wrong.


What I have been trying to do is install MailScanner on my two rackshack boxes that have cPanel's latest and Exim's latest. The problem I am having is that when I install everything, the server processes the incoming email fine, but there always seem to be errors when sending email to certain mail domains from scripts, so I am not even sure if I am receiving all my mail.

right now I have it installed back to default exim settings

this is the guide I used don't know why it would cause problems with sending mail. If you used this any suggestions would be helpful.

Exim 4.20 + MailScanner + Clam AV Full Guide for Cpanel 7.x

http://www.cpanelplus.com/staticpages/inde...003073009541160


Anyway, enough babble from me.

Much appreciated

Devain
eth00
I keep having somebody relay stuff through my cPanel server using some phpbulkmailer software and a domain that is set up on my box. Is it possible to look at the headers and just delete any email with a certain string? It looks like the code I would need is posted above, just with slightly different headers.

I really hate when 10,000+ pieces of mail go through exim+mailscanner; it lags the entire system and I have to keep flushing the queue. As far as cPanel is concerned it "should" be secure, and I know the owner of the domain is not sending the spam out.

Thanks for any help you can give.

*edit* for now I just set a 30 email per hour sending limit which works decent enough, but this seems like a really good way to implement what I need. Again thanks
robertk1
Is there a script or addon for ensim that will relay emails with .scr or .pif attachments to blackhole?

OR, is there an easy way to have the system simply delete any .scr or .pif attachments while bouncing a short message back to the sender?

Thanks!
lowspeed
QUOTE
Originally posted by freddo
If you use "seen finish" then the email is blackholed, so all that text destined for the sender is useless.

SoBig is blocked by Exim anyway. It just gets caught in the mail queue because there is no valid return address.

Better solution (from the cPanel forum):
TO REMOVE .exe, .scr, .pif, .ad[ep] from the mail queue

This affects email that has a virus file and no valid return address.
antivirus.exim attempts to return virus files (with a nice message);
where the return-to address is invalid, they get stuck in the queue.

If it's not the first delivery, then blackhole (seen finish) any email with attachment .ad[ep], .scr, .pif, .exe.
Else check for an attachment and return to sender if there is one.


In /etc/antivirus.exim, before the section:
CODE
*** START CONF FILE TEXT ***

## -----------------------------------------------------------------------
# Only run any of this stuff on the first pass through the
# filter - this is an optimisation for messages that get
# queued and have several delivery attempts
#
# we express this in reverse so we can just bail out
# on inappropriate messages
#
if not first_delivery
then

 # Look for .pif, .scr or .exe in files and REMOVE them!
 # Quoted filename in the Content-Type header - [content_type_quoted_fn_match]
 if $header_content-type: matches "(?:file)?name=(\\"[^\\"]+\\.(?:ad[ep]|exe|pif|scr)\\")"
 then
  seen finish
 endif

 # same again using unquoted filename [content_type_unquoted_fn_match]
 if $header_content-type: matches "(?:file)?name=(\\S+\\.(?:ad[ep]|exe|pif|scr))"
 then
  seen finish
 endif

 ## -----------------------------------------------------------------------
 # Look for .pif, .scr or .exe in files and REMOVE them!
 # Quoted filename in a MIME part header or uuencode "begin" line - [body_quoted_fn_match]
 if $message_body matches "(?:Content-(?:Type:(?>\\s*)[\\w-]+/[\\w-]+|Disposition:(?>\\s*)attachment);(?>\\s*)(?:file)?name=|begin(?>\\s+)[0-7]{3,4}(?>\\s+))(\\"[^\\"]+\\.(?:ad[ep]|exe|pif|scr)\\")[\\s;]"
 then
  seen finish
 endif

 # same again using unquoted filename [body_unquoted_fn_match]
 if $message_body matches "(?:Content-(?:Type:(?>\\s*)[\\w-]+/[\\w-]+|Disposition:(?>\\s*)attachment);(?>\\s*)(?:file)?name=|begin(?>\\s+)[0-7]{3,4}(?>\\s+))(\\S+\\.(?:ad[ep]|exe|pif|scr))[\\s;]"
 then
  seen finish
 endif

 finish
endif


Could you explain which code to add and where?

got confused by the wording: "In /etc/antivirus.exim, before the section:"


Thanks !
freddo
QUOTE
Originally posted by lowspeed
Could you explain which code to add and where?

got confused by the wording: "In /etc/antivirus.exim, before the section:"


Thanks !

Sorry, very bad wording - I meant look in antivirus.exim and add the code in the appropriate spot. I went into more detail further up.
lowspeed
I found an easier way to avoid the queue filling up due to fake email addresses originating from viruses.

Basically you add the keyword "noerror" before fail; this way, even if it's a failed attempt to deliver, it will not try again.

in the antivirus.exim:




CODE
## -----------------------------------------------------------------------
# Only run any of this stuff on the first pass through the
# filter - this is an optimisation for messages that get
# queued and have several delivery attempts
#
# we express this in reverse so we can just bail out
# on inappropriate messages
#
if not first_delivery
then
 finish
endif

## -----------------------------------------------------------------------
# Check for MS buffer overruns as per BUGTRAQ.
# http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61
# This could happen in error messages, hence its placing
# here...
# We subtract the first n characters of the date header
# and test if it's the same as the date header... which
# is a lousy way of checking if the date is longer than
# n chars long
if ${length_80:$header_date:} is not $header_date:
then
 noerror fail text "This message has been rejected because it has\n\
            an overlength date field which can be used\n\
            to subvert Microsoft mail programs\n\
            The following URL has further information\n\
            http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D61"
 seen finish
endif

## -----------------------------------------------------------------------
# These messages are now being sent with a <> envelope sender, but
# blocking all error messages that pattern match prevents
# bounces getting back.... so we fudge it somewhat and check for known
# header signatures.  Other bounces are allowed through.
if $header_from: contains "@sexyfun.net"
then
 noerror fail text "This message has been rejected since it has\n\
            the signature of a known virus in the header."
 seen finish
endif

if error_message and $header_from: contains "Mailer-Daemon@"
then
 # looks like a real error message - just ignore it
 finish
endif

## -----------------------------------------------------------------------
# Look for single part MIME messages with suspicious name extensions
# Check Content-Type header using quoted filename [content_type_quoted_fn_match]
if $header_content-type: matches "(?:file)?name=(\\"[^\\"]+\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\\")"
then
 noerror fail text "This message has been rejected because it has\n\
            potentially executable content $1\n\
            This form of attachment has been used by\n\
            recent viruses or other malware.\n\
            If you meant to send this file then please\n\
            package it up as a zip file and resend it."
 seen finish
endif

# same again using unquoted filename [content_type_unquoted_fn_match]
if $header_content-type: matches "(?:file)?name=(\\S+\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"
then
 noerror fail text "This message has been rejected because it has\n\
            potentially executable content $1\n\
            This form of attachment has been used by\n\
            recent viruses or other malware.\n\
            If you meant to send this file then please\n\
            package it up as a zip file and resend it."
 seen finish
endif

## -----------------------------------------------------------------------
# Attempt to catch embedded VBS attachments
# in emails.   These were used as the basis for
# the ILOVEYOU virus and its variants - many many variants
# Quoted filename - [body_quoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\s*)[\\w-]+/[\\w-]+|Disposition:(?>\\s*)attachment);(?>\\s*)(?:file)?name=|begin(?>\\s+)[0-7]{3,4}(?>\\s+))(\\"[^\\"]+\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\\")[\\s;]"
then
 noerror fail text "This message has been rejected because it has\n\
            a potentially executable attachment $1\n\
            This form of attachment has been used by\n\
            recent viruses or other malware.\n\
            If you meant to send this file then please\n\
            package it up as a zip file and resend it."
 seen finish
endif

# same again using unquoted filename [body_unquoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\s*)[\\w-]+/[\\w-]+|Disposition:(?>\\s*)attachment);(?>\\s*)(?:file)?name=|begin(?>\\s+)[0-7]{3,4}(?>\\s+))(\\S+\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\s;]"
then
 noerror fail text "This message has been rejected because it has\n\
            a potentially executable attachment $1\n\
            This form of attachment has been used by\n\
            recent viruses or other malware.\n\
            If you meant to send this file then please\n\
            package it up as a zip file and resend it."
 seen finish
endif

## -----------------------------------------------------------------------
Invision Power Board © 2001-2010 Invision Power Services, Inc.