The most recent one causing havoc is the Nyxem.E (aliases: Email-Worm.Win32.Nyxem.e, Kama Sutra, W32/MyWife.d@MM) worm, set to execute on the third of each month (e.g. February 3, 2006).
Here is a quick documentation of what I have done to auto-reject e-mail from ISPs whose hosts are generating rogue e-mails.
This setup has been used on Linux servers with Ensim installed, but it should be usable for others as well.
1. Requirements: MailScanner, Procmail, Sendmail, SquirrelMail
2. In "/etc/MailScanner/MailScanner.conf" check that the admin receives notifications; this is the default unless you have changed it.
CODE
Send Notices = yes
3. Set the root email to be forwarded to a user email account in "/etc/aliases" and rebuild the aliases database by running `newaliases`, if you don't already have it set up to do so.
CODE
root: user@domain.tld
4. Set up a procmail filter for the user as below in "/home/virtual/domain.tld/home/user/.procmailrc" file.
CODE
:0:
* ^Subject:.*(Virus?|Warning: E-mail viruses detected)
Virus
5. Create a "Virus" folder from within SquirrelMail for the user.
6. Put the "sendmail_reject.sh" file in "/etc/cron.hourly".
CODE
#!/bin/bash
# sendmail_reject.sh
## Change variables as appropriate
FIELD='IP Address:'
VIRUS_EMAIL_FILE=/home/virtual/domain.tld/home/user/mail/Virus
EMAIL_ACCESS_FILE=/etc/mail/access
TMP_VIRUS_IP_FILE=/tmp/virus_ip.txt
MAX_COUNT=5
## Nothing to change below
# Count how many virus notices each sending IP produced: one "<count> <ip>" line per IP
/bin/grep "${FIELD}" "$VIRUS_EMAIL_FILE" | /usr/bin/tr -d ' ' | /bin/awk -F : '{print $2}' | sort | uniq -c > "$TMP_VIRUS_IP_FILE"
# Keep only the IPs seen at least MAX_COUNT times
IP=`awk -F " " -v max="$MAX_COUNT" '{if ( $1 >= max ) print $2}' "${TMP_VIRUS_IP_FILE}"`
for x in $IP
do
    # Skip IPs that already have an entry; compare the whole first column so that
    # e.g. 10.0.0.1 is not mistaken for an existing 10.0.0.10 entry
    if ! awk -v ip="$x" '$1 == ip {found=1} END {exit !found}' "$EMAIL_ACCESS_FILE"; then
        echo "# added on: `date`" >> "$EMAIL_ACCESS_FILE"
        echo "${x} REJECT" >> "$EMAIL_ACCESS_FILE"
    fi
done
# Rebuild the access database so sendmail picks up the new entries
/usr/bin/makemap hash "${EMAIL_ACCESS_FILE}.db" < "$EMAIL_ACCESS_FILE"
# Uncomment the line below to keep a history
#/bin/cp -a "$VIRUS_EMAIL_FILE" "${VIRUS_EMAIL_FILE}_`date +%s`"
/bin/cat /dev/null > "$VIRUS_EMAIL_FILE"
7. Add the line below at the bottom of the "/etc/mail/access" file for tracking purposes.
CODE
# Auto REJECT via hourly cron
That should be it. Please make sure you understand the whole process before trying to set up the same.
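As an added example (not part of the original post), the counting and de-duplication logic of the hourly script as a function you can run against constructed sample data before wiring it into cron; the file names, sample notices and access entries below are constructed, and the check against the access file matches the whole first column rather than a substring.

```shell
#!/bin/bash
# Added example (not from the original post): the per-IP threshold and
# "already listed?" logic of sendmail_reject.sh, runnable on sample data.

# Print the client IPs reported at least $3 times in the MailScanner notice
# mailbox $1 that have no entry yet in the sendmail access file $2.
reject_candidates() {
    local notices="$1" access="$2" max="$3"
    grep 'IP Address:' "$notices" | tr -d ' ' | awk -F : '{print $2}' \
        | sort | uniq -c \
        | awk -v max="$max" '$1 >= max {print $2}' \
        | while read -r ip; do
            # Compare the whole first column: 10.0.0.1 must not be taken
            # for an existing 10.0.0.10 entry (a plain grep would do that)
            awk -v ip="$ip" '$1 == ip {found=1} END {exit !found}' "$access" \
                || printf '%s\n' "$ip"
          done
}

# Constructed sample: three notices from 10.0.0.1, two from 10.0.0.10,
# and an access file that already rejects 10.0.0.10.
sample_notices() {
    cat <<'EOF'
IP Address: 10.0.0.1
IP Address: 10.0.0.10
IP Address: 10.0.0.1
IP Address: 10.0.0.10
IP Address: 10.0.0.1
EOF
}
sample_access() {
    cat <<'EOF'
10.0.0.10 REJECT
# Auto REJECT via hourly cron
EOF
}

# demo <max_count>: run the check on the sample data and print the new
# IPs that the hourly script would append as "<ip> REJECT".
demo() {
    local max="${1:-2}" n a out
    n=$(mktemp) ; a=$(mktemp)
    sample_notices > "$n" ; sample_access > "$a"
    out=$(reject_candidates "$n" "$a" "$max")
    rm -f "$n" "$a"
    printf '%s\n' "$out"
}
```

Running `demo 2` prints only 10.0.0.1, since 10.0.0.10 is already listed; `demo 4` prints nothing because no IP reached the threshold.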