Solved

Remove infected virus attachment and substitute another message body

Posted on 2004-03-28
Last Modified: 2007-11-27
I have a good working setup of ClamAV that catches email viruses very well (several a day lately!).  Right now my system sends all infected mail to /dev/null.  Everything works great that way.

What I would like to do is to send the intended RECIPIENT of the message a note that a message arrived infected and was deleted before it got to his inbox.  (Note:  NOT the sender!)  

No problem for me to change the SUBJECT to "VIRUS FOUND - CONTENT DELETED".  That part is easy.

What I want to do is to REPLACE both the body and attachment with a few lines explaining what happened and then send the mail on to the recipient's mailbox with the headers as they were (WITHOUT the body and file attached of course.)

I think this can be done within the recipe that identifies that a virus was found BEFORE (or in place of) sending it on to /dev/null...  here is that part of my .procmailrc file:
--------------------
:0fw
| /usr/local/bin/clamassassin

# a virus was present - we need to send the recipient a note, with the
# original headers, that a virus was found and removed!
# FOR NOW we will just remove the whole thing.  (No lockfile is needed for
# /dev/null, and a trailing slash would make procmail treat it as a directory.)
:0
* ^X-Virus-Status: Yes
/dev/null

----------------------

Thanks!

Richard
Question by:rbartz
18 Comments
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10698277
This is what the ClamAV FAQ has to say about the mail scanner:
"Disable the ScanMail directive in clamav.conf. Our internal mail scanner is still in high development. You'd better rely upon the mime handling function of an external program (like qmail-scanner, exiscan, etc.)" (http://www.clamav.net/faq.html#pagestart)
You may be better off using Amavis (http://www.amavis.org) to create the interface between your mail server and ClamAV.

Do you really need the full headers of your original email? Would it be sufficient to have the original sender and the original subject? In general, most modern viruses have bogus senders and subjects anyway, so you don't really gain anything by retaining this information. I would just create a new message with some of the original information in the message body.
If you want to retain the header (or, most of the header), try the formail tool that comes with procmail.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 10698902
MailScanner (http://www.mailscanner.info) does this and can use ClamAV as a virus scanner. In addition the default config treats the dangerous file types (.exe, .com, .scr, etc.) as viruses and quarantines them. That helps to protect against a newly released virus for which there isn't yet a virus definition. And as a bonus, if you install SpamAssassin, you'll have a good anti-spam filter.
0
 
LVL 4

Author Comment

by:rbartz
ID: 10701499
I appreciate what you are both saying, but we have a working system.  

Currently we are running SpamBouncer on our mail server with the .procmailrc in each account's home directory (quoted above) calling ClamAV with ClamAssassin.  As I said it works very well, although we are concerned that Catherine Hampton cannot continue to support SpamBouncer by herself forever for nothing.

All I want to do is to send a note to recipients of emails that were deleted that another virus bit the dust.  You are right, I don't really need FULL headers, just the original From: and To: would be enough.

Hoping this helps,

Richard
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10702817
Look at formail (part of procmail), you can find examples about how to use it in the procmailex man page:

man procmailex
man formail

0
 
LVL 8

Accepted Solution

by:
da99rmd earned 125 total points
ID: 10703001
Here is the procmailrc you need

#Begin
:0fw
| /usr/local/bin/clamassassin

# Notify the recipient.  formail -X copies only the original From: and To:
# (no body, no blank line), so the new headers follow and an empty echo
# terminates the header block before the body text.  Mail loops are evil,
# so the notice is tagged with X-Loop and tagged messages are skipped.
:0c
* ^X-Virus-Status: Yes
* !^X-Loop: loop
| (formail -X From: -X To: ; \
   echo "X-Loop: loop"; \
   echo "Subject: Another virus stopped"; \
   echo ""; \
   echo "Body text" \
  ) | $SENDMAIL -t

# Notify the sender.  formail -r builds a complete reply header (To: the
# sender, ending with the blank line); -I replaces the generated Subject:
# and -A adds the loop tag, so the echoed text lands in the body.
:0c
* ^X-Virus-Status: Yes
* !^X-Loop: loop
| (formail -r -A"X-Loop: loop" -I"Subject: Warning"; \
   echo "You sent a virus to me, please contact your admin.") | $SENDMAIL -t

# a virus was present - FOR NOW we will just remove the whole thing
# (no lockfile needed for /dev/null)
:0
* ^X-Virus-Status: Yes
/dev/null

#End
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10703084
Don't use X-Loop: loop - this is not a unique ID, therefore your procmail will potentially flag normal emails as already seen, and will not process them with these rules. Use your own email address:
X-Loop: email@server.com
Replace all instances of X-Loop: loop with this.
0
 
LVL 4

Author Comment

by:rbartz
ID: 10703289
khkremer,

Thanks, that does it...  except I really do not want to waste bandwidth sending a "Thanks for the virus" message back to some user who probably didn't send the thing in the first place.  I just won't use that section.

But the recipe you gave works well and sends a message notifying the recipient that an email to him was intercepted.  That is what I asked.  Well done.

Thanks again,

Richard
0
 
LVL 8

Expert Comment

by:da99rmd
ID: 10703405

It can be good to send a reply: if the sender is, as usual, an infected Outlook user, the user doesn't always know he is infected, and the reply can alert someone who can fix the problem before it does so much damage to mail servers, other users, etc.

The bandwidth for sending the mail is so low that you will never notice it anyway; if you get 1000 virus mails every day, the total amount of bandwidth is (125*1000)/(3600*24) = ca. 1 B/s.

Add this at the beginning of the file to make a unique loop field:
LOOPADDR=`formail -xTo:`

and change the field:
 echo "X-Loop: loop"; \
to:
echo "X-Loop: $LOOPADDR"; \


/Rob
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10708758
Richard,
the procmail rules were not from me. I told you about formail and just added the X-Loop information.

Rob,
even though you may only have 1B/s, the problem is that most return addresses in virus emails are fake, so it's wasted bandwidth to even try to send these notifications to the (usually innocent) user who owns this email address.
I find these messages only annoying (I am absolutely sure that I don't send out any virus email, but still receive tons of these messages), and I'm probably not alone.
Also, using the 'formail -xTo:' may also be dangerous: It will extract the To: field from the email, which is not necessarily your address. If you are processing an email to a mailing list, the To: field usually contains the mailing list address, so it is possible that you are not using a unique X-Loop field. It's still best to use a real email address. I understand that if you are writing a system wide procmailrc file, this may not be possible, but there are ways to get the actual recipient address into your .procmailrc script (I just don't remember how :-( I've done this a while ago and have to check the procmail configuration on my system).
0
 
LVL 40

Expert Comment

by:jlevie
ID: 10708939
I realize that you have a "working system" and are hesitant to make any substantive changes, but MailScanner allows choices for the actions relating to a virus or spam message, and I chose to not send a bounce for either, simply because it won't work in most cases. And if one elects to bounce the message, MailScanner uses the envelope Sender, not the From: which is frequently forged, and does so in such a way as to avoid a bounce back to the MailScanner machine.
0
 
LVL 4

Author Comment

by:rbartz
ID: 10709835
Thanks Rob and jlevie,

I knew the formail way to get the To: and From:, but my mind was thinking in terms of deleting the body, and sending the message on, not in terms of a new message (DUHHH...).  And I wanted to retain the Virus info, which of course was easy too.  Just added:

:0
* ^X-Virus-Status: Yes
{
  VIRUSREPORT=`formail -xX-Virus-Report:`
}

Then used the $VIRUSREPORT in the text of the message.

SpamBouncer uses an ${ALTFROM} address that we set system wide as a junk catcher for complaints to ISPs and for bounces.  However, on all our accounts we have bounces and complaints turned OFF simply because of the amazing amount of MAIL-BOUNCES we got back.  Anyway, we use the ${ALTFROM} as the Loop Address, which should stop the thing from looping.

The To: address should work for this though, as the message is going to go out to that address anyway.  If it is not the correct address it is not coming back in anyway, right? so, NO LOOP...  May be better than the ALTFROM address...!

I tried a MailScanner install on our backup server, but the install failed for several reasons...  I installed SpamAssassin on that same server yesterday and forwarded about 50 spam emails to the one mail account there...  It scans the mail, no problem, but what scored easily as spam in SpamBouncer was nowhere near the default 5 score for SA.  Unless I set the score down to 2, it does not come close to SpamBouncer for marking spam...  :-(

I would like a more easily configurable set of scanners, but none seem to work as well as what we are doing.  I will HAVE to switch sooner or later I suppose, but I hate to do that when it works so well and when our clients are used to what we are doing.  :-)

Oh Rob, the ClamAV FAQ quote you gave above is for a specific situation where someone was complaining about a rogue message locking up his system, and the writer was simply saying "Hey, then don't use ClamAV...".  However, ClamAV was written, in part at least, with mail scanning in mind, and has run without problems on our servers for months.... so well in fact that we didn't even install clamwatch when we upgraded servers in January.

Regards,

Richard
0
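Putting the pieces of this thread together as an added example (my code, not from any poster here and not part of procmail or formail): a small POSIX shell script that builds the replacement notice the accepted recipe assembles with formail -X. It keeps the original From: and To:, drops the body and attachment, quotes the X-Virus-Report: header the way the VIRUSREPORT variable above does, tags the notice with an X-Loop: set to a fixed local address (postmaster@example.invalid, an assumed placeholder, following khkremer's advice to use a real address rather than the To: field), and refuses to build a notice when that tag is already present. The header_field function stands in for formail -x so the script runs where formail is not installed; the infected message, its sender, subject and report string are a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the thread: build the recipient notice that the
# accepted recipe assembles with formail, using only awk so it runs stand-alone.
# The loop address and all header/sample values below are assumptions.

# Print the unfolded value of the first header named $2 in message file $1.
# Stands in for "formail -x". Continuation lines are joined and CRs dropped,
# so the result is always one line and cannot carry extra headers along.
header_field() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^$/ { exit }                           # blank line ends the header block
        found && /^[ \t]/ { sub(/^[ \t]+/, " "); val = val $0; next }
        found { exit }                          # next header starts: we are done
        {
            i = index($0, ":")
            if (i > 0 && tolower(substr($0, 1, i - 1)) == want) {
                found = 1
                val = substr($0, i + 1)
                sub(/^[ \t]+/, "", val)
            }
        }
        END { if (found) print val }' "$1"
}

# True when the message already carries our own X-Loop marker.
is_looped() {
    [ "$(header_field "$1" X-Loop)" = "$2" ]
}

# Write the replacement message for infected file $1 to stdout, ready for
# "$SENDMAIL -t". Original From: and To: are kept (as formail -X From: -X To:
# does), body and attachment are gone, and the scanner's X-Virus-Report: is
# quoted in the new body. Prints nothing and returns 1 for a looped message.
build_notice() {
    msg=$1
    loopaddr=$2
    if is_looped "$msg" "$loopaddr"; then
        return 1
    fi
    printf 'From: %s\n' "$(header_field "$msg" From)"
    printf 'To: %s\n' "$(header_field "$msg" To)"
    printf 'X-Loop: %s\n' "$loopaddr"
    printf 'Subject: VIRUS FOUND - CONTENT DELETED\n'
    printf '\n'      # empty line: sendmail -t needs it to see where the header ends
    printf 'A message addressed to you was found to contain a virus.\n'
    printf 'The message body and attachment were deleted before delivery.\n'
    printf 'Original subject: %s\n' "$(header_field "$msg" Subject)"
    printf 'Scanner report: %s\n' "$(header_field "$msg" X-Virus-Report)"
    printf 'No further action is needed.\n'
}

# Constructed sample of a message as clamassassin would tag it; the sender,
# folded Subject: and report string are made up for this demo.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
From: "Spoofed Sender" <someone@example.invalid>
To: richard@example.invalid
Subject: Re: your
 document
X-Virus-Status: Yes
X-Virus-Report: Constructed.Test.Signature FOUND
Content-Type: application/octet-stream

<attachment bytes would follow here>
EOF

# Demo when run directly: the text that the recipe would pipe into $SENDMAIL -t.
build_notice "$SAMPLE" postmaster@example.invalid
```

Two details matter here: the empty line printed after the new headers is what sendmail -t uses to find the end of the header block, and every value copied from the infected message is untrusted, so header_field unfolds it onto a single line and strips CRs before it is reused, which keeps a crafted Subject: or From: from smuggling extra header lines into the notice.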
 
LVL 40

Expert Comment

by:jlevie
ID: 10710256
What version of SpamAssassin?

Were you trying to use the RPM package or the tarball distribution for the MailScanner install? And what Linux distro/version was the server?
0
 
LVL 4

Author Comment

by:rbartz
ID: 10710463
jlevie,

The SpamAssassin is version 2.63.

I think that I was installing MailScanner from a RPM for i386.  That was on our old server last year which ran RH 5... it choked right away.  Now we run RH 7.2.

Richard
0
 
LVL 4

Author Comment

by:rbartz
ID: 10710640
jlevie,

Here are the headers for a random message scanned by both programs a few minutes ago.  The original message was to my oldest mail account (50-100 spams a day).  I forwarded it to our backup server mail account which has SpamAssassin installed for testing.  Default installation (CPAN) with spamc / spamd (config - SPAMDOPTIONS="-d -a -q -x -u spamd").

SpamBouncer:  
X-Originating-IP: 69.13.153.224
X-Virus-Scanning: ClamAV Scanned - OK
X-SpamBouncer: 2.0 beta (3/23/04)
X-SBRule: Joshua Baer
X-SBRule: Filter Evasion (Hashbusting) (Score: 0)
X-SBRule: Filter Evasion (Invisible Font Settings) (Score: 0)
X-SBScore: 23 (Spam Threshold: 20) (Block Threshold: 5)
X-SBClass: Spam
Subject: Spam: ( Accept Credit Cârds from Anywhere - coin)
Status:

SpamAssassin:
Importance: Normal
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on
      xxxx.xxxxxxxxxxx.xxx (server name obscured...)
X-Spam-Status: No, hits=1.5 required=2.0 tests=AWL,HTML_MESSAGE,
      NORMAL_HTTP_TO_IP autolearn=no version=2.63
X-Spam-Level: *
Status:  

Obviously the two programs found significantly different results.  I am not comparing the raw scores (23 and 1.5) but the end result of marking or not marking.  I tried almost 50 pieces yesterday to see, and after 10 I reduced the score on SpamAssassin to 2 and started getting some mail marked SPAM.  However, the results were still poor compared to SpamBouncer....

What do you think?

Richard

0
 
LVL 8

Expert Comment

by:da99rmd
ID: 10711374
You have to teach your SpamAssassin what is spam and what's not.
I have found this useful script on the net; it helps you make this procedure more automatic.

# su - cyrus
cyrus@hostname:~> cyradm
cyradm> connect localhost
Password:
localhost> cm spammed
localhost> cm not-spammed
localhost> lam spammed anyone all
localhost> lam not-spammed anyone all
localhost> exit
cyrus@hostname:~> exit

This should create two mailboxes that are under the folder 'Shared Folders' when viewed with an IMAP client.

Then setup a cron job which runs a script like this -


------sa-learn.sh------------------------------

#!/bin/bash

# thanks to Holger Dunkel for basis of this script
# culled from the suse-slox-e@suse.com mailing list

# run sa-learn on spammed mailbox
#
spamdir=spammed
dir=/var/spool/imap/$spamdir
c=0
if [ -d "$dir" ]; then
    cd "$dir" && echo "now in $dir"
    # Cyrus stores each message as a file named "<uid>."
    for i in *. ; do
        if [ -f "$i" ]; then
            cat "$i" | su - nobody -c "sa-learn --showdots --spam --single"
            echo "$i, $c"
            # this removes emails from the shared folder
            rm -v "$i"
            let c++
        fi
    done
    # as user cyrus reconstruct the maildir files
    su - cyrus -c "reconstruct $spamdir"
    echo "processed $c mails"
else
    echo "$dir not found"
    exit 1
fi

# run sa-learn on not-spammed mailbox
#
hamdir=not-spammed
dir=/var/spool/imap/$hamdir
c=0
if [ -d "$dir" ]; then
    cd "$dir" && echo "now in $dir"
    for i in *. ; do
        if [ -f "$i" ]; then
            cat "$i" | su - nobody -c "sa-learn --showdots --ham --single"
            echo "$i, $c"
            # this removes emails from the shared folder
            rm -v "$i"
            let c++
        fi
    done
    # as user cyrus reconstruct the maildir files
    su - cyrus -c "reconstruct $hamdir"
    echo "processed $c mails"
else
    echo "$dir not found"
    exit 1
fi

# integrate learned stuff
#
su - nobody -c "sa-learn --rebuild"
0
 
LVL 4

Author Comment

by:rbartz
ID: 10711717
da99rmd,

First of all, thanks for the solution, somehow I thought it was khkremer.  I did give you the points, though...:-) Sorry for the mistake.

And thanks for the suggestions on training SpamAssassin.  However, all of our (400+) users are POP3 users, so their mailboxes are emptied when they get the mail...  

I suppose we would have to set up a spam mailbox that our clients could use to mail spam back into for training SpamAssassin, but I can only guess what we would be going through to get them to do that.  And really, they shouldn't have to be bothered.  

SpamAssassin probably needs to look at using the KNOWN pool of spam more efficiently, either by changing the scoring system to reflect current trends, or by making a pool of current spam messages available for "training".  That may even be a good suggestion...  the latest 5000 spam messages in a public read only folder somewhere that could be downloaded into a temporary folder and used to train SpamAssassin.  Sounds like a good idea to me!

Thanks again, all of you, for your advice and help, I am learning more all the time.

Regards.

Richard
0
 
LVL 8

Expert Comment

by:da99rmd
ID: 10711781

Np Richard,
Were the points intended for khkremer? If so, I'll give him the points, just say the word.

Happy spam hunting

/Rob

 
0
 
LVL 4

Author Comment

by:rbartz
ID: 10711975
Rob,

No, you gave me the simple answer that lets my computer challenged clients be informed that their mail was scanned, a virus was found and deleted, and no further action is necessary.  You answered the question in a way I could use it, you get the points.  

I do appreciate all the others in any case.  This is the third question I have posed in the last couple of months, and I am very pleased with the support of the Experts-Exchange community.

Richard
0
