Horrific spam/virus - fetchmail?
I've been getting more and more each day of this latest virus, each with a bonus attachment of about 140k. So far, 48 today - this is a mess on a 56k dial-up...

I have fetchmail getting my mail from five different pop accounts. Is there a way to tell fetchmail to delete anything with exe attachments from the server without downloading them? Or another commandline tool that would do that? Something I can have in a script that would run before fetchmail?

Deleting them from the servers manually (there is a web interface, or using something like kshowmail) is not really an option - too much mail coming in per day, and this would (so far, thankfully) actually take more time online while the meter's running...

Thanks
Hans
On Wed, Sep 24, 2003 at 01:27:21AM +0200 or thereabouts, H du Plooy wrote:
I've been getting more and more each day of this latest virus, each with a bonus attachment of about 140k. So far, 48 today - this is a mess on a 56k dial-up...
I have fetchmail getting my mail from five different pop accounts. Is there a way to tell fetchmail to delete anything with exe attachments from the server without downloading them? Or another commandline tool that would do that? Something I can have in a script that would run before fetchmail?
Hi Hans, your wish is my command <g> Here is a perl script to remove these from your pop account before you download them.. http://www.perlmonks.org/index.pl?node_id=292982 -- Gary
On Wed, 2003-09-24 at 01:58, gary wrote:
Hi Hans,
your wish is my command <g>
Here is a perl script to remove these from your pop account before you download them..
http://www.perlmonks.org/index.pl?node_id=292982
-- Gary
Thank you Gary, this looks like what I've been looking for. I first checked fetchmail's options, and there's one that would let it not download messages over a certain size, but that would let me lose some legitimate mail. This looks like the right thing! I'll write back tomorrow this time after trying it.

Thanks
Hans
On Wed, Sep 24, 2003 at 02:49:12AM +0200 or thereabouts, H du Plooy wrote:
On Wed, 2003-09-24 at 01:58, gary wrote:
Here is a perl script to remove these from your pop account before you download them..
Thank you Gary, this looks like what I've been looking for. I first checked fetchmail's options, and there's one that would let it not download messages over a certain size, but that would let me lose some legitimate mail.
It looks really nice, although I have not tried it out, as these are blocked from my servers before they get in.
This looks like the right thing! I'll write back tomorrow this time after trying it.
Please do, I am curious as to its performance... Glad I was able to help out.

Best regards,
-- Gary
Doing a job RIGHT the first time gets the job done. Doing the job WRONG fourteen times gives you job security.
The 03.09.24 at 01:27, H du Plooy wrote:
I've been getting more and more each day of this latest virus, each with a bonus attachment of about 140k. So far, 48 today - this is a mess on a 56k dial-up...
Been there... that is (was) exactly my case.
See my previous comments on how to solve that, posted on this list during the last month:
Date: Thu, 4 Sep 2003 01:51:24 +0200 (CEST)
From: Carlos E. R.
On Wed, 2003-09-24 at 02:10, Carlos E. R. wrote:
See my previous comments on how to solve that, posted on this list during the last month: -- Cheers, Carlos Robinson
Thanks Carlos. I did read the earlier ones, but, unless I don't understand them correctly, they bounce the mails _after_ they are downloaded. I don't want to have to download them at all. The perl script from Gary seems to be working (Thanks Gary!), or I just didn't get any of these mails in the last 15 or so hours :-) Thanks Hans
Hello Hans,

Wednesday, September 24, 2003, 11:27:35 AM, you wrote:

H> I did read the earlier ones, but, unless I don't understand them
H> correctly, they bounce the mails _after_ they are downloaded. I don't
H> want to have to download them at all.
H> The perl script from Gary seems to be working (Thanks Gary!), or I just
H> didn't get any of these mails in the last 15 or so hours :-)

Sure, the virus blitz is over <g> Glad this script helped out, wish I wrote it... I saw some other reports where people have had great success with it, saving a lot of bandwidth for dialups..

-- Best regards, Gary
Well yes it does seem to have stopped. I got the first one 9.30am Thurs and several an hour on average since then, to the last one at 2pm today (so far). Can anyone explain why they should stop so suddenly?

David

On Wednesday 24 September 2003 6:02 pm, gv-dated-1064422650.epplimih@mygirlfriday.info wrote:
Sure, the virus blitz is over <g> Glad this script helped out, wish I wrote it... I saw some other reports where people have had great success with it, saving a lot of bandwidth for dialups..
The 03.09.24 at 22:46, david stevenson wrote:
Can anyone explain why they should stop so suddenly?
Probably when the "administrator" of the offending machine does his job :-) I found that a previous bunch of virus-spam came 90% from just two IPs: two cybercafes, one in Germany and the other in Chile, I think it was. So if the owner does what it should have done in the first place... or the ISP does, who knows. The present one, the pseudo patches for windows, I haven't looked at it. -- Cheers, Carlos Robinson
The 03.09.24 at 18:27, H du Plooy wrote:
I did read the earlier ones, but, unless I don't understand them correctly, they bounce the mails _after_ they are downloaded. I don't want to have to download them at all.
No, they are not downloaded. Fetchmail attempts to stop as soon as postfix tells it the mail is rejected, and that happens when it sees the offending mime header. However, it doesn't seem to happen as fast as it should.
The perl script from Gary seems to be working (Thanks Gary!), or I just didn't get any of these mails in the last 15 or so hours :-)
That is also a nice idea, deleting them right on the server. As you have that script, configure also postfix to reject those headers (a second line of defense): sometimes they come so fast that after fetching a bunch of mail, there are more of them just three minutes later. And of course, the script has to examine the headers on the server, so it needs at least a partial download, anyway...

-- Cheers, Carlos Robinson
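The "partial download" Carlos describes is what the POP3 TOP command gives you: the message headers plus the first n lines of the body, which is where the attachment's own MIME part headers live. The script below is an added example of that approach, written for this page; it is not the perlmonks script Gary linked, and the host, account, the number of body lines fetched and the extension list beyond .exe are assumptions. The offline FakePOP class and the two sample messages are constructed here so the sweep can be run without a mail server.

```python
"""Delete mail carrying executable attachments from a POP3 mailbox before fetchmail
pulls it.  Added example, not the perlmonks script from the thread; the host, account
and extension list are assumptions."""
import poplib
import re

# MIME part headers naming an executable attachment.  The thread only mentions
# .exe; the other extensions are an assumed extension of the same idea.
EXE_RE = re.compile(
    rb'^Content-(?:Disposition|Type):.*?\b(?:file)?name\*?\s*=\s*"?'
    rb'[^"\r\n;]*\.(?:exe|pif|scr|bat|com|vbs)"?(?:\s*;|\s*$)',
    re.IGNORECASE,
)
# TOP <msg> <n> returns the headers plus the first n body lines.  The attachment's
# own Content-Type/Disposition headers live in the body, usually a few dozen
# lines in, so this is the "partial download" the thread mentions.
BODY_LINES = 60


def unfold(lines):
    """Join RFC 2822 folded header lines (continuations start with whitespace)."""
    out = []
    for raw in lines:
        line = raw.rstrip(b"\r\n")
        if line[:1] in (b" ", b"\t") and out:
            out[-1] += b" " + line.strip()
        else:
            out.append(line)
    return out


def has_exe_attachment(top_lines):
    """True if any unfolded header line in a TOP response names an executable."""
    return any(EXE_RE.search(line) for line in unfold(top_lines))


def sweep(pop, dry_run=False):
    """TOP every message and DELE those with executable attachments; returns the
    flagged message numbers.  `pop` only needs poplib.POP3's list/top/dele
    methods, so a fake works offline.  DELE is only committed by QUIT."""
    flagged = []
    _resp, listing, _octets = pop.list()
    for entry in listing:
        num = int(entry.split()[0])
        _resp, lines, _octets = pop.top(num, BODY_LINES)
        if has_exe_attachment(lines):
            flagged.append(num)
            if not dry_run:
                pop.dele(num)
    return flagged


class FakePOP:
    """Offline stand-in for poplib.POP3 holding constructed sample messages."""
    def __init__(self, messages):
        self.messages = dict(enumerate(messages, start=1))
        self.deleted = []
    def list(self):
        return b"+OK", [b"%d 0" % n for n in self.messages], 0
    def top(self, num, howmuch):
        msg = self.messages[num]
        return b"+OK", msg[: msg.index(b"") + 1 + howmuch], 0
    def dele(self, num):
        self.deleted.append(num)
        return b"+OK"


# Constructed samples: a fake-patch worm mail, and a legitimate text attachment
# whose name merely contains ".exe" (must not be deleted).
WORM = [
    b"Subject: Latest Internet Security Update",
    b'Content-Type: multipart/mixed; boundary="b1"',
    b"",
    b"--b1",
    b"Content-Type: application/octet-stream;",
    b'\tname="Q123456.exe"',
    b"Content-Disposition: attachment;",
    b'\tfilename="Q123456.exe"',
]
LEGIT = [
    b"Subject: notes attached",
    b'Content-Type: multipart/mixed; boundary="b2"',
    b"",
    b"--b2",
    b'Content-Type: text/plain; name="notes.exe.txt"',
]


def demo():
    """Sweep the constructed mailbox; returns (flagged, deleted)."""
    pop = FakePOP([WORM, LEGIT])
    return sweep(pop), pop.deleted


if __name__ == "__main__":
    print(demo())  # ([1], [1]): worm mail flagged and deleted, text file kept
    # Real use, run before fetchmail (placeholders): pop = poplib.POP3("pop.example.invalid")
    # pop.user("hans"); pop.pass_("secret"); sweep(pop); pop.quit()
```

Two things to keep in mind when running this for real: a message whose first text part is longer than BODY_LINES will hide its attachment headers from TOP, so the sweep errs on the side of leaving mail alone, and the regular expression deliberately rejects only names that end in a listed extension, so "notes.exe.txt" survives. Deletions are only committed when QUIT is sent, which is why a dropped dial-up connection during the sweep loses nothing.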
On Thu, 2003-09-25 at 01:30, Carlos E. R. wrote:
No, they are not downloaded. Fetchmail attempts to stop as soon as postfix tells it the mail is rejected, and that happens when it sees the offending mime header.
However, it doesn't seem to happen as fast as it should.
I thought that postfix only got to see the mail after fetchmail has downloaded it. OK, so let me see if I understand this correctly. Fetchmail starts downloading the message, and as it comes in it sends it on to postfix. Postfix sees this message is bad news and warns fetchmail. Fetchmail aborts. Is this correct?

Now just one problem - I use sendmail. For some reason, since SuSE 8.2 refuses to drop the mail in my local mailbox. It happened on the first install, and on a re-install. No idea why, but I simply told yast2 to use sendmail instead, and now it works.

Thanks again for your replies. I think the worst of this one is over - I only got about 8 of them today - but I'll figure out how to implement all the suggestions in sendmail for the next round... :-)

Thank you!
Hans
The 03.09.25 at 23:15, H du Plooy wrote:
I thought that postfix only got to see the mail after fetchmail has downloaded it. OK, so let me see if I understand this correctly. Fetchmail starts downloading the message, and as it comes in it sends it on to postfix. Postfix sees this message is bad news and warns fetchmail. Fetchmail aborts.
Is this correct?
Right :-) At least, that is the sequence I see in the logs - I always have the mail.debug log file enabled.
Now just one problem - I use sendmail. For some reason, since SuSE 8.2 refuses to drop the mail in my local mailbox. It happened on the first install, and on a re-install. No idea why, but I simply told yast2 to use sendmail instead, and now it works.
Er... you don't mean root mailbox? It will not work. It is documented in the postfix FAQ that if you use postfix and procmail, postfix will be unable to deliver mail to "root"; it will instead be delivered to "nobody". You have to set up a mail alias for "root" instead. It seems that root should not read his email, anyway, because root should not be working as root, anyway X-) -- no, the real reason is that postfix cannot call procmail as user root, so the procmail program cannot read the configuration of "root", or even /etc/procmailrc.

In short: if using postfix and procmail, do not use "/root/.procmailrc", nor "/etc/procmailrc". And set an email alias for root, to a local user that will read the root mail (i.e., yourself).

I know because it happened to me :-)

-- Cheers, Carlos Robinson
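The "second line of defense" Carlos recommends earlier in the thread, Postfix rejecting a message on the offending MIME header, looks like the following on Postfix 2.0 or later. This is an added example for this page, not Carlos's own configuration; the extension list beyond .exe is an assumption, and the pattern is modelled on the one in the Postfix header_checks(5) manual page:

```text
# /etc/postfix/main.cf
# mime_header_checks covers the headers of every MIME part; header_checks
# alone only sees the top-level message headers.
mime_header_checks = regexp:/etc/postfix/mime_header_checks

# /etc/postfix/mime_header_checks
# regexp: tables are case-insensitive by default and need no postmap;
# a line starting with whitespace continues the previous one.
# Run "postfix reload" after editing main.cf.
/^Content-(Disposition|Type):.*name[[:space:]]*=[[:space:]]*"?(.*\.(exe|pif|scr|bat|com|vbs))"?/
    REJECT Attachment name "$2" may not end with ".$3"
```

One caveat a dial-up user should know: Postfix returns the REJECT at the end of the SMTP DATA phase, after it has received the whole message from fetchmail, so the attachment's bytes still cross the modem link. What this rule buys is that the message never reaches the local mailbox and fetchmail gets a permanent 5xx reply instead of a delivery; the bandwidth saving still has to come from deleting on the POP server, as Carlos says.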
On 10/01/2003 10:08 AM, Carlos E. R. wrote:
In short: if using postfix and procmail, do not use "/root/.procmailrc", nor "/etc/procmailrc". And set an email alias for root, to a local user that will read the root mail (ie, yourself).
I know because it happened to me :-)
My postfix/procmail reads /etc/procmailrc just fine. :-\

joe@jmorris:~> ls -l /etc/procmailrc
-rw-r--r-- 1 root root 1215 2003-05-11 13:37 /etc/procmailrc

I doubt it could read /root/.procmailrc though. That is how I have my system wide Spamassassin working. I do have a root alias for root's mail. Just FYI. ;-)

-- Joe Morris New Tribes Mission Email Address: Joe_Morris@ntm.org Web Address: http://www.mydestiny.net/~joe_morris Registered Linux user 231871 God said, I AM that I AM. I say, by the grace of God, I am what I am.
The 03.10.01 at 20:09, Joe Morris (NTM) wrote:
My postfix/procmail reads /etc/procmailrc just fine. :-\
I know that for some people it works; but it is contrary to the documented behaviour on the postfix faq. Perhaps you have the file world readable. -- Cheers, Carlos Robinson
On 10/08/2003 08:02 PM, Carlos E. R. wrote:
The 03.10.01 at 20:09, Joe Morris (NTM) wrote:
My postfix/procmail reads /etc/procmailrc just fine. :-\
I know that for some people it works; but it is contrary to the documented behaviour on the postfix faq. Perhaps you have the file world readable.
It is 644, which appears to be the default mask, as most of the files in /etc are the same. -- Joe Morris New Tribes Mission Email Address: Joe_Morris@ntm.org Web Address: http://www.mydestiny.net/~joe_morris Registered Linux user 231871 God said, I AM that I AM. I say, by the grace of God, I am what I am.
* Joe Morris (NTM)
On 10/08/2003 08:02 PM, Carlos E. R. wrote:
The 03.10.01 at 20:09, Joe Morris (NTM) wrote:
My postfix/procmail reads /etc/procmailrc just fine. :-\
I know that for some people it works; but it is contrary to the documented behaviour on the postfix faq. Perhaps you have the file world readable.
It is 644, which appears to be the default mask, as most of the files in /etc are the same.
I don't even have an /etc/procmailrc file. Everything works from ~/procmailrc and a couple of include files. fetchmail --> postfix --> procmail note: single user with a separate kmail for my wife -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org
On Wed, 2003-10-01 at 04:08, Carlos E. R. wrote:
Now just one problem - I use sendmail. For some reason, since SuSE 8.2 refuses to drop the mail in my local mailbox. It happened on the first install, and on a re-install. No idea why, but I simply told yast2 to use sendmail instead, and now it works.
Er... you don't mean root mailbox?

Nope, root doesn't receive any mail, except of course what the system itself sends to root (I check every once in a while, but there's never anything important).
In short: if using postfix and procmail, do not use "/root/.procmailrc", nor "/etc/procmailrc". And set an email alias for root, to a local user that will read the root mail (ie, yourself).

Thanks, I'll keep this in mind if I ever set up a system where this might be necessary.
The good news is that my mail provider seems to have started filtering this virus out. That, or it's simply over. I've only received one since yesterday!

Thanks for the replies
Hans
participants (8)
- Carlos E. R.
- david stevenson
- gary
- gary
- gv-dated-1064422650.epplimih@mygirlfriday.info
- H du Plooy
- Joe Morris (NTM)
- Patrick Shanahan