Mailinglist Archive: opensuse-security (343 mails)

Re: [suse-security] unwanted virus infected email spam
  • From: Rainer Link <link@xxxxxxx>
  • Date: Wed, 18 Jul 2001 16:17:04 +0200 (CEST)
  • Message-id: <Pine.LNX.4.33.0107181558590.3971-100000@xxxxxxxxxxxx>
On Wed, 18 Jul 2001 michael.ryan@xxxxxxxx wrote:

> I did try adding a REJECT rule for hahaha@xxxxxxxxxxx to /etc/mail/access -
> this seemed to work for a week or two but the problem has since returned.
> Any ideas as to what I might try next as this kind of mindless activity
> really does my head in ...

I doubt this works. IIRC the Hybris worm uses an empty envelope address
(MAIL FROM: <>) and /etc/mail/access matches envelope addresses only (and
not the From: line in the message itself). But blocking mails with empty
MAIL FROM violates RFC 1123.

This is/was discussed again and again in comp.mail.sendmail, please
read through
http://groups.google.com/groups?q=sexyfun.net&safe=off&btnG=Google+Search&meta=site%3Dgroups%26group%3Dcomp.mail.sendmail

You may write your own sendmail milter (sendmail shipped on SuSE 7.2 comes
with libmilter support) which checks if From: matches, after the
complete header of the mail has been transferred (the xxfi_eoh callback)
and then discards the message by simply returning SMFIS_REJECT or
SMFIS_DISCARD. (no I haven't tried that myself yet)

best regards,
Rainer Link

--
Rainer Link | SuSE - The Linux Experts
link@xxxxxxx | Developer of A Mail Virus Scanner (amavis.org)
www.suse.de | Founder OpenAntiVirus Project (www.openantivirus.org)
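
The header check suggested in the reply above, as an added example that is not part of the original mail and not sendmail or SuSE code. It shows only the per-message decision logic a milter's xxfi_header and xxfi_eoh callbacks would run. Assumptions: the libmilter glue (SMFICTX, smfi_register, the real SMFIS_* return codes) is replaced by local stand-ins so the file builds without the library, and the blocked address is a constructed placeholder because the one in the thread is redacted.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed placeholder; the address in the thread is redacted. */
#define BLOCKED_FROM "hahaha@blocked.example"

/* Stand-ins (assumptions) for SMFIS_CONTINUE / SMFIS_DISCARD and smfi_setpriv() data. */
enum verdict { VERDICT_CONTINUE, VERDICT_DISCARD };
struct msg_state { int from_blocked; };

/* Case-insensitive string equality. */
static int ieq(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == '\0' && *b == '\0';
}

/* Copy the address from a From: value: the text inside <...>, else the trimmed value. */
static void extract_addr(const char *value, char *out, size_t outlen)
{
    const char *start = strrchr(value, '<'), *end = NULL;
    if (start != NULL && (end = strchr(start, '>')) != NULL) start++;
    else { start = value; end = value + strlen(value); }
    while (start < end && isspace((unsigned char)*start)) start++;
    while (end > start && isspace((unsigned char)end[-1])) end--;
    size_t n = (size_t)(end - start);
    if (n >= outlen) n = outlen - 1;
    memcpy(out, start, n);
    out[n] = '\0';
}

/* Runs once per header line, as xxfi_header does; records a From: match. */
void on_header(struct msg_state *st, const char *name, const char *value)
{
    char addr[256];
    if (!ieq(name, "From")) return;
    extract_addr(value, addr, sizeof addr);
    if (ieq(addr, BLOCKED_FROM)) st->from_blocked = 1;
}

/* Runs after the last header, as xxfi_eoh does; returns the verdict for the message. */
enum verdict on_eoh(const struct msg_state *st)
{
    return st->from_blocked ? VERDICT_DISCARD : VERDICT_CONTINUE;
}

/* Envelope-only comparison, the kind of match the reply attributes to /etc/mail/access. */
int envelope_matches(const char *mail_from) { return ieq(mail_from, BLOCKED_FROM); }
```

With an empty envelope sender (MAIL FROM: <>), `envelope_matches("")` returns 0 while the header path still flags the message, which is the gap the reply points out.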

