Sat Jan 31 2004, 6:10 AM
A simple program for classifying email bounces, executable code, and more or less anything. Written after MyDoom became the Microsoft® Worm-of-the-week™ and the users were flooded by bounced messages faked by the worm, the worm itself, and other shrapnel.
The code was written in a few hours, including analysis of the problem, in order to spoil my users who were complaining mightily about the worm outbreak and its collateral damage. It's quick and dirty and born from an immediate need. It's designed to pose a minimal load for the machine.
It's designed to work together with the Garlic2 POP3 filter and an executable-file-refusing patch on qmail-smtpd, as one more layer of protection.
Partially inspired by the VirusBounceRules ruleset for SpamAssassin.
An email is fed to the program's stdin. A series of comparisons is run against the first 32k of the message only (if a signature is present, it will be there), in order to save system resources.
In passthru mode the mail is piped through; if there is a match, a header is added, otherwise the mail is unchanged.
In classify mode the match value is output to stdout.
Takes a mail message on stdin, adds header if match found (when piped) or outputs the match to stdout.
Parameters:
  -p            passthru mode - pipes message to stdout, adds header if match
  -c            classify mode (default) - outputs classification to stdout
  -r            set result code to 1 if match found
  -l            log match to syslog
  -H <header>   sets header to add if match
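The behaviour described above (scan only the first 32k, classify or pass through with an added header, -r/-l/-H switches), sketched as an added Python example; this is not the original program's code, and the three signatures are constructed for illustration, not the author's ruleset.

```python
import sys
import re
from typing import Optional

# Constructed signature table for this example: (label, pattern).
SIGNATURES = [
    ("BOUNCE", re.compile(rb"report-type=delivery-status", re.I)),
    ("BOUNCE", re.compile(rb"^Subject: .*(?:returned mail|delivery failure|undeliverable)", re.I | re.M)),
    ("EXECUTABLE", re.compile(rb'name="?[^"\r\n]+\.(?:exe|scr|pif|com|bat|cmd)"?', re.I)),
]
SCAN_LIMIT = 32 * 1024              # only the first 32k is examined
DEFAULT_HEADER = "X-Mail-Classifier"  # assumed default header name

def classify(message: bytes) -> Optional[str]:
    """Return the label of the first matching signature, or None."""
    window = message[:SCAN_LIMIT]
    for label, pattern in SIGNATURES:
        if pattern.search(window):
            return label
    return None

def passthru(message: bytes, header: str = DEFAULT_HEADER) -> bytes:
    """Return the message unchanged, or with a header prepended on a match."""
    label = classify(message)
    if label is None:
        return message
    return f"{header}: {label}\r\n".encode() + message

def main(argv: list) -> int:
    mode, result_code, log, header = "classify", False, False, DEFAULT_HEADER
    args = iter(argv)
    for arg in args:                      # -p -c -r -l -H <header>
        if arg == "-p": mode = "passthru"
        elif arg == "-c": mode = "classify"
        elif arg == "-r": result_code = True
        elif arg == "-l": log = True
        elif arg == "-H": header = next(args)
    message = sys.stdin.buffer.read()
    label = classify(message)
    if mode == "passthru":
        sys.stdout.buffer.write(passthru(message, header))
    elif label:
        print(label)
    if log and label:
        import syslog
        syslog.syslog(f"mail classifier match: {label}")
    return 1 if (result_code and label) else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```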
Specifically designed for use with procmail.
Sample entry follows: