qmail - filtering unwanted mail take 2
sheila
07-26-2001, 01:07 AM
For those on TAZ, SIX, NINE, SEVEN, ASTRO
----------
Edit Added By Deb
.
UPDATE SIX is no longer included in this list.
The upgrades on SIX have put the SIX Server in the "NEWER SERVER" Category.
Reference: http://www.aota.net/forums/showthread.php?s=&threadid=8802
----------
Near as I can tell, the "bouncesaying" command mentioned in some other threads, such as this one:
http://www.aota.net/forums/showthread.php?s=&threadid=8332
is not available. (Apparently we have an older version of Qmail that doesn't have that command.)
However, there is a command called "condredirect"
This will allow you to redirect an e-mail to an alternate address under certain conditions. The .qmail file needs this command:
|condredirect newaddress program [ arg ... ]
where "newaddress" is the address you would like to redirect the mail to, and program is some program that you specify. What the program needs to do, is make some test to determine whether to redirect the mail or not. The program tells Qmail whether or not to redirect, based on the exit code that it gives.
(See the man page for condredirect here: http://www.qmail.org/man/man1/condredirect.html )
Anyhow, I wrote myself a Python script and tested this. If you would like to simply redirect mail to another address, based on the email address in the from field of the e-mail, you can do this:
Save the Python script below in your /big/dom/xdomain directory as redir.py. Make sure to transfer the file in ASCII format. 644 permissions are fine.
import sys
import rfc822
# read just the headers of the message that qmail pipes in on stdin
headers = rfc822.Message(sys.stdin, 0)
name, email = headers.getaddr("From")
# exit 0 tells condredirect to redirect the mail; exit 1 lets delivery continue
if email == "spammer@baddomain.com":
    sys.exit(0)
else:
    sys.exit(1)
Change the e-mail address in quotes in the script above (i.e. "spammer@baddomain.com") to whatever the bad e-mail address is that you do not wish to receive mail from. Make sure to keep it in quotes.
Create a .qmail-username file in your /big/dom/xdomain directory and in that file put:
|condredirect newaddr@somedomain.com /usr/bin/env python /big/dom/xdomain/redir.py
|vdeliver
You need to replace newaddr@somedomain.com with the address that you would like the spam redirected to. (I suggest, if it is mail that you don't want, that you simply create a blackhole address as was suggested here:
http://www.aota.net/forums/showthread.php?s=&threadid=5215&highlight=%2Anull%2A+%2Adev%2A+%2Amail )
And also change the directory so that the xdomain is replaced with the actual x-directory for your domain name.
Now, if e-mail gets sent to that username@yourdomain.com from spammer@baddomain.com it will be redirected to newaddr@somedomain.com
I have tested this out on my account on NINE. I would imagine that this should work the same for those on TAZ, SIX, SEVEN and ASTRO. For the newer servers, maybe you need to change that line in the .qmail file from
|vdeliver
to
|/usr/bin/vdeliver
I only suggest that, since that's the way several of Bruce's examples have looked, but I have no way of testing on those machines. So, I guess, try it yourself. By the way, the condredirect Qmail command should be available on all the servers.
sheila
07-26-2001, 01:04 PM
OK, because in this post:
http://www.aota.net/forums/showthread.php?s=&postid=50454#post50454
Monty writes:
What I need to help me is a simple server level filter that allows multiple email addresses and even entire domains to be sent to a black hole and I won't come crying foul if it gets some it isn't supposed to. It would also have to be server friendly.
OK, I beefed up my previous sample in the message above.
Here is the newer, more powerful version of redir.py:
# list all the e-mail addresses in BadFromList that
# if they appear in the FROM field of the e-mail message
# you will want to redirect them. enclose each addy in quotes
# separate them with commas, and put an open bracket before the
# first one and a closing bracket after the last one.
# They can be on separate lines (as shown below) or on a single
# line (if the list is short)
BadFromList = ["spammy1@domain1.com",
               "spammy2@domain2.com",
               "spammy3@domain3.com"]
# For any domains from which you wish to redirect any and
# all mail that you receive from that domain, list them
# in the BadDomains list. Same as for BadFromList (separate
# with commas, enclose in quotes, etc...)
# If you have no such domains, then replace with an empty set
# of brackets like this:
# BadDomains = []
BadDomains = ["hotmail.com", "spammer.net"]
import sys
import rfc822
import string
headers = rfc822.Message(sys.stdin, 0)
name, email = headers.getaddr("From")
# no usable From: address (or no @ in it): let the mail through
if not email or '@' not in email:
    sys.exit(1)
# addresses and domains are not case sensitive, so compare in lower case
email = string.lower(email)
domain = string.split(email, '@')[-1]
if email in map(string.lower, BadFromList):
    sys.exit(0)
elif domain in map(string.lower, BadDomains):
    sys.exit(0)
else:
    sys.exit(1)
So, in your .qmail-username file, you put:
|condredirect blackholeaddy@yourdomain.com /usr/bin/env python /big/dom/xdomain/redir.py
|vdeliver
Or possibly that last line above should be
|/usr/bin/vdeliver
(see comments in previous post above...also see link above on how to create a black hole address...)
Then all the mail sent to username@yourdomain.com from
spammy1@domain1.com, spammy2@domain2.com and spammy3@domain3.com
will all be redirected to blackholeaddy@yourdomain.com
As will any mail from hotmail.com and spammer.net (as the script is shown above...obviously modify those lines if you still want to receive e-mail from people who use hotmail.com and spammer.net).
Obviously USE AT YOUR OWN RISK. I've tested this on my account on NINE and it is a straight-forward script. I don't foresee anything going wrong.
If you don't want to risk deleting mail that you might actually want, get a free e-mail account somewhere like hotmail or yahoo, and redirect the e-mail there (instead of to a black hole), and you can always go there, look at the message subject/to/from and decide whether you want to delete the mail or not. (The "select all"/"delete" option on some of those web interfaces is nice! ;) )
If anyone uses this and finds it useful, let me know! Likewise, if you try to use it, and have a problem and need some help, give me a shout.
Note: It would probably be better to bounce the messages than simply delete them. At least the system sending you the mail would get them all back, and maybe the sysadmin there would do something about it, in that case. Until Qmail is upgraded on the older systems, though, and the "bouncesaying" command is available, this is probably the simplest thing to do...simply deleting the messages silently.
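Added example (not part of the original thread or of sheila's scripts, which are written for the Python 1.5/2 interpreter on those hosts): the same address/domain black-list decision from the two posts above, written for Python 3 with the standard `email` module. The exit codes follow condredirect(1) as described in the thread (0 = redirect, 1 = carry on with the rest of the .qmail file). The list contents, the hypothetical `.qmail` line `|condredirect blackhole@yourdomain.com /usr/bin/env python3 /big/dom/xdomain/redir.py`, and the lower-case comparison are assumptions added here.

```python
import sys
from email import message_from_bytes
from email.policy import default
from email.utils import parseaddr

# Constructed placeholder lists (assumption): edit to taste. Entries are
# compared case-insensitively, so write them in lower case.
BAD_FROM = {"spammy1@domain1.com", "spammy2@domain2.com", "spammy3@domain3.com"}
BAD_DOMAINS = {"hotmail.com", "spammer.net"}

# condredirect(1): program exit 0 -> redirect to newaddress; exit 1 -> carry
# on with the remaining lines of the .qmail file (normal delivery).
REDIRECT, DELIVER = 0, 1


def sender_address(raw: bytes) -> str:
    """Lower-cased address from the From: header, or '' if missing/unparsable."""
    msg = message_from_bytes(raw, policy=default)
    _name, addr = parseaddr(str(msg.get("From", "")))
    return addr.lower()


def should_redirect(raw: bytes, bad_from=BAD_FROM, bad_domains=BAD_DOMAINS) -> bool:
    """True when the From: address, or its domain, is on one of the lists."""
    addr = sender_address(raw)
    if "@" not in addr:
        return False          # no usable From: address: let qmail deliver it
    domain = addr.rsplit("@", 1)[1]
    return addr in bad_from or domain in bad_domains


if __name__ == "__main__":
    # qmail pipes the whole message (headers and body) to the program on stdin.
    sys.exit(REDIRECT if should_redirect(sys.stdin.buffer.read()) else DELIVER)
```

Note that this, like the original, only looks at the From: header, which the sending side writes and can forge at will; the envelope sender that qmail exposes in the SENDER environment variable (used in the later script in this thread) is the other value worth checking.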
Monty
07-26-2001, 01:27 PM
Thank you Sheila!!
I just installed this on SEVEN and want to add a few more hints.
The name of the redirect file is redir.py (nothing after the py)
In the .qmail-username file, the domain name has to be your primary domain, even if the mail is coming to an IRM account. The ending of that file that worked on SEVEN is
|vdeliver
To get CUTE FTP 4.0 to properly upload these files, I used a .txt ending and once they were on the server, renamed them w/o the .txt ending.
Thanks a whole bunch, Sheila, my life just got a lot easier due to your efforts. As of this morning, I have gotten 2 more of the Sircam emails, and now have an effective way to blackhole them.
This afternoon, I will be installing your script on Phoenix, and will post the settings that work there.
Mont
sheila
07-26-2001, 01:38 PM
You're welcome! Cool. Glad this helps you out. :D
Monty
07-26-2001, 05:20 PM
Sheila,
The setup on Phoenix worked with the |vdeliver ending line, just fine.
Thanks again, I just got 12 megs of this virus, and with any luck can start knocking it down in style along with register.com and a few dozen other blatant spammers.
Mont
sheila
07-26-2001, 06:35 PM
mE
Wow. That's cool! :cool:
I would guess not knowing Python but knowing some coding, that if one wanted to create a White List method instead of a Black List, you just put the people you want to receive email from in the list and then reverse the conditions...?
Thanks.
David
OK, I admit, I'm stupid. And slow, too. As I see it, the solution offered by Sheila could be achieved by using Outlook's filters as well (and I suppose other e-mail programs have similar features, too). Why do we need a server-level solution here? Just curious. And what do I need to change in this code if I want to use it to trap this latest disease, the Sircam virus (worm?). Because I can't get my Outlook to delete it from the server (yes, I ticked the box to delete anything that has "I send you this file in order to have your advice" in the message body). Downloaded the latest definitions for Norton AV - doesn't detect them (OK, I don't really want detection - I can more or less recognise them by now). Could this be the reason for using a server-level solution for the problem above - that Outlook's filters sometimes fail?
I only dared to ask these questions because I read somewhere that the only stupid question is the one unasked ...
Elek
Elek my not so knowledgeable reply would be that why not delete it from the server before you ever bother downloading it from the server in the first place? Some people are saying that its taking up megabytes of thier disk space so then you save not only diskspace but download time as well.
The thing is though in order to search subject lines as well if the spammer is not in the address list then you would need to add additional code to search for keywords in the subject line. And thats a good idea considering that with this virus the subject line changes a lot. I wonder if the code could be modified to search for the title of the attachment which may stay the same if the subject changes?
David
David,
Thanks for your input. No, I wouldn't want to download spam (or viruses, for that matter), so I have my filters set to "delete from server" for a number of e-mail addresses and subject lines.
In the case of the Sircam virus, you can't set the sender e-mail addresses, subject lines or attachment file names to be deleted, because they are always different. The only unchanged pattern is the text contained in the message ("I send you this file in order to have your advice" etc.).
I've just seen this solution on the Burst! messageboard, but I don't know if it works on FQ servers or how to use it. It says I should add the following lines to my .procmailrc file:
:0 B
* ^I.send.you.this.file.in.order.to.have.your.advice
{
  LOG="Ex/Pt "
  :0
  /dev/null
}
Does this look like a solution to those who understand what it means?
Elek
Monty
07-27-2001, 05:47 PM
Elek,
Since SirCam is so good at getting into folks address books, and since I have personally gotten as many as 8 emails from the same person that got it, I wanted to get it off the server and not deal with downloading it. First, it was taking up storage space, second, I am on a dialup and it took a long time to download, and finally, any time I was downloading it, my computer was very prone to lockups.
Sheila's filter takes any domain or email address and dumps mail from it into a black hole or forwards it to any other email address, before you ever download it. I dumped mine into a black hole and am done with it. It does require a bit of skill to set up, but definitely does do the trick, at least for me. I spent the last 7 days dealing with this mess, and today is the first day in a week I have been rid of it.
If you post the domain you are wanting to install it on (has to be on FQ), what email address you want the spam sent to, and what address you want to block, I or someone else can post the exact coding you will need.
Mont
Monty,
Thanks for your offer to help. I know how serious this problem is - I've been getting over 30 copies of the d**** thing every day for the past week, and one attachment was over 1 meg in size, and I'm on dialup too! (I was promised my ADSL by the end of this month - no news yet!) But if you set messages from the offending addresses "delete from server" in Outlook, I think it will achieve the same result - no downloading. Two problems: A) you will get the same virus from all the other addresses out there in the world, and B) these guys have you in their address books for a reason - maybe they will want to contact you with legitimate things in the future, which you'll miss. Does anybody know that if you reply to these messages with a brief warning that they are infected they will get the reply? I'm pretty sure 99% of the people spreading the virus are innocent and should be notified of the problem.
Elek
Maynard
07-27-2001, 06:38 PM
I've seen it reported elsewhere, and in my experience, that SirCam uses
a lower case 'd' in the "Date: " header string.
I'm not sure if this makes it out of "compliance", but it is out of "ordinary".
Another reported pattern match is
Content-Type: multipart.*"----[A-F0-9]+_Outlook_Express_message_boundary"
-Maynard
Monty
07-27-2001, 07:02 PM
Elek, try this out http://www.aota.net/Email/ScanMail.php3 and see if it helps. I am going to download it right now and see if it does what it says. To your question of server and other filters, yes, I think you are going to miss some email. Personally, until this #$%^## thing blows over, I am perfectly willing to take that risk. I may back some of my filters off, at a later date, but for now, NO way. Terra has been kind enough to let site owners use server based filters, and while FQ cannot openly support what I and others have done, they have also not restricted us either.
Mont
----is a good knife sharp, or a sharp knife a danger? It depends upon the user, I think...:) Filters have become the sharpest knife I know in the last week's war on this mess.
Hi Monty, Elek and everyone.
I sure hope you all won't shoot the bearer of bad news but according to some articles I have read today, many experts expect this to level off some this weekend.
However they expect an upsurge in activity again starting Monday :(
http://dailynews.yahoo.com/h/cn/20010727/tc/sircam_worm_built_to_last_1.html
I can tell you that almost 50% of my day, today and yesterday, in the service desk has been devoted to dealing with related issues, and this bugger is really worldwide and wreaking havoc for many people/businesses.
I would highly recommend downloading POP3 Scan Mail box as it has worked for many since Terra found it and we posted the tutorial. I had occasion to use it myself last week as my wife's computer got hung up downloading an email with a virus in it.
http://www.aota.net/Email/ScanMail.php3
The best of luck to everyone,
Bob
- This has gotten past the joke stage, that's for sure -
Monty
07-27-2001, 08:10 PM
I am gonna eat some crow here and go on the record as saying that download is worth the time in this WAR!
Here is how it worked for me.
I went to download, and it initially indicated 48 minutes time. I am at home on a 28,800 phone line hookup, with an old 233 workhorse. I simply sighed this time, and said "Oh well". Shortly afterwards, the estimated time went steadily down, and the download is maybe 15 minutes. That might have happened when I tried it from my good hookup at the office, but that day I was enraged by all this and 45 minutes was not an option.
Installation, is a breeze. I didn't have to download the .dll file from Microsoft.
Setup is hard. I found it easier to set up my ISP POP box, than my FQ box, but I did manage to get both to work. I don't think this is a security risk to reveal, but if it is PLEASE edit this, Bob.
FQ settings that worked for the "classic servers" (like that Deb?)
pop.outdoorsshow.com
xoutdoorsshow-monty (IRM accounts, use main account info!)
and then I entered my password (CaSe sensitive!!)
At no point did I ever have to enter the actual email of monty@2coolfishing.com (an IRM mailbox of outdoorsshow.com)
The button that looks like a thunderbolt hooks you up, and the button that looks like glasses lets you see the message.
After that, it gets pretty easy. Red buttons delete this mess.
I am still taking the spammer's email address, and putting it into the filter.
My reasoning is that I would rather not get email from them again. EVER.
That being said, this is another very good tool, try it out.
If you are to the level as webmaster of ever having installed your own script, try Sheila's filter and become your own boss at server level email filtering. I have been working with PERL scripts for about 2 years, and installed it in about an hour or so.
Mont
......from thinking internet was greek to knowing I only know a tiny bit, all in only 2 years and 12 million keystrokes. hmmm ;)
Edited..
From Bob's Link:
An added twist with SirCam is that it sends a randomly chosen file from the infected computer's hard drive, potentially sending confidential business data or embarrassing personal information along with itself. The e-mail subject line matches the name of the file being sent
The social engineering in this one, had me to the point of boiling. The size of the attached file will/can be the max size of attachments that ISP's allow. I got 12 megs worth in 2 hours. Unbelievable.
end edit.
sheila
07-27-2001, 08:47 PM
I would guess not knowing Python but knowing some coding, that if one wanted to create a White List method instead of a Black List, you just put the people you want to receive email from in the list and then reverse the conditions...
Well, sort of, I guess. I'm not sure what you want to achieve, but something like that is certainly possible.
The key to the redirect command from Qmail is this:
If the program exits with a zero code, then it WILL redirect to the newaddress. If the program exits with certain codes, it indicates errors (either hard errors, soft errors, or retry), and other than that, it will not redirect.
So, I set it to exit with a code of one for the not re-direct option. (I figure this is a safe code for that case.)
Essentially, it is possible to scan the email for either Black list or white list, to scan on any of the message headers (Subject, To, From, etc...) and even (if desired) to scan the message body for certain strings.
I've offered before to help with Python scripts, and the offer still stands. I personally use a Python script with black lists and white lists on my own site, but it's quite a bit more complicated than the one I posted here. I think that I am the official FQ Python Cheerleader, though, and I will be very glad to support anyone in working with this type of stuff.
Elek writes:
I've just seen this solution on the Burst! messageboard, but I don't know if it works on FQ servers or how to use it. It says I should add the following lines to my .procmailrc file:
:0 B
* ^I.send.you.this.file.in.order.to.have.your.advice
{
  LOG="Ex/Pt "
  :0
  /dev/null
}
If anyone here at FQ has figured out how to use Procmail on these servers, please SPEAK UP! (Up to this point, I've not seen anyone admit it publicly, although it has certainly been discussed before and assistance requested.)
If you want to specifically search the message body for that particular string:
"I send you this file in order to have your advice"
I could show a variation on the script that will catch messages that have that string in it (specifically for the SirCAM virus). Later tonight I'll post something about that. (It's only 5:45 pm here in Calif. ..gotta take my little one to the park right now...)
Monty
07-27-2001, 09:05 PM
Sheila, the SirCam variation and whitelist (read secure line in my book) scripts would be great. I am heading offshore at sunrise, but if you wish to post them, I would like to try them out on Monday. Your last one has been a big hit within my circles, and saved us all a lot of grief. Thanks again for such a nice gift.
Take time with your child, one of mine likes fishing, and one likes horses. They sure grow up fast.
Mont
sheila
07-28-2001, 01:38 AM
OK, here is a Python script that checks only for the SirCAM virus and nothing else:
lines = ["I send you this file in order to have your advice",
         "I hope you like the file that I sendo you",
         "This is the file with the information that you ask for",
         "I hope you can help me with this file that I send",
         "Te mando este archivo para que me des tu punto de vista",
         "Este es el archivo con la informacion que me pediste",
         "Espero te guste este archivo que te mando",
         "Espero me puedas ayudar con el archivo que te mando"]
import sys
import rfc822
import string
# read (and ignore) the headers, then look only at the start of the body
headers = rfc822.Message(sys.stdin, 0)
bodyStart = sys.stdin.read(2000)
for line in lines:
    if string.find(bodyStart, line) > -1:
        sys.exit(0)     # one of the SirCam lines was found: redirect/bounce
sys.exit(1)             # nothing found: deliver normally
How it works:
The list of lines at the top of the script (8 of them) is the set of possible second lines of text in the message body preceding the file attachment (according to this website:
http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=TROJ_SIRCAM.A&VSect=T )
What this script does, is read in the message headers (but it ignores them, since the virus will have different To:, From:, and Subject: fields almost every time), and then it reads in only the first 2000 bytes of the message body.
After reading in the beginning of the message body, it then checks for each of the eight possible second lines, whether that line occurs in the message's beginning. If yes, it exits with a code of zero.
If none of the eight lines are found in the message body, it exits with a code of one.
How you can install and use it
You need to use a .qmail file, as discussed earlier in this thread, and in several of the related threads on this recent topic.
You have a choice, if you are not on TAZ, SIX, NINE, SEVEN or ASTRO of using either the Qmail condredirect or the Qmail bouncesaying commands. (Those on the servers mentioned above only have choice of condredirect until the server upgrades put the new Qmail version in place. For SIX that will be very soon!)
condredirect will redirect certain messages to a new email address.
bouncesaying will bounce the message.
So, save the script at the beginning of this message as sircamscan.py in your /big/dom/xdomain directory (make sure to upload it in ASCII text mode!). You can save it with 644 permissions. That should be fine.
Then, create a .qmail file. If you want to do bouncesaying, do something like this:
|bouncesaying "SirCAM virus rejected" /usr/bin/env python /big/dom/xdomain/sircamscan.py
|vdeliver
Qmail docs on the bouncesaying command are here:
http://qmail.org/man/man1/bouncesaying.html
Personally, I think that bouncing the message back is the best action, since the mail author or the system admin of the sending system will then recognize there is a problem and hopefully deal with it. But, we don't all have that option at this time.
So, if you want to do the condredirect, create a .qmail file that has this:
|condredirect newaddy@yourdomain.com /usr/bin/env python /big/dom/xdomain/sircamscan.py
|vdeliver
This will redirect the message to newaddy@yourdomain.com. As suggested earlier, you can simply create a black hole addy for that purpose and the messages will be silently deleted.
Qmail docs on condredirect are here:
http://qmail.org/man/man1/condredirect.html
I tested this on my account on NINE (using condredirect only). Assuming the info from that Virus webpage about this SirCAM worm is correct, this does catch messages that contain those lines near the beginning of the message body. All other mails should pass through.
You can have multiple condredirect and bouncesaying lines in your .qmail file.
Hope this helps. :)
sheila
07-28-2001, 06:50 PM
Hey, glad I wrote this script. I just put it up on all my .qmail files. (I have about a dozen...some redirect mail to other people, like my two older children's accounts and so on.)
Would you believe, that even though I wrote it, I hadn't put it on my own site, because I hadn't really received very many copies of this virus. But I got another one of these sircam spams this morning (It seems to be on the rise). So this morning I put the script filter on my main account's .qmail file. But just a few minutes ago, I received one from a student that I taught four years ago (redirects to a different e-mail address of mine). This former student is currently a sophomore at UCLA. Well, that just set off the alarms! I can see me starting to get dozens and dozens from former students. Yikes! I'm afraid that the prediction that Monday is going to be just horrible in terms of this virus, is probably true. I've now filtered all my .qmail files, and don't expect to see this baby again!
sheila
07-29-2001, 02:03 PM
OK, here is the version of the script that I'm running on my site.
I don't feel real good about black-holing mail and not sending any kind of bounce message or notice to the sender. So, I wrote a variation on my last script, that sends a notice to the person who sent you a virus (advising them of their problem and what to do about it), and e-mails me a notice (so that I know I'm still getting this stuff), and THEN black holes the message. (Since I'm using condredirect as opposed to bouncesaying from the Qmail commands.)
I make it available here, in case anyone else is interested.
Note: a line that begins with the symbol # is a comment, which the computer ignores. It is for people to write remarks to other people.
For you to use the script requires editing domains and/or email addys in about five places.
lines = ["I send you this file in order to have your advice",
         "I hope you like the file that I sendo you",
         "This is the file with the information that you ask for",
         "I hope you can help me with this file that I send",
         "Te mando este archivo para que me des tu punto de vista",
         "Este es el archivo con la informacion que me pediste",
         "Espero te guste este archivo que te mando",
         "Espero me puedas ayudar con el archivo que te mando"]
import sys, os
import rfc822, smtplib
import string
from time import strftime, gmtime, time
# RFC 822 style timestamp for the Date: header of the notices sent below
datestamp = strftime("%a, %d %b %Y %H:%M:%S", gmtime(time())) + " -0000"
# this sendNotification function emails a notice to the person who
# sent you the virus infected message, letting them know that they
# are infected and what to do about it.
# edit the From: field replacing you@yourdomain.com with a valid
# email address of your own, which you feel OK distributing to
# the public. Note: bounced and error messages will never reach
# you since the SMTP From address is set to a black hole.
# You can change the notice content if you desire. Put your own
# sig at the bottom.
# don't change any of the smtp settings
def sendNotification(From, To, OrigTo, headers, bodyStart):
    # the blank line after Date: separates the headers from the body
    notice = """\
To: %s
From: you@yourdomain.com
Subject: SirCam Virus Notice
Date: %s

Your computer is infected with the SirCam virus.
This is an automatic notification that has been triggered to
alert you to this situation. It was triggered as a result of your
computer sending a virus infected message to %s.
For more details about this virus, try these links:
http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=TROJ_SIRCAM.A
http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=TROJ_SIRCAM.A&VSect=T
You need to disinfect your computer. Contact the maker of your antivirus
software or your ISP for assistance.
If you are using Microsoft Outlook or MicroSoft Outlook Express as your
mail reader, learn how to set the security settings so that it is not
susceptible to virus attacks. Alternatively, get a "real" mail reader.
Here are some suggested mail readers:
http://www.ritlabs.com/the_bat/
http://www.pocomail.com/
http://www.forteinc.com/agent/index.htm
http://www.pmail.com/overviews/ovw_winpmail.htm
A portion of the original e-mail follows.

signed,
Me

--------------(original mail)-----------------------
%s
%s
""" % (To, datestamp, OrigTo, string.join(headers.headers, ""), bodyStart)
    server = smtplib.SMTP("localhost")
    server.sendmail(From, To, notice)
    server.quit()
# the webHostNotification sends a little e-mail notice to you
# that a sircam virus message was received. It includes a small portion
# of the beginning of the message, so you can see who is sending you
# this stuff. You do not need to change anything here
def webHostNotification(From, To, OrigTo, headers, bodyStart):
    alert = """\
To: %s
From: %s
Subject: SirCam Virus Alert
Date: %s

Another SirCam virus message was received.
It was trapped and an auto notice was mailed to the sender.
The SMTP Envelope Recipient was %s.
Here is the beginning of the original message:

%s
%s
""" % (To, From, datestamp, OrigTo, string.join(headers.headers, ""), bodyStart)
    server = smtplib.SMTP("localhost")
    server.sendmail(From, To, alert)
    server.quit()
# read the headers, then only the first 1024 bytes of the body
headers = rfc822.Message(sys.stdin, 0)
bodyStart = sys.stdin.read(1024)
for line in lines:
    if string.find(bodyStart, line) > -1:
        # qmail-local puts the SMTP envelope addresses in the environment
        OrigRcpt = os.environ['RECIPIENT']
        # on the line below, replace 'domain' with your domain
        # xdomain- should be your VMIP. If your server doesn't
        # use this, never mind.
        OrigTo = string.replace(OrigRcpt, "xdomain-", "")
        OrigSender = os.environ['SENDER']
        # NewSender should be a black hole address. It is for
        # setting the SMTP envelope "from" field, so that all
        # bounce/error messages resulting from sending a notice
        # to the virus spreader do not reach you
        NewSender = "devnull@yourdomain.com"
        # an empty SENDER means the message is itself a bounce, so there
        # is nobody to notify (trying would fail and the virus would be
        # delivered instead of black-holed)
        if OrigSender:
            sendNotification(NewSender, OrigSender, OrigTo, headers, bodyStart)
        # modify the two email addresses below
        # sircamAlert@yourdomain.com is the From address in the notice to you
        # youremail@yourdomain.com is the address that you want the alert mailed to
        # if you do not want to receive alerts, comment out the two lines below
        webHostNotification("sircamAlert@yourdomain.com", "youremail@yourdomain.com", \
                            OrigTo, headers, bodyStart)
        sys.exit(0)
sys.exit(1)
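Added example (not part of the original post; sheila's script above is the real thing for those hosts): the notify-then-redirect step from that script rewritten for Python 3, with the parts a practitioner would want tightened. It uses the empty envelope sender (`<>`) for the notices so that bounces of the notice cannot come back or loop, skips the notice when qmail's SENDER is empty (the message is itself a bounce), and turns a failure to reach the local SMTP server into exit 111 so qmail retries later instead of delivering the virus. Detection of the SirCam lines is taken as given (the `matched` argument); the sending function is injectable so the logic can be exercised without an MTA. `NOTICE_FROM`, `ALERT_TO`, the exit-code constants and the notice wording are assumptions.

```python
import smtplib
import sys
from email.message import EmailMessage
from email.utils import formatdate

# condredirect(1) exit codes as used in this thread: 0 redirect, 1 deliver
# normally, 111 temporary failure (qmail queues the message and retries).
REDIRECT, DELIVER, RETRY = 0, 1, 111

NOTICE_FROM = "you@yourdomain.com"      # placeholder (assumption), as in the thread
ALERT_TO = "youremail@yourdomain.com"   # placeholder (assumption), as in the thread


def build_notice(orig_sender: str, orig_rcpt: str, raw: bytes, limit: int = 1024) -> EmailMessage:
    """Notice to the envelope sender; quotes only the first `limit` bytes of the original."""
    msg = EmailMessage()
    msg["To"] = orig_sender
    msg["From"] = NOTICE_FROM
    msg["Subject"] = "SirCam Virus Notice"
    msg["Date"] = formatdate(usegmt=True)
    msg.set_content(
        "Your computer is infected with the SirCam virus.\n"
        "This automatic notification was triggered by a virus infected message\n"
        "your computer sent to %s.\n\n"
        "--------------(original mail)-----------------------\n%s"
        % (orig_rcpt, raw[:limit].decode("latin-1", "replace"))
    )
    return msg


def build_alert(orig_sender: str, orig_rcpt: str, raw: bytes, limit: int = 1024) -> EmailMessage:
    """Short alert to the site owner so they can see who is still sending this stuff."""
    msg = EmailMessage()
    msg["To"] = ALERT_TO
    msg["From"] = "sircamAlert@yourdomain.com"   # placeholder (assumption)
    msg["Subject"] = "SirCam Virus Alert"
    msg["Date"] = formatdate(usegmt=True)
    msg.set_content(
        "Another SirCam virus message was received.\n"
        "Envelope sender: <%s>\nEnvelope recipient: %s\n\n%s"
        % (orig_sender, orig_rcpt, raw[:limit].decode("latin-1", "replace"))
    )
    return msg


def smtp_send(envelope_from: str, to: str, msg: EmailMessage) -> None:
    """Hand the message to the local MTA. envelope_from '' becomes MAIL FROM:<>."""
    with smtplib.SMTP("localhost") as server:
        server.send_message(msg, from_addr=envelope_from, to_addrs=[to])


def handle(env: dict, raw: bytes, matched: bool, send=smtp_send) -> int:
    """Return the exit code for condredirect given qmail's environment and the verdict."""
    if not matched:
        return DELIVER
    sender = env.get("SENDER", "")
    rcpt = env.get("RECIPIENT", "")
    try:
        if sender:  # empty SENDER = the message is a bounce: nobody to notify
            send("", sender, build_notice(sender, rcpt, raw))
        send("", ALERT_TO, build_alert(sender, rcpt, raw))
    except (smtplib.SMTPException, OSError):
        return RETRY  # MTA unreachable: let qmail retry rather than deliver the virus
    return REDIRECT


if __name__ == "__main__":
    import os
    raw_message = sys.stdin.buffer.read()
    # In a real .qmail deployment the verdict would come from a body scan;
    # here it is passed in by the caller (assumption for this example).
    sys.exit(handle(os.environ, raw_message, matched=True))
```

The empty envelope sender is what RFC 3834 recommends for automatic responses; sheila's script achieves much the same with a black-hole address, which also works but generates a delivery into that mailbox for every bounced notice.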
If you are using Microsoft Outlook or MicroSoft Outlook Express as your mail reader, learn how to set the security settings so that it is not susceptible to virus attacks. Alternatively, get a "real" mail reader.
LOL Sheila :)
-Bob
sheila
07-29-2001, 02:17 PM
Originally posted by Bob:
LOL Sheila :)
Yeah, well I'm opinionated, and most of my friends know that I say what I think.
Hi again Sheila,
Ohhh Don't get me wrong, the Last email client I would ever use would be anything named Outlook !
Anyone using Outlook, IMHO Disclaimer: Not an Official FutureQuest position is asking for BIG TROUBLE
That was one of those Loving Laughs :)
-Bob
Sheila,
Thanks a lot for the script! As I'm not very good at installing scripts, I decided to use the first version you offered, which simply bounces back the suspicious e-mail with the message "SirCAM virus rejected". I'm on SIX, and it seems to work (I waited till the upgrade, just to make sure). Just one question: the script doesn't seem to check for attachments. What happens if I get a message, say, from a discussion list I'm subscribed to, beginning: "Hey, guys, if you get anything starting with >>I send you this file in order to have your advice<< delete it immediately.", with no attachments, of course. Will it send back my error message to the whole list? Or does it depend on the setup of that particular list server? Or if it is just a single message from a friend, with the same content as above - I suppose it will bounce it mercilessly, no matter what. Or should I just change the rejection message to something like "Don't send me anything starting with those words or I won't read it"?
Thanks,
Elek
After thinking about it a while and performing some tests (sending messages to myself from other accounts) it seems the answer to all my questions above is "yes".
-----------
Hey, Elek, it was nice talking to you. Good to see you can sort out your problems on your own. Think before you write next time, will you?
sheila
07-29-2001, 05:22 PM
Originally posted by Elek:
Thanks a lot for the script! As I'm not very good at installing scripts, I decided to use the first version you offered, which simply bounces back the suspicious e-mail with the message "SirCAM virus rejected". I'm on SIX, and it seems to work (I waited till the upgrade, just to make sure).
Good. I'm glad to hear that the "bouncesaying" is working on the newly upgraded SIX. (I sent someone email instructions on how to use it on SIX, and that's why I'm glad to hear that it is working.)
Just one question: the script doesn't seem to check for attachments. What happens if I get a message, say, from a discussion list I'm subscribed to, beginning: "Hey, guys, if you get anything starting with >>I send you this file in order to have your advice<< delete it immediately.", with no attachments, of course. Will it send back my error message to the whole list? Or does it depend on the setup of that particular list server? Or if it is just a single message from a friend, with the same content as above - I suppose it will bounce it mercilessly, no matter what. Or should I just change the rejection message to something like "Don't send me anything starting with those words or I won't read it"?
You're correct that that simple script does not check for any attachments. And you are also correct, that any e-mail starting with one of those lines will generate an error message, as you describe. However, it does have to exactly match one of the sentences, as reported on that anti-virus website. Quite frankly, that is very awkward sounding English, and I can't imagine too many people phrasing it exactly that way. But, false positives are possible, yes.
Will the error message go to the listserv? It does depend on the setup of that particular list server. Yes, it will, as you say, "bounce mercilessly, no matter what".
I don't want to advise you on how to change the rejection message. I think that is up to you. However, I will say this:
If you are very concerned about false positives, and if you use the condredirect instead of the "bouncesaying" command, with the latest script (more complicated one) that I posted, at least you will be notified when there is a rejection notice sent, and you will see the beginning part of the message, also. So, you could then intercede and contact the person by mail.
As far as checking for file attachments and so forth...
It would be possible to modify the script to do that. I just put up something that is quick, and seemed to me unlikely (although possible) to generate false positives. I want to be careful here and not offer lots of custom mods. I can point people to the Python Docs (http://www.python.org/doc/versions.html) , or I'd be willing to contract out for special mods. If someone wants to hire me to do custom mail filtering, that is certainly a possibility. In that case, I would have to put in a lot more time, and check everything very carefully to make sure that the script would do exactly what you want.
Of course, I'm happy to help someone learn Python programming any time, for free (I am a member of the Python Tutor mailing list, etc..) and then you would be able to do this stuff for yourself.
P.S. after previewing this message, I see that you already tested for your own answers, but I've already composed this, so now I'm going to post it anyway...
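The two points raised in this exchange, that the posted script only looks at the first body line and that it never checks for an attachment, can be combined into one condredirect test. The script below is an added example and is not sheila's redir.py or any code from this thread; it is written for Python 3's email package rather than the rfc822 module the original uses. It assumes the .qmail file, the python3 path and the redirect address shown in the usage note, and its sample messages are constructed inline for illustration. Like the original, it signals "redirect" to condredirect with exit code 0 and "deliver normally" with exit code 1; unlike the original, it only fires when the SirCam sentence opens the body and the message actually carries a non-text or attachment part, so a friend quoting the sentence in plain text is delivered.

```python
"""condredirect test: redirect mail that looks like a SirCam worm message.

Added example for this thread; not the script posted above. Exit 0 tells
condredirect to redirect, exit 1 lets delivery continue (see the condredirect
man page linked earlier in the thread).
"""
import email
import sys
from email import policy
from email.message import EmailMessage

# The opening sentence discussed in the thread. Further known variants can be
# appended here; only this one is taken from the thread itself.
SIRCAM_SIGNATURES = (
    "I send you this file in order to have your advice",
)


def first_body_line(msg):
    """Return the first non-blank line of the first text/plain part, or ''."""
    part = msg.get_body(preferencelist=("plain",))
    if part is None:
        return ""
    for line in part.get_content().splitlines():
        if line.strip():
            return line.strip()
    return ""


def has_attachment(msg):
    """True if any leaf MIME part is an attachment or is not text at all."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            return True
        if part.get_content_maintype() != "text":
            return True
    return False


def looks_like_sircam(msg, require_attachment=True):
    """Match only when the body *starts* with a signature sentence.

    A quoted copy of the sentence later in a line (as in a mailing-list
    warning that begins "Hey, guys, ...") does not match, and with
    require_attachment=True a bare sentence without a payload is delivered.
    """
    line = first_body_line(msg)
    if not any(line.startswith(sig) for sig in SIRCAM_SIGNATURES):
        return False
    return has_attachment(msg) if require_attachment else True


def decide(raw_bytes):
    """Return the exit code condredirect should see for this raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return 0 if looks_like_sircam(msg) else 1


def _build_sample(first_line, attach):
    """Constructed sample message (not real captured mail) for demonstration."""
    m = EmailMessage()
    m["From"] = "someone@example.com"   # hypothetical address
    m["To"] = "me@example.com"          # hypothetical address
    m["Subject"] = "photo"
    m.set_content(first_line + "\n\nSee you later. Thanks\n")
    if attach:
        m.add_attachment(b"MZ\x90\x00fake-payload", maintype="application",
                         subtype="octet-stream", filename="photo.jpg.pif")
    return m.as_bytes()


# Worm-style message: signature sentence first, executable attached.
SAMPLE_WORM = _build_sample(SIRCAM_SIGNATURES[0], attach=True)
# Elek's scenario: a list member quoting the sentence as a warning, no attachment.
SAMPLE_LIST_WARNING = _build_sample(
    "Hey, guys, if you get anything starting with >>" + SIRCAM_SIGNATURES[0]
    + "<< delete it immediately.", attach=False)
# The sentence on its own, with no payload: delivered, not redirected.
SAMPLE_SENTENCE_ONLY = _build_sample(SIRCAM_SIGNATURES[0], attach=False)


if __name__ == "__main__":
    sys.exit(decide(sys.stdin.buffer.read()))
```

To wire it in, the .qmail-username line would read something like `|condredirect username-sircam /usr/bin/python3 /big/dom/xdomain/sircam.py` (the python3 path and the `username-sircam` redirect address are assumptions; use whatever exists on your server). Per the man page, a 0 exit makes condredirect forward the message and stop processing the rest of the .qmail file, any other exit lets the following lines run, and exit 111 defers delivery, so an unexpected crash in the script should be avoided rather than relied on.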
sheila
07-29-2001, 06:06 PM
Originally posted by Elek:
Just one question: the script doesn't seem to check for attachments. What happens if I get a message, say, from a discussion list I'm subscribed to, beginning: "Hey, guys, if you get anything starting with >>I send you this file in order to have your advice<< delete it immediately.", with no attachments, of course. Will it
...<rest snipped>...
I just wanted to add a comment on this.
The reason I picked this particular solution method, is because the procmail recipe that you posted here:
http://www.aota.net/forums/showthread.php?s=&postid=50537#post50537
which says:
:0 B
* ^I.send.you.this.file.in.order.to.have.your.advice
{
LOG="Ex/Pt "
:0
/dev/null
}
As I read it, that's all this recipe does, too. Looks for a line that begins with "I send you this file in order to have your advice". I'm not a procmail expert, so I'm not sure what the LOG="Ex/Pt" does, but then it apparently deletes the message.
ryount
07-29-2001, 10:04 PM
Originally posted by sheila:
Quite frankly, that is very awkward sounding English, and I can't imagine too many people phrasing it exactly that way.
Perhaps the response message should say "All your SirCAM virus are belong to us."
jwlai
08-01-2001, 03:57 AM
you can simply create a black hole addy for that purpose and the messages will be silently deleted.
Thanks for all those scripts, it's very useful to defend SirCam virus.
Sorry for asking this simple question, how do I create a black hole address?
sheila
08-01-2001, 03:59 AM
Originally posted by jwlai:
Thanks for all those scripts, it's very useful to defend SirCam virus.
Sorry for asking this simple question, how do I create a black hole address?
Refer to this thread to create a black-hole addy:
http://www.aota.net/forums/showthread.php?s=&threadid=5215&highlight=%2Anull%2A+%2Adev%2A+%2Amail
jwlai
08-01-2001, 04:45 AM
Sheila,
Thanks a lot!
Now this is a perfect tool to keep SirCam away from my inbox.
sheila
08-01-2001, 09:52 AM
Originally posted by jwlai:
Thanks a lot!
Now this is a perfect tool to keep SirCam away from my inbox. :stardanc:
Cool. :cool:
Her.ph
08-06-2001, 11:38 PM
Sheila:
I just installed the sirCAM scanner you built on various HisMobile.com and HerMobile.com addresses and it works like a charm. I'm on QBERT and using the condredirect version. If I didn't know any better, I'd say you bleed electrons when cut and can crank out code like rappers crank out rhyme.
Well Done!8} :] :agree:
sheila
08-07-2001, 12:26 AM
Wow. I can't believe people are still dealing with this thing. I've been thinking about taking the sircam filter down off of my site. I haven't received one in days.
Glad it did the trick for you. Seriously...it is an extremely simple little script.
:D