Wed, 20 Aug 2003

SpamAssassin Recipe to Help Stop Viruses

Here at work we host our own mail server on a Debian Linux box running qmail as the SMTP server, procmail and SpamAssassin for email filtering, and Courier IMAP, which clients use to access their messages on the server. This combination works very well on the modest hardware it all runs on: an AMD Athlon 800 with 256 MB RAM and mirrored IDE hard drives.

However, beginning early yesterday afternoon, a few of the email addresses available for our domain (sales, support, techsupport) started to get bombarded with emails bearing malicious attachments of the .pif, .scr and .bat variety. Another Microsoft-sponsored worm was on the loose and making life difficult for network admins everywhere...

Trying to be proactive and neutralize the problem, I whipped up a small SpamAssassin rule that flags emails carrying these attachment types as spam. The score is set far above the spam threshold, so SpamAssassin's rewriting of the flagged message "de-fangs" the attachment and users can't "accidentally" click on these files and cause more problems for the network. The rule which worked for me is as follows:

# Virus spamtrap
full VIRUS_SUSPICIOUS_ATTACH /.*^Content-Transfer-Encoding: base64.*name=".+\.(bat|scr|pif)"/ism
score VIRUS_SUSPICIOUS_ATTACH 50.0
describe VIRUS_SUSPICIOUS_ATTACH Contains a suspicious attachment - good chance it is a Win32 virus

After over 24 hours of the rule being tested and applied, it seems to be working well. A few notes on how the pattern behaves: a full rule is run over the complete raw message, headers and body included. The i flag makes the extension test case-insensitive, so .PIF and .Scr are caught as well as .pif, and the s flag lets the .* between the base64 header and the filename run across line and MIME-part boundaries, so the two need not sit in the same part. The leading .* is redundant, since the pattern is searched for rather than anchored, but harmless. One limitation: the rule requires the filename to be quoted (name="..."), so an attachment whose name parameter is given unquoted will slip past it. I hope this helps others out there dealing with the same issues that I am!
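To show what the rule does and does not catch, here is an added example (not code from the post): a Python port of the rule, run over constructed sample messages, next to a MIME-aware check that walks the parsed message tree and tests each part's declared filename regardless of header order, quoting or transfer encoding. Only the Python standard library is used; the messages and the base64 payload are made up for the demonstration and are not real worm samples.

```python
import re
from email import message_from_bytes

# Python port of the post's SpamAssassin `full` rule. Perl's /ism flags map to
# re.IGNORECASE | re.DOTALL | re.MULTILINE; the pattern body is copied unchanged.
SUSPICIOUS_ATTACH = re.compile(
    r'.*^Content-Transfer-Encoding: base64.*name=".+\.(bat|scr|pif)"',
    re.IGNORECASE | re.DOTALL | re.MULTILINE,
)

# Same extension list, used by the MIME-aware check below.
SUSPICIOUS_EXT = {"bat", "scr", "pif"}


def rule_matches(raw):
    """Run the ported regex over the whole raw message (headers and body),
    which is what a SpamAssassin `full` rule sees."""
    return SUSPICIOUS_ATTACH.search(raw.decode("latin-1")) is not None


def mime_walk_matches(raw):
    """Structural alternative: parse the MIME tree and test the declared
    filename of every part. Header order, quoting and the transfer encoding
    do not matter here, so it also catches names the regex cannot see."""
    msg = message_from_bytes(raw)
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().rsplit(".", 1)[-1] in SUSPICIOUS_EXT:
            return True
    return False


# Constructed sample message (not real worm traffic). The base64 body is a
# few bytes of a PE header padded out, standing in for an executable.
WORM_LIKE = b"""\
From: someone@example.net
To: sales@example.com
Subject: Re: Your details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_1"

------=_Part_1
Content-Type: text/plain; charset=us-ascii

Please see the attached file for details.

------=_Part_1
Content-Type: application/octet-stream; name="your_details.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="your_details.pif"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
------=_Part_1--
"""

# The same message with the filename parameters left unquoted, which is
# legal MIME for a token like this one.
UNQUOTED = WORM_LIKE.replace(b'"your_details.pif"', b"your_details.pif")

# A plain text enquiry with no attachment at all.
BENIGN = b"""\
From: customer@example.org
To: support@example.com
Subject: Question about pricing
Content-Type: text/plain; charset=us-ascii

Hi, could you send me a quote for ten licences?
"""


if __name__ == "__main__":
    for label, raw in (("worm-like", WORM_LIKE), ("unquoted", UNQUOTED), ("benign", BENIGN)):
        print(f"{label:10s} regex={rule_matches(raw)!s:5s} mime_walk={mime_walk_matches(raw)}")
```

Running it shows the regex and the MIME walk agreeing on the quoted worm-like message and on the benign one, and disagreeing on the unquoted variant, which only the MIME walk flags. In a SpamAssassin deployment the regex form is what you can express in a rule file; the MIME walk is the kind of check a dedicated attachment filter or a SpamAssassin plugin would do instead.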

posted at: 13:59 | path: /computers | permanent link to this entry