in reply to Re: Re: •Re: OT: Well now a worm spreader!
in thread OT: Well now a worm spreader!

At the risk of being totally off-topic, but hey, there must be more than one sysadmin in the audience using Postfix as an MTA...

I have a regex that looks for antivirus spew in order to reject it. Someone had collected a large list of subject headers received from antivirus malware and posted it to the Postfix mailing list. Rather than bog down my server with a check against each subject, I used Perl to build one regex to match them all (and in the darkness bind them :)

If your postfix installation was compiled with the pcre library, you can use the following:

/^( filename="VIRUS_DETECTED_AND_REMOVED_|Subject:(?: (?:.*-Dan +ger : Virus Trouvé|A(?:TENCION\. Usted ha enviado un mail posiblement +e infectado|ntigen found FILE FILTER=|ttachment removed|viso de corre +o\.universia\.net - Virus encontrado)|D(?:etecté Virus - Sujet :|isal +lowed attachment type)|I(?:llegal attachment type found in sent messa +ge|n(?:cidencia de virus|terScan NT Alert|valid content in mail messa +ge \(message rejected\)))|MDaemon (?:Notification -- Attachment Remov +ed|Warning - Virus Found)|N(?:AV detected a virus in a document you a +uthored|OTIFICATION: Virus stopped|ie dostarczono poczty e-mail|orton + AntiVirus detected and quarantined a virus in a message yo)|Possible + Virus Found in E-Mail|Returned (?:due to virus; was:|mail: Possible +Virus Infection)|S(?:canMail Message: To Sender, virus found and acti +on taken\.|kynet Mail Protection scan results|ymantec (?:AVF detected + a(?: repairable\/quarantined virus in a message you sent|n unrepaira +ble virus in a message you sent)|Mail Security detected that you sent + a message containing an executable file\.))|T(?:ipo de archivo adjun +to no permitido encontrado en el mensaje enviado|rovato virus nel mes +saggio)|U(?:nsolicited commercial email rejected|waga: Wykryto wirusa + w poczcie)|V(?:IRUS (?:IN YOUR MAIL TO|NO SEU EMAIL !!!|RE:|VE VASI +ZPRAVE pro|\(W32\/Mydoom@MM\) IN MAIL FROM YOU)|irus(?: (?:Detected b +y Network Associates, Inc\. Webshield SMTP|Infection Alert!|Warning|f +ound in (?:message (?:\(quarantined\)|from you|to you!)|your message +Mail Transaction Failed)|in(?:cident|fection notice)|no seu email)|fe +rtozesi ertesites|veszely! Virus warning!))|W(?: (?:Twojej wiadomosci + znaleziono wirusa! 
\/ Virus found in your message!|wiadomosci wyslan +ej przez Ciebie wykryto WIRUSA)|ARNING: (?:The message contains a vir +us!|YOU MAY HAVE A VIRUS)|IRUS (?:W TWOJEJE POCZCIE|w Twoim mailu !)| +arning(?: Possible Virus Alert !!!|: antivirus system repor)|ykryto w +irusa w Twoim mailu!:)|Your mail server sent us a virus|\(Virus\?\)|\ +[MailServer Notification\]To Sender virus found and action taken\.|\{ +Virus!\}|virus (?:alert|trovato in un messaggio inviato))| Returned +due to virus; was:))/ REJECT antivirus pollution is not wanted here: +haven't you heard that viruses forge e-mail addresses?

Note: the above is sensitive to spaces. Make sure you "download code" rather than a simple cut'n'paste.

I've put the RE in a <readmore>, something I never do as a rule in a reply, but it occurs to me that for people who have long line code wrapping turned off it will make the page rather... wide.

In any case, it's been weeks since we have been bothered by the antics of antivirus software.

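As an added example (my own, not the script behind the pattern in the post): a Perl program that factors a list of subject lines into a single prefix-sharing alternation and prints it as a Postfix pcre header_checks rule. The subject list is a constructed sample drawn from the post's list; the helper names and the REJECT text are assumptions, not part of the post.

```perl
#!/usr/bin/perl
# Turn a list of antivirus-notification subject lines into one Postfix
# pcre header_checks rule with common prefixes factored out.
use strict;
use warnings;

# Constructed sample: a handful of subjects taken from the post's list.
my @subjects = (
    'Virus Warning',
    'Virus Infection Alert!',
    'Virus found in your message',
    'MDaemon Warning - Virus Found',
    'MDaemon Notification -- Attachment Removed',
    'Norton AntiVirus detected and quarantined a virus in a message yo',
);

# Build a character trie; the empty-string key marks where a subject ends.
sub build_trie {
    my %root;
    for my $subject (@_) {
        my $node = \%root;
        $node = $node->{$_} //= {} for split //, $subject;
        $node->{''} = 1;
    }
    return \%root;
}

# Walk the trie and emit a regex: a shared prefix is written once, and the
# branches that follow it become a (?:...|...) alternation.
sub trie_to_re {
    my ($node)  = @_;
    my $may_end = exists $node->{''};    # some subject stops at this node
    my @alts;
    for my $char (grep { $_ ne '' } sort keys %$node) {
        push @alts, quotemeta($char) . trie_to_re($node->{$char});
    }
    return '' unless @alts;
    my $re = (@alts == 1 && !$may_end) ? $alts[0]
                                        : '(?:' . join('|', @alts) . ')';
    $re .= '?' if $may_end;              # longer subjects are optional continuations
    return $re;
}

my $re = trie_to_re(build_trie(@subjects));
# quotemeta() escapes spaces and '/', so the rule survives cut'n'paste and
# the pattern delimiter; Postfix pcre tables match case-insensitively by default.
print "/^Subject: $re/ REJECT antivirus pollution is not wanted here\n";
```

Feed the full collected subject list into @subjects and paste the printed line into the pcre header_checks table; Postfix only ever evaluates one pattern per header.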

Re: Re:x4 OT: Well now a worm spreader! (postfix header check for virus spew)
by flyingmoose (Priest) on Feb 26, 2004 at 01:14 UTC
    Man, you should have used the /x switch, grinder! </troll> </lame-slashdot-emulation>