/*╔══════════════════════════════════════════════════════════════════════════╗
  ║Filter script                                                             ║
  ║                                                                          ║
  ║ Author       : John Bijnens (John.Bijnens at celkunststoffen.khlim.be)   ║
  ║                Bas.Heijermans (bas at heppen.be)                         ║
  ║ Started      : 11 April 2002                                             ║
  ║ Last revised : 04 August 2003 dave.saville@ntlworld.com                  ║
  ║                Updated for weasel 1.645 filter changes                   ║
  ║                                                                          ║
  ║Purpose :                                                                 ║
  ║  Scan incoming emails for viruses by using Norman Virus Control.         ║
  ║  If there is a virus in the incoming email the email can be rejected     ║
  ║  by the server and the following message is given back to the            ║
  ║  originating server                                                      ║
  ║     554 Mail rejected by server because of a detected virus              ║
  ║  You have to specify EXIT 4 for this.                                    ║
  ║  If you want to send a message back to the originating server that the   ║
  ║  mail is accepted to avoid some servers trying to mail it again to       ║
  ║  you multiple times, specify EXIT 2                                      ║
  ║  The infected email is placed in the mailbox of a user Contaminated      ║
  ║  and a warning email is sent to the addressee telling that an infected   ║
  ║  email has been intercepted by the server and giving some information    ║
  ║  to possibly identify the sender.                                        ║
  ║  There is also a warning email sent to the sender of the infected        ║
  ║  email.                                                                  ║
  ║                                                                          ║
  ║This filter script needs the tool qmail.cmd of Peter Moylan to place      ║
  ║emails in the Forward queue                                               ║
  ║                                                                          ║
  ║This filter uses the following files in the program directory of Weasel   ║
  ║  virusnvc.lst                                                            ║
  ║  virusmail_to     (this file must already exist and contain your own     ║
  ║                    message for the addressee(s) of the infected email)   ║
  ║  virusmail_sender (this file must already exist and contain your own     ║
  ║                    warning message for the sender of the infected email) ║
  ║  virussend_to                                                            ║
  ║  virussend_sender                                                        ║
  ║                                                                          ║
  ║Credits :                                                                 ║
  ║  Many thanks to Bas Heijermans for giving the ideas that led to          ║
  ║  the development of this routine and for the extensive help in           ║
  ║  testing it.                                                             ║
  ║                                                                          ║
  ║At least Weasel version 1.40 or later is required.                        ║
  ╚══════════════════════════════════════════════════════════════════════════╝*/

/* $Id: filter.cmd,v 1.2 2002/04/19 15:32:54 JOHN Exp JOHN $ */

CALL RxFuncAdd 'SysLoadFuncs', 'RexxUtil', 'SysLoadFuncs'
CALL SysLoadFuncs

PARSE ARG namefile messagefile

header.returnpath = '-'
header.replyto    = '-'
header.from       = '-'
header.efor       = '-'
header.edate      = '-'
header.subject    = '-'

VirusName       = 'could not be specified'
NormanInfoFile  = 'virusnvc.lst'
MailInfoFile    = 'virusmail_to'
MailWarningFile = 'virusmail_sender'
SendFile        = 'virussend_to'
SendWarning     = 'virussend_sender'
FromEmail       = 'postmaster@exssl.dnsalias.org'   /* Enter here your own email address */
ServerFrom      = '-'

/* Borrowing some code from Peter Moylan here to determine the MailRoot */
Nul = '00'X
MailRoot = SysIni( 'WEASEL.INI', '$SYS', 'MailRoot' )
j = POS( Nul, MailRoot )
IF j > 0 THEN MailRoot = LEFT( MailRoot, j-1 )
MailRoot = STRIP( MailRoot )
/* Convert forward slashes to backslashes so the path can be used by 'copy' */
MailRoot = TRANSLATE( MailRoot, '\', '/' )
/* End of borrowing */

/* Scan the message; the scanner report is redirected to NormanInfoFile */
'@nvcc.exe /CP /C /N /U /BS- 'messagefile' > 'NormanInfoFile

IF RC = 1 THEN
   DO
      /*****************************************************************/
      /* Copy infected message to the mailbox of the user Contaminated */
      lastbackslash = LASTPOS( '\', messagefile )
      lengthname    = LENGTH( messagefile )
      filename      = RIGHT( messagefile, lengthname - lastbackslash )
      PARSE VAR filename name '.' extension
      'copy 'messagefile MailRoot'contaminated\'name'.MSG'

      /*************************************************************************/
      /* Use the data in the namefile to specify the sender and the addressees */
      /* Send warning emails to the addressees and the suspected sender        */
      /* Determine the name of the detected virus                              */
      line = LINEIN( namefile )          /* read away client_ip & name */
      line = LINEIN( namefile )          /* read away sending hostname */
      line = LINEIN( namefile )          /* sender                     */
      PARSE VAR line '<' ServerFrom '>'
      line = LINEIN( namefile )          /* read away blank line       */

      CALL ScanAddresses messagefile

      /* Take the virus name from the first report line that contains '-> '. */
      /* VirusName keeps its default text when no such line is found.        */
      DO WHILE LINES( NormanInfoFile )
         line = LINEIN( NormanInfoFile )
         PARSE VAR line skip1 '-> ' foundname
         IF foundname >< '' THEN
            DO
               VirusName = foundname
               LEAVE
            END
      END

      CALL CreateMail

      /* Note: the sender and recipient addresses below come from the SMTP */
      /* envelope (untrusted input) and are passed to cmd.exe unquoted.    */
      DO WHILE LINES( namefile )
         domain = ''
         line = LINEIN( namefile )       /* recipients */
         PARSE VAR line user '@' domain
         IF domain >< '' THEN
            DO
               IF TRANSLATE(user) == 'SSL-LIST' THEN line = 'webmaster@'||domain
               'cmd /c qmail.cmd -f' FromEmail '-t' line SendFile
            END
      END

      CALL CreateWarning
      'cmd /c qmail.cmd -f' FromEmail '-t' ServerFrom SendWarning

      /******************************************************************************/
      /* Change the first line of the supplied namefile to specify a new return     */
      /* message for the mailserver                                                 */
      /* Don't forget to change EXIT 2 to EXIT 4 if you want the message to be sent */
      status = LINEOUT( namefile, '554 Mail rejected by server because of a detected virus', 1 )

      /***********/
      /* Cleanup */
      CALL SysFileDelete SendFile
      CALL SysFileDelete SendWarning
      EXIT 2
   END
ELSE
   EXIT 0

/*╒══════════════════════════════════════════════════════════════════════════╕
  │Procedure ScanAddresses                                                   │
  │                                                                          │
  │Purpose :                                                                 │
  │ Try to get some useful information to give the addressee an idea of whom │
  │ the infected email is coming from.                                       │
  │ The gathered information is stored in the global variable header.xxxx    │
  ╘══════════════════════════════════════════════════════════════════════════╛*/
ScanAddresses: PROCEDURE EXPOSE header.
   PARSE ARG msgfile
   found.ReturnPath = 0
   found.Received   = 0

   /* Open the file, then reset the read position to the first character */
   /* so that CHARS() returns the total size of the message file         */
   charread  = CHARIN( msgfile )
   CALL CHARIN msgfile, 1, 0
   totalchar = CHARS( msgfile )

   DO WHILE LINES( msgfile )
      line = LINEIN( msgfile )
      PARSE VAR line headerparam ': ' headerremain
      headerparam = TRANSLATE( headerparam )
      SELECT
         WHEN headerparam = 'RETURN-PATH' THEN
            IF found.ReturnPath = 0 THEN
               DO
                  PARSE VAR headerremain '<' header.returnpath '>'
                  found.ReturnPath = 1
               END
         WHEN headerparam = 'REPLY-TO' THEN
            header.replyto = headerremain
         WHEN headerparam = 'FROM' THEN
            header.from = headerremain
         WHEN headerparam = 'RECEIVED' THEN
            DO
               /* Only the first Received header is examined */
               IF found.Received = 0 THEN
                  DO
                     /* Append folded continuation lines (they start with a tab or a space) */
                     receiveremain = 'a'
                     DO WHILE receiveremain >< ''
                        receiveremain = ''
                        remainingchar = CHARS( msgfile )
                        line = LINEIN( msgfile )
                        PARSE VAR line nextlinefound 2 receiveremain
                        IF nextlinefound == '09'x | nextlinefound == '20'x THEN
                           headerremain = headerremain || receiveremain
                        ELSE
                           DO
                              /* Not a continuation line: move the read position back to */
                              /* the start of this line so the main loop processes it    */
                              IF remainingchar > 0 THEN
                                 CALL CHARIN msgfile, totalchar - remainingchar + 1, 0
                              LEAVE
                           END
                     END
                     /* Extract the address from the "for <address>;" clause */
                     PARSE VAR headerremain . 'for ' lfor ';' .
                     IF lfor >< '' THEN
                        DO
                           PARSE VAR lfor firstc 2 .
                           IF firstc = '<' THEN
                              PARSE VAR lfor '<' header.efor '>'
                           ELSE
                              header.efor = lfor
                        END
                     found.Received = 1
                  END
            END
         WHEN headerparam = 'DATE' THEN
            header.edate = headerremain
         WHEN headerparam = 'SUBJECT' THEN
            header.subject = headerremain
         WHEN headerparam = 'MESSAGE-ID' THEN
            LEAVE                        /* stop scanning at the Message-ID header */
         OTHERWISE
            NOP
      END
   END
RETURN

/*╒══════════════════════════════════════════════════════════════════════════╕
  │Procedure CreateMail                                                      │
  │                                                                          │
  │Purpose :                                                                 │
  │ Create a file containing the information gathered from the infected      │
  │ email and the name of the virus found by NVC                             │
  │                                                                          │
  │ A new file (name is held in the variable SendFile) is created.           │
  │ First the necessary header information is added to the file.             │
  │ Then the contents of the info file (name is held in the variable         │
  │ MailInfoFile) is appended to this new file. You can specify your own     │
  │ message in this info file.                                               │
  │ Then the header information that was gathered from the infected email    │
  │ is appended to this new file.                                            │
  ╘══════════════════════════════════════════════════════════════════════════╛*/
CreateMail: PROCEDURE EXPOSE header. MailInfoFile NormanInfoFile SendFile ServerFrom VirusName
   CALL LINEOUT SendFile, 'Subject: Virus warning'
   CALL LINEOUT SendFile, ''
   DO WHILE LINES( MailInfoFile )
      CALL LINEOUT SendFile, LINEIN( MailInfoFile )
   END
   CALL LINEOUT SendFile, '-- Server info --'
   CALL LINEOUT SendFile, 'Arrived at server from : ' ServerFrom
   CALL LINEOUT SendFile, 'The server has already sent a warning email to this user'
   CALL LINEOUT SendFile, ''
   CALL LINEOUT SendFile, '-- Info from infected email --'
   CALL LINEOUT SendFile, 'Return-Path : ' header.returnpath
   CALL LINEOUT SendFile, 'Reply-To : ' header.replyto
   CALL LINEOUT SendFile, 'From : ' header.from
   CALL LINEOUT SendFile, 'Date : ' header.edate
   CALL LINEOUT SendFile, 'For : ' header.efor
   CALL LINEOUT SendFile, 'Subject : ' header.subject
   CALL LINEOUT SendFile, '-'
   CALL LINEOUT SendFile, 'Virusname : ' VirusName
   CALL LINEOUT SendFile                 /* close the file */
RETURN

/*╒══════════════════════════════════════════════════════════════════════════╕
  │Procedure CreateWarning                                                   │
  │                                                                          │
  │Purpose :                                                                 │
  │ Create a file containing a warning message for the suspected sender of   │
  │ the infected email.                                                      │
  │                                                                          │
  │ A new file (name is held in the variable SendWarning) is created.        │
  │ Then the contents of the info file (name is held in the variable         │
  │ MailWarningFile) is placed in this new file. You can specify your own    │
  │ message in this info file.                                               │
  │ Then the name of the detected virus is appended to this file.            │
  ╘══════════════════════════════════════════════════════════════════════════╛*/
CreateWarning: PROCEDURE EXPOSE MailWarningFile SendWarning VirusName
   CALL LINEOUT SendWarning, 'Subject: Virus warning'
   CALL LINEOUT SendWarning, ''
   DO WHILE LINES( MailWarningFile )
      CALL LINEOUT SendWarning, LINEIN( MailWarningFile )
   END
   CALL LINEOUT SendWarning, 'Detected virus :' VirusName
   CALL LINEOUT SendWarning              /* close the file */
RETURN