Can I hand edit the procmailrc.mharc file to add rules which will filter
SoBig viruses out before mharc processes the mail?
I thought by now we'd be past this and that the infrastructure guys
would have been able to come up with a way to filter these messages, but
no such luck. Last night two of my archived lists received over 4000
Sobig emails. I was thinking perhaps I could put a procmail rule in
like:...
:O:
* ^Subject:.*(Re: Details|Re: Approved|Re: Re: My details|Re: Thank
you!|Re: That movie|Re: Wicked screensaver|Re: Your application|Thank
you!|Your details)
/dev/null
or perhaps $BASEDIR/virus as the action, since deleting mail directly
with procmail is generally a bad idea.
I'm curious if a hand edit in that file will cause problems when running
make or make rebuild...either by mucking things up or by the programs
rewriting the procmail file with out my hand edit.
On Wed, 2003-08-20 at 13:18, Earl Hood wrote:
On August 20, 2003 at 10:09, "Sean M. Alderman" wrote:
I'm curious what your collective opinions are on the best way to remove
multple virus messages from multiple archives are. We've had a storm of
the messages from the W32/Sobig(_dot_)1(_at_)MM worm archived over the past
few day
or so.
My first thought was to write a script to yank the messages out of the
raw mbox files and follow that up with a make rebuild. I'm not sure how
long that might take, so I thought I'd see if there might be better
alternatives.
Message deletion is a known problem with mharc, and I have been
contemplating on how a deletion system could be implemented, mainly
on how one would designate which messages should be deleted.
For now, things have to be done manually. You should delete the
messages from the raw mbox files. The tricky part is what to do
about the HTML archives.
As for a rebuild, it depends on the size of your archives and
the capabilities of your system. At a minimum, you can delete the
attachment files from the archives so users try not to download them
from the archives.
You could try to get mhonarc to remove the message from the archives
minus doing a rebuild, but it would require to get all the command-line
options right so the archives are updated properly. This is where
having mharc doing the deletion itself would be helpful. A possible
hack (in order to avoid a complete rebuild) is to do the following:
1. Run 'make disable'. This way no auto-cron-based processing will
be done while making edits to the archive.
2. Run 'mhonarc -rmm' directly to each period sub-archive of each
archive with the viral messages to delete the messages. Note,
this will cause some pages to revert to default layout settings,
but we will fix that in the next step.
3. Run 'make editidx'. This will re-edit the pages of each archive
so the proper layout settings are applied. You can explicitly
state which archives to re-edit by doing the following instead:
<mharc-root>/bin/web-archive -verbose -editidx <arch1> <arch2> ....
The -verbose will tell you what is going on.
4. Run 'make enable'. This will re-enable auto updates to the
archives.
Editidx can take some time depending on the size of the archive, but
it is faster than doing a complete rebuild.
BTW, on rebuilds, if not all of your archives have been polluted, you
can just rebuild the ones with viral messages. You can do this by
invoking web-archive script directly:
<mharc-root>/bin/web-archive -verbose -rebuild <archive1> <archive2> ...
If you are really concerned about the overhead of rebuilds, or
do any of the above, you can try to modify mharc scripts directly
to make things more efficient.
--ewh
---------------------------------------------------------------------
To sign-off this list, send email to majordomo(_at_)mhonarc(_dot_)org with the
message text UNSUBSCRIBE MHARC-USERS
--
Sean M. Alderman
ITRACK Systems Analyst
PACE/NCI - NASA Glenn Research Center
(216) 433-2795
If you took all of the grains of sand in the world, and lined them up
end to end in a row, you'd be working for the government! -- Mr.
Interesting
---------------------------------------------------------------------
To sign-off this list, send email to majordomo(_at_)mhonarc(_dot_)org with the
message text UNSUBSCRIBE MHARC-USERS
