procmail

KAK responder

2000-07-21 13:33:01

Thanks to Zhiliang for the assist on the recipe.  I modified it a bit, as
I decided to change the desired outcome.  In Zhiliang's code, the entire
[...] been mailed to the admins at their domain.  Since I'm a
bit grumpy already, [...] bothered every time one
of my users did something stupid, so I decided to just reply to the sender
and let them assume the responsibility.   If it was one of my users, I
also notified our support staff in case the user called in for
assistance.  Also, I didn't think sending a warning about a potential
virus contamination in a message that contained the active payload was a
responsible option.  A message to an admin unfortunate enough to manage M$
ware could end up with an infected administrator mailbox, propagating the
virus even further.  Here is my finished recipe and perl script if anyone else
is interested:

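# "$" is escaped below: unescaped, procmail treats it as an end-of-line
# anchor, so the literal text "Kro$oft" would never match.
:0
* B ?? (kak\.hta|alert.*Kagou-Anti-Kro\$oft says not today)
{
 # save a temp copy of the mail (locked: kakmailer.pl reads this file)
 :0c:
 /root/scripts/kak.mail

 # call a perl program to do the mailing
 :0c
 | /root/scripts/kakmailer.pl

 # pile the mail somewhere in case ...
 :0:
 /tmp/virus
}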

#!/usr/bin/perl
# kakmailer.pl - reply to the sender of a message caught by the KAK recipe
use strict;
use warnings;

my ($from, $to, $subject, $username, $host);
my $mailprog = '/usr/sbin/sendmail';
my $copy     = '/root/scripts/kak.mail';   # temp copy saved by the recipe

open(F, '<', $copy) or die "Cannot open $copy: $!";
while (<F>)      {
        last if /^$/;   # blank line ends the headers; never parse the body
        chomp;
        if (/^From:/ and !$from)    {
                $from = $_;
                # take user and host from the address, with or without <>;
                # the character classes keep anything odd out of our To: line
                ($username, $host) = ($1, $2)
                        if /([\w.+-]+)\@([\w.-]+)/;
        }
        if (/^To:/ and !$to)  {
                $to = $_;
        }
        if (/^Subject:/ and !$subject)        {
                $subject = $_;
        }
}
close F;
unlink $copy;

# no usable sender address means there is nobody to notify
exit unless defined $username and defined $host;
$to      = '' unless defined $to;
$subject = '' unless defined $subject;

# list form of open: sendmail is run directly, without a shell
open(MAIL, '|-', $mailprog, '-t') or die "Cannot run $mailprog: $!";
print MAIL "To: $username\@$host\n";
print MAIL "From: support\@wcc.net\n";
if ($host eq "wcc.net") {
        print MAIL "Cc: support\@wcc.net\n";
}
print MAIL "Subject: Possible KAK Virus Infection\n\n";
print MAIL "You recently sent a message $to with the $subject \n";
print MAIL "that was blocked by our system because it appeared to contain the \n";
print MAIL "KAK virus.  To remove the virus from your infected system(s), please \n";
print MAIL "and run the KAK virus cleaner from http://support.wcc.net/kakcleaner.exe\n\n";
if ($host eq "wcc.net") {
        print MAIL "Call Tech Support at 234-5678 for further assistance.\n\n";
        print MAIL "Thank you for using West Central Net.\n";
}
else    {
        print MAIL "Contact your ISP or system Technical Support for further assistance.\n";
}
close MAIL;
exit;



-- 
===============================================
Kip Turk                    phone: 915.234.5678
Systems Administrator           or 800.695.9016 
West Central Net              fax: 915.656.0071
===============================================



_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
