Thanks to Zhiliang for the assist on the recipe. I modified it a bit, as
I decided to change the desired outcome. In Zhiliang's code, the entire
message had been mailed to the admins at their domain. Since I'm a
bit grumpy already, I didn't want to be bothered every time one
and let them assume the responsibility. If it was one of my users, I
also notified our support staff in case the user called in for
assistance. Also, I didn't think sending a warning about a potential
virus contamination in a message that contained the active payload was a
responsible option. A message to an admin unfortunate enough to manage M$
ware could end up with an infected administrator mailbox, propagating the
virus even further. Here is my finished recipe and perl script if anyone else
is interested:
# Catch the KAK dropper by its file name or by the worm's alert text.
# The $ in Kro$oft is escaped so procmail treats it as a literal character
# rather than as a newline anchor (an unescaped $ would never match here).
:0
* B ?? (kak\.hta|alert.*Kagou-Anti-Kro\$oft says not today)
{
  :0c   # save a temp copy of the mail
  /root/scripts/kak.mail

  :0c   # call a perl program to do the mailing
  | /root/scripts/kakmailer.pl

  :0    # pile the mail somewhere in case ...
  /tmp/virus
}

#!/usr/bin/perl
use strict;
use warnings;

my ($from, $to, $subject);
my $mailprog = '/usr/sbin/sendmail';
my $tmpfile  = '/root/scripts/kak.mail';   # temp copy saved by the procmail recipe

open(my $fh, '<', $tmpfile) or die "cannot open $tmpfile: $!";
while (<$fh>) {
    chomp;
    last if /^$/;                           # headers end at the first blank line
    $from    = $1 if (/^From:\s*(.*)/ and !$from);
    $to      = $_ if (/^To:/        and !$to);
    $subject = $_ if (/^Subject:/   and !$subject);
}
close $fh;
unlink $tmpfile;                            # done with the temp copy
$to      = '' unless defined $to;
$subject = '' unless defined $subject;

# pull user@host out of the From: header, whether or not it is wrapped in <>
my ($username, $host);
if (defined $from and $from =~ /([^\s<>"]+)\@([^\s<>"]+)/) {
    ($username, $host) = ($1, $2);
}
die "no usable sender address in $tmpfile\n" unless defined $host;

open(my $mail, '|-', "$mailprog -t") or die "cannot run $mailprog: $!";
print $mail "To: $username\@$host\n";
print $mail "From: support\@wcc.net\n";
print $mail "Cc: support\@wcc.net\n" if $host eq "wcc.net";
print $mail "Subject: Possible KAK Virus Infection\n\n";
print $mail "You recently sent a message $to with the $subject \n";
print $mail "that was blocked by our system because it appeared to contain the \n";
print $mail "KAK virus. To remove the virus from your infected system(s), please \n";
print $mail "run the KAK virus cleaner from http://support.wcc.net/kakcleaner.exe\n\n";
if ($host eq "wcc.net") {
    print $mail "Call Tech Support at 234-5678 for further assistance.\n\n";
    print $mail "Thank you for using West Central Net.\n";
}
else {
    print $mail "Contact your ISP or system Technical Support for further assistance.\n";
}
close $mail;
exit 0;
--
===============================================
Kip Turk phone: 915.234.5678
Systems Administrator or 800.695.9016
West Central Net fax: 915.656.0071
===============================================
_______________________________________________
procmail mailing list
procmail@lists.RWTH-Aachen.DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
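A Python counterpart to the mailer above, added here as an illustration and not part of Kip Turk's post or scripts. It parses the saved copy with the standard library's email package instead of chopping header lines by hand, so `From: user@host`, `From: Name <user@host>` and `From: "Last, First" <user@host>` all yield the same address, and it goes a little further than the post's body-only check by scanning every part of a multipart message for the same signature the procmail condition uses. Two points from the post are kept deliberately: the notice never quotes or attaches the blocked message, and support is only copied when the sender is local. When no parsable sender exists it returns nothing rather than guessing. The domain example.net, the support address and the cleaner URL are placeholders standing in for the wcc.net values in the post.

```python
import re
import subprocess
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed stand-ins for the wcc.net values in the post.
LOCAL_DOMAIN = "example.net"
SUPPORT_ADDR = "support@example.net"
CLEANER_URL = "http://support.example.net/kakcleaner.exe"   # placeholder URL

# The procmail condition from the post as a Python regex: the dropper's file
# name or the worm's alert string anywhere in a body part.
KAK_SIGNATURE = re.compile(
    r"kak\.hta|alert.*Kagou-Anti-Kro\$oft says not today", re.IGNORECASE | re.DOTALL
)


def looks_like_kak(raw_message: str) -> bool:
    """Return True if any non-multipart part of the message carries the signature."""
    msg = message_from_string(raw_message)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if KAK_SIGNATURE.search(payload.decode("latin-1", "replace")):
            return True
    return False


def build_notice(raw_message: str):
    """Build the warning to the sender, or None if there is no usable sender.

    The blocked message is neither quoted nor attached: the notice must not
    carry the payload it is warning about.
    """
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    if "@" not in sender:
        return None
    host = sender.rsplit("@", 1)[1].lower()
    local = host == LOCAL_DOMAIN

    notice = EmailMessage()
    notice["To"] = sender
    notice["From"] = SUPPORT_ADDR
    if local:
        notice["Cc"] = SUPPORT_ADDR   # support hears about it in case the user calls in
    notice["Subject"] = "Possible KAK Virus Infection"

    lines = [
        f"You recently sent a message to {msg.get('To', '(unknown)')} with the subject",
        f"\"{msg.get('Subject', '')}\" that was blocked by our system because it appeared",
        "to contain the KAK virus. To remove the virus from your infected system(s),",
        f"please run the KAK virus cleaner from {CLEANER_URL}",
        "",
        "Call Tech Support for further assistance." if local
        else "Contact your ISP or system Technical Support for further assistance.",
    ]
    notice.set_content("\n".join(lines))
    return notice


def deliver(notice: EmailMessage, sendmail: str = "/usr/sbin/sendmail") -> int:
    """Hand the notice to sendmail -t, as kakmailer.pl does; returns the exit status."""
    proc = subprocess.run([sendmail, "-t"], input=notice.as_bytes())
    return proc.returncode


# Constructed sample of what the recipe's first action saves to kak.mail.
SAMPLE_KAK_MAIL = """\
From: "Some User" <someone@example.net>
To: victim@example.org
Subject: hello
Content-Type: text/html

<html><body><script>alert("Kagou-Anti-Kro$oft says not today!")</script></body></html>
"""

if __name__ == "__main__":
    if looks_like_kak(SAMPLE_KAK_MAIL):
        notice = build_notice(SAMPLE_KAK_MAIL)
        print(notice.as_string() if notice else "no usable sender; nothing sent")
```

Run as-is it only prints the notice it would send; wire `deliver()` in behind `build_notice()` once the sendmail path and the placeholder values have been replaced with the site's own.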