<rant>
To some this will seem long and off-topic, and I'll offer my apology for
that right up top. And I'll also admit that part of the purpose of this
is selfishly fiendish, which will be obvious. But I don't believe it's
a total abuse, as others may have experienced the same frustration, here
and elsewhere, and might welcome a hint at a response.

Ok, I should count to 10. But I'm not. In past weeks, I've had 3 or 4
virus "alerts" generated as auto responses to list posts. Until today,
they'd all come from fb.co.nz. I sent them a *polite* response to the
first one, as *instructed*. Never heard diddly back. Those <expletive
deleted>. Got a couple more, and got a little less polite. Of course
that didn't help either. I set up my own auto ack, including a cc: to
the software vendor, and I'll be damned if the "alert" didn't change
just enough to get through the filter today. Then to add insult to
injury, two more arrived unrelated to the first. These don't identify
themselves, but 5 will get you 10 it's some other "commercial" software.
The irony is that the message blocked was an effective filter for the
very virus they're "protecting" people from, and those people's
presence on the list indicates their probable ability to implement it.
If only they could see it. That might be laughable, if it weren't so
damned brain-dead.

It's very arguable whether auto responding to someone who is infected
does any good anyway. But if it makes someone feel important, they
should at least make sure it's going only where it should. It's not only
possible, it's a given that there will be legitimate discussions in
legitimate venues when these things pop up. Blindly rejecting anything
that *might* *look* like it's a virus is flat out moronic. Auto
responding to the same messages is worse than moronic. Quarantine them
if it's not clear cut and you choose not to take the risk. But denying
users the chance to see these messages - so simply and obviously
identifiable as *not* infected - is downright irresponsible. And
charging money for software that does it should be actionable.

So I offer the following:

(Note: if anyone does consider using any part of the following, there
are variable names, headers, a user name and domain name unique to my
setup. Check everything carefully, and test it thoroughly. Especially
make sure you're not autoresponding to a list message. I take extra
pains in that regard, but most of it depends on work done long before
this on an X-No-Spam: header. You must have some method to make sure
you're not auto-acking list messages.)

# Each bracket expression below holds a space and a literal tab.
wsstar='[ 	]*'
wsplus='[ 	]+'
wsneg='[^ 	]'

# This recipe cc:'s the end user whose mail was blocked, including an
# apology for putting them in the middle, but with my hope that putting
# them there might bring some pressure.
:0
* ! ^X-No-Spam: list
* ^Return-Path: <MAILER-DAEMON@tradersdata.com>
* ^X-Envelope-To: <procmail1@tradersdata.com>
* 1^0 ^Subject:.*Email Security Notification
* 1^0 B ?? following message.*stopped.*virus
* 1^0 B ?? If.*this mail was stopped in(correctly| error)
* -1^0
* B ?? MailMarshal
* ^\/Date:.*
{
  xDATE="$MATCH"

  # First address found at the start of a body line becomes the recipient.
  :0
  * $ B ?? ^${wsstar}\/${wsneg}[^ @]+@[^ @]+
  {
    xMAILTO=$MATCH
    xCC=`formail -zx cc:`

    # No cc: header address: fall back to the To: quoted in the body.
    :0
    * ! xCC ?? @
    * B ?? ^${wsstar}To:.*\/${wsneg}[^ @]+@[^ @]+
    { xCC=$MATCH }

    # Unset xCC if it points at a list.
    :0
    * 1^0 xCC ?? procmail\.org
    * 1^0 xCC ?? Lists\.RWTH-Aachen\.DE
    * 1^0 xCC ?? securityfocus\.com
    { xCC }

    :0
    * B ?? Mail scanning.*MailMarshal
    { mmCC="support@marshalsoftware.com" }

    # Save the body to a temp file (the filter leaves the body empty).
    :0 fb
    | cat - >$PMDIR/tmp/mmalert.morons.tmp

    :0 h
    | ( formail -r -A "X-Loop: system@tradersdata.com" \
          -I "Precedence: junk" \
          -I "X-Mailer: Hey, Over Here! It's not LookOut... you Putz" \
          -I "To: $xMAILTO" \
          -I "From: postmaster@tradersdata.com" \
          -I "cc: $xCC $mmCC procmail1@tradersdata.com" ; \
        echo -ne "${xCC:+[ $xCC:\n}"; \
        echo -ne "${xCC:+ Sorry you\047re in the middle. Maybe they}"; \
        echo -ne "${xCC:+\047ll care that you\047re affected...\n}"; \
        echo -ne "${xCC:+ ...Nah! These bozos couldn\047t give a}"; \
        echo -ne "${xCC:+ rat\047s ass about that, could they? ]\n\n}"; \
        cat $PMDIR/txt/mmalert.morons; \
        echo "---(original message $xDATE)---"; \
        cat $PMDIR/tmp/mmalert.morons.tmp \
        |perl -e '$/=undef;$s=<>;' \
          -e '$s=~s/(---+=_NextPart.+)?Content-Transfer-Encoding:.+?\n//s;' \
          -e '$s=~s/Content-Type: .+?\n//s;' \
          -e '$s=~s/\s*charset\=.+?\n//s;' \
          -e '$s=~s/---+=.*?\n//gs;$s=~s/^\n\s*\n/\n/gs;print $s,"\n";' \
      ) | $SENDMAIL -t

    :0
    /dev/null
  }
}

:0
* ! ^X-No-Spam: list
* ^X-Envelope-To: <procmail1@tradersdata.com>
* ^Subject:.*SirCam
* B ?? Your computer.*infected.*SirCam
* B ?? http://www.wired.com/news/technology/0,1282,45427,00\.html
* ^\/Date:.*
{
  xDATE="$MATCH"

  # Save the body to a temp file (the filter leaves the body empty).
  :0 fb
  | cat - >$PMDIR/tmp/sircam.morons.tmp

  # The reply goes to the From: address of the alert.
  :0
  xMAILTO=| formail -zx From:

  :0 h
  | ( formail -r -A "X-Loop: system@tradersdata.com" \
        -I "Precedence: junk" \
        -I "X-Mailer: Hey, Over Here! It's not LookOut... you Putz" \
        -I "To: $xMAILTO" -I "cc: procmail1@tradersdata.com" \
        -I "From: postmaster@tradersdata.com"; \
      cat $PMDIR/txt/sircam.morons; \
      echo -e "---(original message $xDATE)---\n"; \
      cat $PMDIR/tmp/sircam.morons.tmp \
    ) | $SENDMAIL -t

  :0
  /dev/null
}

---(cut here: mmalert.morons)---
You have already been informed this message is in error.
If you can't fix it, maybe you should go back to your crayons.
I don't run Windows and CAN'T have the virus. Got it yet?
No, I didn't think so.
The suspect message is from a mail list dedicated to mail
filtering, and the very legitimate discussion (which, by the
way, you prevented your customer from seeing) had to do with
filtering the very virus you've "identified". Both you and
the software vendor might actually benefit from the discussion,
because intercepting this message was nothing short of brain-
dead pathetic. It was MIME Content-Type: TEXT/plain with no
attachment or multipart for God's sake.
Neither you nor the software vendor that produced the piece
of crap that's generating these false matches has any business
being entrusted with anything having to do with a service
organization...unless your service is losing business for
yourself and the customers.
Generating these incorrect messages with a return path of
my MAILER-DAEMON is inexcusable, because they deserve to get
bounced. Since I can't do that without bouncing the whole
domain, you reap the same annoying treatment you sow.
BTW, next step *is* to plonk the whole damn domain:
your.domain.here 550 Access denied to domains with moron mail admins
That ought to help you win over a couple more customers, eh?
Have a nice day.
---(cut here: mmalert.morons)---
---(cut here: sircam.morons)---
No, my computer is most certainly not infected with SirCam. Your
filter caught a message to the procmail (mail filtering software)
mail list discussing filtering sircam. There wasn't even an
attachment to carry the virus. Doh! Your filter is not only wrong,
it's seriously brain-dead. And sending auto-responses based on
that is completely wrong. I hope you are running this on behalf of
yourself only, and not diverting legitimate mail to other users.
FYI, the procmail list, from which you probably and erroneously
rejected this message, would teach you precisely how to prevent
this from happening. Although, if you have no better sense than to
send auto-responses to list messages - a truly piss-poor practice,
it's probably better if you just go back to your crayons.
And if it's somebody else's software, please uninstall it and tell
the vendor, and everyone else you can think of, how badly it sucks.
---(cut here: sircam.morons)---

It's such a shame that all it takes to set off these trigger-happy
imbeciles is something like:

    Hi! How are you ?
    I send you this file in order to have your advice
    See you later. Thanks

-- 
                    /"\
Don Hammond         \ /     ASCII Ribbon Campaign
Raleigh, NC US       X        Against HTML Mail,
                    / \          and News Too
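
The note in the post says its recipes rely on an X-No-Spam: header set earlier in the rc file and that some method of never auto-acking list mail is required. The following is an added example of one such method, not the poster's own configuration: the header indicators chosen, the LOOPADDR placeholder address and the ack-dryrun mailbox are all assumptions made for illustration.

```procmail
# Added example, not from the original post.
# LOOPADDR is a placeholder; ack-dryrun is a hypothetical mbox that
# collects generated replies for inspection instead of mailing them.
LOOPADDR=postmaster@example.invalid

# Step 1, early in the rc file: tag anything that came through a list
# or bulk mailer. Each matching line scores 1; one indicator is enough.
# formail -I replaces any X-No-Spam: header the sender supplied.
:0 fhw
* 1^0 ^List-(Id|Post|Help|Unsubscribe):
* 1^0 ^(X-)?Mailing-List:
* 1^0 ^X-BeenThere:
* 1^0 ^Precedence:.*(bulk|list)
* 1^0 ^Sender:.*(owner-|-owner@|-request@|-bounces)
| formail -I "X-No-Spam: list"

# Step 2: the guard wrapped around every auto-ack recipe.
#  - list traffic tagged in step 1 is never answered
#  - mail already carrying our own X-Loop marker is never answered,
#    so a remote auto-responder cannot start a ping-pong
# $\LOOPADDR expands the variable with regex metacharacters disarmed.
:0
* ! ^X-No-Spam: list
* $ ! ^X-Loop: $\LOOPADDR
{
  # Build the reply header and append it to the dry-run mbox under a
  # lockfile. The c flag keeps the original message flowing so normal
  # delivery still happens. Swap the redirect for "| $SENDMAIL -t"
  # only after the dry-run output has been checked.
  :0 hc: ack-dryrun.lock
  | formail -r -A "X-Loop: $LOOPADDR" -I "Precedence: junk" \
      >> $MAILDIR/ack-dryrun
}
```

The recipes in the post add an X-Loop: header to outgoing replies; the guard in step 2 is the matching inbound test on that header.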