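This is a template for the infected-mail handler script. The actual scripts are produced by subst.sh and the language files.
#! /bin/sh
#
# Autogenerated from $Id: template,v 1.12 2002/10/09 22:01:09 mjt Exp $
#
# This program is called by avcheck to handle infected mail.
# Customize to fit your needs.
#
# This script is able to send slightly different messages to the
# local "virus administrator", to the sender and/or to the recipients
# of the original infected message:
#   - the administrator receives the complete original message as an
#     attachment, and the complete list of recipients;
#   - the sender receives the complete message (INFORM_SENDER=y) or only
#     its headers (INFORM_SENDER=h) plus the list of recipients, together
#     with short instructions/suggestions;
#   - the recipients receive only the headers of the original message,
#     without the original recipient list (privacy).
#
# Everything this script interpolates into mail headers, DSN fields or
# syslog lines comes from the SMTP envelope (sender, recipients) or from
# the scanner output ($MSG, documented as multi-line), i.e. it is
# attacker-influenced.  Such values go through oneline() below so that
# embedded CR/LF cannot inject additional header or log lines.
# The @...@ tokens are replaced by subst.sh; keep them as they are.
#
# See below for customization.
#
# Author: Michael Tokarev
# @STAMP@
# @ISTAMP@
# Public domain.

# Arguments:
# 1 - temporary filename with the message.  It is removed by the traps
#     below on every exit path, so the caller must not rely on it.
MAIL="$1"
# 2 - antivirus message if any (multiline, may be empty)
if [ -n "$2" ] ; then MSG="$2"; else MSG="Infected by a virus"; fi
# 3 - from (sender) address (SMTP MAIL FROM; may be forged, see FAKERS)
SENDER="$3"
# 4.. - recipients of the message
shift 3
# $@/$* are the original recipients.  Always enclose in ""!

HOST=$(hostname)
FROM=Antivirus-Daemon
VIRUS_ALERT=virus-alert   # set to empty to skip administrator email

# The code below may be used to have several virus-alert addresses
# depending on recipient domain.  VIRUS_ALERT is deliberately a
# whitespace-separated list (it is expanded unquoted on the sendmail
# command line), so only put trusted, admin-chosen addresses into it.
#VIRUS_ALERT=
#for r ; do
#  case $(printf '%s\n' ".$r" | sed -e 's/.*@//' | tr A-Z a-z) in
#    domain1.example.com)
#      VIRUS_ALERT="$VIRUS_ALERT virus-alert@domain1.example.com" ;;
#    domain2.example.com)
#      VIRUS_ALERT="$VIRUS_ALERT virus-alert@domain2.example.com" ;;
#    domain3.example.com|domain4.example.com)
#      VIRUS_ALERT="$VIRUS_ALERT virus-alert@domain3.example.com" ;;
#    *)
#      VIRUS_ALERT="$VIRUS_ALERT virus-alert@example.com" ;;
#  esac
#done
#case "$VIRUS_ALERT" in
#  *\ *) VIRUS_ALERT=$(echo $VIRUS_ALERT | tr ' ' '\n' | sort -u) ;;
#esac
# (note: sed 'y/[A-Z]/[a-z]/' does NOT lowercase - 'y' maps literal
# characters, not ranges - hence tr A-Z a-z above)

#INFORM_SENDER=y  # send alert to sender (complete orig. message)
INFORM_SENDER=h   # send alert to sender (headers only)
INFORM_RCPT=n     # send alert to recipients
BOUNCE=n          # exit with EX_UNAVAILABLE to allow bounce by MTA
# Set only one of INFORM_SENDER or BOUNCE to y, or the sender will
# receive two (non)delivery notifications.
# CAVEAT: any notification to the envelope sender is backscatter whenever
# that address is forged (which is exactly what FAKERS tries to detect).
# INFORM_SENDER=n is the conservative choice on a busy gateway.

FAKERS="(klez|bugbear|tanatos)"  # list of viruses known to forge the sender address
                                 # (egrep pattern, use "|" to separate names;
                                 # this list dates from 2002 - extend as needed)

# $SENDMAIL should be set by avcheck.  Set it here if it is unset OR empty
# (':=' - the original '=' only covered the unset case).
# '-i' keeps a lone "." line in the attached message from ending the input.
: ${SENDMAIL:="/usr/sbin/sendmail -i"}

EX_TEMPFAIL=75     # tell avcheck/MTA to retry later
EX_UNAVAILABLE=69  # tell the MTA to bounce the message
EGREP="grep -E -i" # 'egrep' is deprecated; grep -E is the portable spelling

# Single-quoted so $MAIL is expanded (quoted) when the trap fires, not
# when it is installed; '--' protects against a filename starting with '-'.
trap 'rm -f -- "$MAIL"; exit $EX_TEMPFAIL' 1 2 3 15  # in case of signal
trap 'rm -f -- "$MAIL"' 0                            # cleanup at exit

# oneline STRING
# Print STRING with every CR and LF replaced by a space.  Use this for
# any untrusted or multi-line value that ends up inside a mail header,
# a DSN field or a syslog line - a raw newline there would start a new
# header/field/log entry.
oneline() {
  printf '%s' "$1" | tr '\r\n' '  '
}

MSG1=$(oneline "$MSG")        # single-line scanner message
SENDER1=$(oneline "$SENDER")  # single-line sender for header/log use

################ log to syslog
logger -p mail.warn -t "avcheck[$$]" "infected: from=$SENDER1, to=$*, msg=$MSG1"

# start_alert type [to]
# Emit the headers of a multipart/report notification and its first
# (human-readable) part header.  Sets the global $boundary used by the
# attach_* helpers; all three run inside the same subshell.
# $2, when given, must already be CR/LF-free (see oneline).
# NOTE: the boundary is unique per run (pid + timestamp) but not secret;
# an attached message could in principle contain the same string.
start_alert() {
  boundary="avcheck-$1-$$-$(date '+%Y%m%d%H%M%S')@$HOST"
  if [ -n "$2" ] ; then echo "To: $2"; fi
  echo "From: $FROM
Subject: $1 Virus-alert (sender: $SENDER1)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary=\"$boundary\"

This is a multi-part message in MIME format.

--$boundary
Content-Type: text/plain; charset=@CHARSET@
Content-Description: Notification
"
}

# Attach the complete infected message as message/rfc822 and close the
# multipart.  Only used for the administrator and (INFORM_SENDER=y) the
# sender - this forwards the malware itself.
attach_message() {
  echo "
--$boundary
Content-Type: message/rfc822
Content-Description: Infected message
Content-Disposition: attachment
"
  cat -- "$MAIL"
  echo "
--$boundary--"
}

# Attach only the headers of the infected message and close the multipart.
# The header block ends at the first empty line; this assumes LF line
# endings (a CRLF-terminated message has no line matching /^$/).
attach_message_headers() {
  echo "
--$boundary
Content-Type: message/rfc822-headers
Content-Description: Infected message headers
Content-Disposition: inline
"
  sed '/^$/q' -- "$MAIL"
  echo "
--$boundary--"
}

################ send to administrator
# '-f ""' gives the notification a null return-path so it can never
# bounce back to us.  $VIRUS_ALERT is intentionally unquoted: it may hold
# several admin addresses (see the per-domain example above).
if [ -n "$VIRUS_ALERT" ] ; then
  if ! (
    start_alert Administrator "$VIRUS_ALERT"
    @ADMIN_MSG@
    attach_message
  ) | $SENDMAIL -f "" $VIRUS_ALERT ; then
    # Losing the admin copy is the one failure we do not swallow:
    # ask the MTA to retry instead of dropping the evidence.
    echo "$0: unable to send administrator email" >&2
    exit $EX_TEMPFAIL
  fi
fi # VIRUS_ALERT administrator mail

################ send alert to sender
case "$INFORM_SENDER" in
y|h)
  # Skip list managers, bounce/daemon addresses and the empty sender.
  # (printf instead of echo: a sender such as "-n" must not be eaten.)
  if printf '%s\n' "$SENDER" | $EGREP >/dev/null \
      '(^$|daemon|request|bounce|mailer|postm|owner|lists|words|majordom|experts|\-(return|error))'
  then
    : # do nothing for special sender addresses
  elif sed -e '/^$/q' -- "$MAIL" | $EGREP >/dev/null \
      '^((x-)?(loop|(mailing-)?list(name|member)|mailman)|precedence: (bulk|list|junk))'
  then
    : # do nothing when a mailing-list header is present
  elif printf '%s\n' "$MSG" | $EGREP "$FAKERS" >/dev/null ; then
    : # do nothing for klez-like viruses: the sender is forged anyway
  else
    # really send the sender a virus alert, formatted as a DSN
    if ! (
      start_alert Sender "$SENDER1"
      @SENDER_MSG@
      echo "
--$boundary
Content-Description: Delivery error report
Content-Type: message/delivery-status

Reporting-MTA: dns; $HOST"
      # One per-recipient group per original recipient.  Recipient and
      # scanner text are single-lined: a multi-line $MSG would otherwise
      # break the Diagnostic-Code field (and the whole DSN) apart.
      for i ; do
        echo "
Final-Recipient: rfc822; $(oneline "$i")
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Avcheck; service unavailable. $MSG1"
      done
      if [ "$INFORM_SENDER" = y ] ; then
        attach_message
      else
        attach_message_headers
      fi
    ) | $SENDMAIL -f "" -- "$SENDER" ; then
      # Only warn if it is not possible to send the sender alert: the
      # address may have been forged by the virus.  This is like a bounce:
      # if we can't send it, it should be dropped.  It would be good to
      # capture $SENDMAIL's output and log it as well.
      logger -p mail.warn -t "avcheck[$$]" \
        "unable to send sender ($SENDER1) notification"
      #echo "$0: unable to send sender email" >&2
      #exit $EX_TEMPFAIL
    fi
  fi
  ;;
esac # INFORM_SENDER

################ send alert to recipients
case "$INFORM_RCPT" in
y)
  # Headers only, and no To: header when there are several recipients,
  # so that recipients do not learn about each other.
  if ! (
    if [ $# = 1 ] ; then
      start_alert Recipient "$(oneline "$1")"
    else
      start_alert Recipient
    fi
    @RCPT_MSG@
    attach_message_headers
  ) | $SENDMAIL -f "" -- "$@" ; then
    # The same as with the sender: do not bail out if it isn't possible
    # to send the recipient notification.
    logger -p mail.warn -t "avcheck[$$]" "unable to send recipient notification"
    #echo "$0: unable to send recipient email" >&2
    #exit $EX_TEMPFAIL
  fi
  ;;
esac # INFORM_RCPT

case "$BOUNCE" in
y)
  # bounce the message back using the standard MTA bounce feature;
  # the text on stderr is what the MTA puts into its bounce.
  echo "Message didn't pass the virus check: $MSG" >&2
  exit $EX_UNAVAILABLE
  ;;
esac

# normal exit, do not bounce it back: in case of content_filter,
# mail will be discarded.
exit 0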