[Mail]
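Question about quarantine-attachments blocking the password emails sent back by the 《传奇》 (Legend of Mir) game server
Recently my qmail scanner keeps intercepting the password emails sent by the 《传奇》 server as if they were viruses.
How should I change the contents of quarantine-attachments.txt to stop these emails from being blocked?
The notification sent to the administrator for a blocked email is as follows: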
Attention: service@mails.shanda.com.cn
A problem was found in an Email message you sent.
This Email scanner intercepted it and stopped the entire message
reaching its destination.
The problem was reported to be:
Disallowed breakage found in header name - potential virus
Please contact your I.T support personnel with any queries regarding this
policy.
Your message was sent with the following envelope:
MAIL FROM: service@mails.shanda.com.cn
RCPT TO: ab@s.com.cn
... and with the following headers:
---
MAILFROM: service@mails.shanda.com.cn
Received: from unknown (HELO mails.shanda.com.cn) (61.172.242.14)
by 0 with SMTP; 8 Dec 2003 14:50:44 -0000
Received: (qmail 16247 invoked from network); 8 Dec 2003 14:44:56 -0000
Received: from unknown (HELO 61.172.242.14) (61.151.255.11)
by mails.shanda.com.cn with SMTP; 8 Dec 2003 14:44:56 -0000
Mime-Version: 1.0
Content-Type: Text/HTML;charset=GB2312
Date: Mon, 08 Dec 03 14:46:42 GMT
From: 盛大客服<service@mails.shanda.com.cn>
To: <ab@s.com.cn>
Reply-To: service@mails.shanda.com.cn
cc :
Subject: 您取回的《传奇》帐号和密码
X-Mailer:
---
The original message is kept in:
hr09:/var/spool/qmailscan/quarantine
where the System Anti-Virus Administrator can further diagnose it.
The Email scanner reported the following when it scanned that message:
---
---perlscanner results ---
problem 'Disallowed breakage found in header name - potential virus' found in message
---
The contents of my quarantine-attachments.txt:
[root@mail1 qmailscan]# cat quarantine-attachments.txt
# Sample of well-known viruses that perlscan_scanner can use
#
# This is case-insensitive, and TAB-delimited.
#
# ******
# REMEMBER: run /var/qmail/bin/qmail-scanner-queue.pl -g after
# this file is modified
# ******
#
# Format: three columns
#
# filename<TAB>size (in bytes)<TAB>Description of virus/whatever
#
# OR:
#
# string<TAB>Header<TAB>Description of virus/whatever
#
# [this one allows you to match on (e.g.) Subject line.
#
# NOTE 1: This is the crudest "virus scanning" you can do - we are
# arbitrarily deciding that particular filenames of certain sizes contain
# viruses - when they may not. However this can be useful for the times
# when a new virus is discovered and your scanner cannot detect it (yet).
#
# NOTE 2: This is only good for picking up stand-alone viruses like the
# following. Macro viruses are impossible to detect with this method as
# they infect users docs.
#
# NOTE 3: Wildcards are supported. This system can also be used to deny
# Email containing "bad" extensions (e.g. .exe, .mp3, etc). No other
# wildcard type is supported. Be very careful with this feature. With
# wildcards, the size field is ignored (i.e. any size matches).
#
# .exe 0 Executable attachment too large
#
# That would ban .EXE files from your site (but would
# still allow .zip files...
#
# .mp3 0 MP3 attachments disallowed
#
# ...would stop any Email containing MP3 attachments passing.
#
# NOTE 4: No you can't use this to ban any file (i.e. *.*) that's over
# a certain size - you should
# "echo 10000000 > /var/qmail/control/databytes"
# to set the maximum SMTP message size to 10Mb.
#
# NOTE 5: The second option allows you to match on header. This would allow
# you to block Email viruses when you don't know anything else other than
# there's a wierd Subject line (or From line, or X-Spanska: header, ...).
# Note that it's a case-sensitive, REGEX string, and the system will
# automatically surround it with ^ and $ before matching. i.e. if you
# want wildcards, explicitly put them in...
#
# The string _must_be_ "Virus-" followed by the header you wish to match
# on - followed by a colon (:).
#
# e.g.
#
# Pickles.*Breakfast Virus-Subject: Fake Example Pickles virus
#
# will match "Subject: Pickles for Breakfast" - and
# not "Subject: Pickles - where did you go?"
#
#
# NOTE 6: Similar to the headers option, you can match on the mail ENVELOPE
# headers - i.e. "MAIL FROM:" and "RCPT TO:". These are identical to
# Virus-<header>, except that the header names are MAILFROM and RCPTTO only.
#
# e.g.
#
# bogus@address.here Virus-MAILFROM: Bad mail envelope not allowed here!
#
# NOTE 7: Another "faked" header - "Virus-TCPREMOTEIP" can be used to match
# actions against the IP address of the SMTP client.
#
EICAR.COM 69 EICAR Test Virus
Happy99.exe 10000 Happy99 Trojan
zipped_files.exe 120495 W32/ExploreZip.worm.pak virus
ILOVEYOU Virus-Subject: Love Letter Virus/Trojan
message/partial.* Virus-Content-Type: Message/partial MIME attachments blocked by policy
#The following matches Date: headers that are over 100 chars in length
#these are impossible in the wild
.{100,} Virus-Date: MIME Header Buffer Overflow
.{100,} Virus-Mime-Version: MIME Header Buffer Overflow
.{100,} Virus-Resent-Date: MIME Header Buffer Overflow
#
#Let's stop that nasty BadTrans virus from uploading your keystrokes...
ZVDOHYIK@yahoo.com|udtzqccc@yahoo.com|DTCELACB@yahoo.com|I1MCH2TH@yahoo.com|WPADJQ12@yahoo.com|smr@eurosport.com|bgnd2@canada.com|muwripa@fairesuivre.com|eccles@ballsy.net|S_Mentis@mail-x-change.com|YJPFJTGZ@excite.com|JGQZCD@excite.com|XHZJ3@excite.com|OZUNYLRL@excite.com|tsnlqd@excite.com|cxkawog@krovatka.net|ssdn@myrealbox.com Virus-To: BadTrans Trojan exploit!
#
# These are examples of prudent defaults to set for most sites.
# Commented out by default
#.vbs 0 VBS files not allowed per Company security policy
#.lnk 0 LNK files not allowed per Company security policy
#.scr 0 SCR files not allowed per Company security policy
#.wsh 0 WSH files not allowed per Company security policy
#.hta 0 HTA files not allowed per Company security policy
#.pif 0 PIF files not allowed per Company security policy
911.jpg 0 911 jpg file
# ******
# REMEMBER: run /var/qmail/bin/qmail-scanner-queue.pl -g after
# this file is modified
# ******
#
# EOF
Thanks!
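
Added example (not part of the original post and not qmail-scanner's own code): a Python script that applies `Virus-<Header>:` rules in the format described by the file's comments to the headers from the quarantine report, and separately checks each header name against RFC 5322 field-name syntax. The rule subset and function names are constructed for illustration, and treating "breakage in header name" as a field-name syntax problem is an assumption.

```python
import re

# Constructed input: a subset of the active header rules from the file above,
# TAB-delimited as its comments describe (pattern, Virus-<Header>:, description).
RULES = ("ILOVEYOU\tVirus-Subject:\tLove Letter Virus/Trojan\n"
         "message/partial.*\tVirus-Content-Type:\tMessage/partial blocked\n"
         ".{100,}\tVirus-Date:\tMIME Header Buffer Overflow\n"
         ".{100,}\tVirus-Mime-Version:\tMIME Header Buffer Overflow\n")

# Headers copied from the quarantine report above (Received lines omitted).
HEADERS = """MAILFROM: service@mails.shanda.com.cn
Mime-Version: 1.0
Content-Type: Text/HTML;charset=GB2312
Date: Mon, 08 Dec 03 14:46:42 GMT
Reply-To: service@mails.shanda.com.cn
cc :
Subject: 您取回的《传奇》帐号和密码
X-Mailer:
"""

def parse_header_rules(text):
    """Return (header, regex, description) for every Virus-<Header>: rule."""
    rules = []
    for line in text.splitlines():
        cols = line.split("\t")
        if line.startswith("#") or len(cols) != 3 or not cols[1].startswith("Virus-"):
            continue
        # NOTE 5 in the file: the pattern is case-sensitive and anchored with ^ and $.
        rules.append((cols[1][6:].rstrip(":"), re.compile("^(?:%s)$" % cols[0]), cols[2]))
    return rules

def split_headers(text):
    """Split unfolded header lines at the first colon, keeping the raw name."""
    pairs = (line.partition(":") for line in text.splitlines() if line[:1] not in " \t")
    return [(name, value.strip()) for name, sep, value in pairs if sep]

def rule_hits(rules, headers):
    """Descriptions of the rules whose header and pattern match a header line."""
    return [desc for name, value in headers for hdr, rx, desc in rules
            if name.strip().lower() == hdr.lower() and rx.search(value)]

# RFC 5322 field name: printable ASCII other than ':', directly before the colon.
FIELD_NAME = re.compile(r"^[\x21-\x39\x3b-\x7e]+$")

def malformed_names(headers):
    """Raw header names that are not a valid field name (e.g. space before ':')."""
    return [name for name, _ in headers if not FIELD_NAME.match(name)]

if __name__ == "__main__":
    hdrs = split_headers(HEADERS)
    print("rule hits:", rule_hits(parse_header_rules(RULES), hdrs))
    print("malformed header names:", malformed_names(hdrs))
```

On the quoted report none of these rules match, while `cc :` is the only header whose name fails the field-name check.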