Virus Sent From My Subnet

Julian Field mailscanner at ecs.soton.ac.uk
Fri Sep 20 19:12:23 IST 2002


Would adding the IP address to the contents of the virus notice do the job?
Then you can just filter all messages containing an IP address you own into
another mailbox. That should be an easy change. Here are patches for V4 and
the latest V3 (though you should be able to apply it to pretty old versions
too).

The patch for V4 is this:

--- Message.pm.old      Fri Sep 20 08:55:05 2002
+++ Message.pm  Fri Sep 20 19:17:10 2002
@@ -1484,15 +1484,17 @@
    my $to   = join(', ', @{$this->{to}});
    my $subj = $this->{subject};
    my $rept = join('   Report: ', values %{$this->{allreports}});
+  my $ip   = $this->{clientip};

    my($result, $headers);

    $result = "\n" .
-            "   Sender: $from\n" .
-            "Recipient: $to\n" .
-            "  Subject: $subj\n" .
-            "MessageID: $id\n" .
-            "   Report: $rept\n";
+            "    Sender: $from\n" .
+            "IP Address: $ip\n" .
+            " Recipient: $to\n" .
+            "   Subject: $subj\n" .
+            " MessageID: $id\n" .
+            "    Report: $rept\n";

    if (MailScanner::Config::Value('noticefullheaders', $this)) {
      $headers = join("\n ", @{$this->{headers}});

And the patch for V3 is this:

--- sendmail.pl.old     Wed Aug 28 14:17:22 2002
+++ sendmail.pl Fri Sep 20 19:19:53 2002
@@ -1394,11 +1394,12 @@

      print SENDMAIL <<EONOTE2;

-   Sender: $from
-Recipient: $to
-  Subject: $subject
-MessageID: $id
-   Report: $report
+    Sender: $from
+IP address: $relay
+ Recipient: $to
+   Subject: $subject
+ MessageID: $id
+    Report: $report
  EONOTE2
      $counter++;
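Review bot: the label here is `IP address: $relay` while the V4 hunk uses `IP Address:`; pick one spelling so a single filter rule matches notices from either version. The hunk does not show where `$relay` is assigned, so confirm it carries the connecting client's address rather than an upstream relay name, otherwise the subnet match the notice is meant to support will not work. Also, the `EONOTE2` terminator appears indented by one space after the diff prefix; if that space is really in the file rather than an artifact of the mail archive, Perl will not recognise the end of the here-document and the `$counter++;` line will be swallowed into the notice text.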


At 18:56 20/09/2002, you wrote:
>W32/Klez.H@mm is getting to be a real pain.
>
>I understand it lies about the email address it comes from for its own
>protection.  I wondered if there is a way to have MailScanner send me an
>alert every time a certain virus (this one in particular) originates from an
>IP in my subnet.  That way, even if it lied about the email address I could
>look up in my logs to see who had that IP and tell them to clean their
>system.
>
>Another way that could work.
>
>"Warning: E-mail viruses detected"  could be changed to: "Warning: E-mail
>viruses detected *local-origin*"
>
>Is that viable?
>
>Matthew H

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
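As an added example, not part of this thread and not MailScanner code, here is the mailbox-side half of what Julian proposes, in Python: it pulls the `IP Address:` line out of a notice in the patched layout, checks the address against the subnets you own, and appends the `*local-origin*` subject marker Matthew asked for. The subnets, the sample notice and the function names are constructed assumptions; replace `LOCAL_NETWORKS` with your real ranges.

```python
import ipaddress
import re

# Assumption: the networks you own. The two documentation ranges below are
# constructed placeholders and must be replaced with your real subnets.
LOCAL_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample notice in the layout the V4 patch above produces.
SAMPLE_NOTICE = """\
    Sender: bogus-sender@example.com
IP Address: 192.0.2.45
 Recipient: postmaster@example.com
   Subject: Hi there
 MessageID: g8KJ0example
    Report: Found virus W32/Klez.H@mm
"""

# Matches "IP Address:" (V4 patch) and "IP address:" (V3 patch); tolerates an
# address wrapped in [] as some MTAs log it, and IPv6 as well as IPv4.
IP_LINE = re.compile(
    r"^\s*IP\s+address:\s*\[?([^\]\s]+)\]?\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def extract_client_ip(notice_text):
    """Return the client address from a notice as an ipaddress object, or None."""
    match = IP_LINE.search(notice_text)
    if match is None:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:  # label present but the value is not a usable address
        return None


def is_local_origin(ip, networks=LOCAL_NETWORKS):
    """True when the address falls inside one of the subnets we own."""
    # ip_network membership returns False across IPv4/IPv6, so mixing is safe.
    return ip is not None and any(ip in net for net in networks)


def classify_notice(notice_text, networks=LOCAL_NETWORKS):
    """Label a notice as local-origin, external-origin or unknown-origin."""
    ip = extract_client_ip(notice_text)
    if ip is None:
        return "unknown-origin"
    return "local-origin" if is_local_origin(ip, networks) else "external-origin"


def tagged_subject(subject, notice_text, networks=LOCAL_NETWORKS):
    """Append the *local-origin* marker Matthew proposed when the notice qualifies."""
    if classify_notice(notice_text, networks) == "local-origin":
        return subject + " *local-origin*"
    return subject


if __name__ == "__main__":
    print(classify_notice(SAMPLE_NOTICE))
    print(tagged_subject("Warning: E-mail viruses detected", SAMPLE_NOTICE))
```

A notice with no IP line, or with an unparseable value, is deliberately left as `unknown-origin` rather than dropped, so a broken or unpatched notice still lands somewhere you will see it; the subnet match is what tells you which machine to go and look up in your DHCP or switch logs.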
