Virus epidemic, 11,000 messages waiting! (Script)

Alex Neuman alex at nkpanama.com
Wed Jun 16 00:53:18 IST 2004


You could use Vispan, with a very high threshold (say, 50 messages per hour
with the same virus from the same IP) if you're paranoid. That way if you
get more than 50 viruses from the same IP within an hour, the IP gets
blocked in the access file.

I'm somewhat of a BOFH, so I set it on my own server to a lower number. Also
you can set the error message to a "450" error so that legit mail gets
resent after a while.

I believe there's an option within MailScanner called IPBlock.pm you could
also use for the same purpose, although Vispan is easy to get going.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Max Kipness
Sent: Tuesday, June 15, 2004 6:26 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Virus epidemic, 11,000 messages waiting! (Script)

Thanks to everybody for the suggestions. With the pointers I read from
everyone, I ended up writing this script. It seemed to work, so if
anybody ever has the issue, here it is:

#!/usr/bin/perl
use strict;
use warnings;

# Mail addressed to this recipient will be deleted from inbound queue
my $recipient = 'user@domain.com';
my $queue     = '/var/spool/mqueue.in';
my $cnt       = 0;

opendir(DIR, $queue)
        or die ("Cannot read dir: $!\n");

while (my $message = readdir(DIR)) {

        # Only control files (qf<id>); the matching body file is df<id>
        next unless $message =~ /^qf(.+)$/;
        my $id      = $1;
        my $qf_file = $message;
        my $df_file = "df$id";

        open (MSG, "$queue/$qf_file")
                        or die ("Cannot open message: $!");

        while (<MSG>) {

                # \Q..\E keeps the dots in the address from acting as wildcards
                if (/RPFD:<\Q$recipient\E>/) {

                        unlink ("$queue/$qf_file");
                        unlink ("$queue/$df_file");
                        $cnt++;
                        last;   # count each message once, stop reading the deleted file

                }
        }
        close (MSG);
}
closedir(DIR);

print "Deleted Total: $cnt\n";

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
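
Added example, not part of either post and not Vispan's or MailScanner's code: a sketch of the thresholding idea from the reply above (same virus, same IP, more than N hits inside one hour, then a temporary 450 entry for the access file). The input format, the sub name offenders, the demo threshold of 3 and the rejection text are assumptions made for illustration; the output lines assume a sendmail-style access map.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $THRESHOLD = 3;      # demo value; the reply suggests 50 as a cautious setting
my $WINDOW    = 3600;   # one hour, in seconds

# Constructed sample detections: "epoch-seconds relay-IP virus-name".
# This is NOT the log format of MailScanner or Vispan.
my @detections = (
    '1087340000 192.0.2.10 Netsky.P',   '1087340600 192.0.2.10 Netsky.P',
    '1087341200 192.0.2.10 Netsky.P',   '1087341800 192.0.2.10 Netsky.P',
    '1087340000 198.51.100.7 Netsky.P', '1087342000 198.51.100.7 Netsky.P',
    '1087344000 198.51.100.7 Netsky.P', '1087346000 198.51.100.7 Netsky.P',
    '1087340100 203.0.113.5 Netsky.P',  '1087340200 203.0.113.5 Bagle.Z',
    '1087340300 203.0.113.5 Netsky.P',  '1087340400 203.0.113.5 Bagle.Z',
    'garbage line that must be ignored',
);

# Return (ip => virus) for every IP that sent more than $threshold copies
# of the same virus within any $window-second span.
sub offenders {
    my ($threshold, $window, @lines) = @_;
    # Keep only well-formed records; only IPv4 literals may reach the access file.
    my @events = sort { $a->[0] <=> $b->[0] }
                 grep { @$_ == 3 && $_->[0] =~ /^\d+$/
                        && $_->[1] =~ /^\d{1,3}(?:\.\d{1,3}){3}$/ }
                 map  { [ split ' ' ] } @lines;
    my (%seen, %blocked);
    for my $ev (@events) {
        my ($ts, $ip, $virus) = @$ev;
        my $hits = $seen{"$ip $virus"} ||= [];
        push @$hits, $ts;
        # Slide the window: forget hits that are an hour old or more.
        shift @$hits while $hits->[0] <= $ts - $window;
        $blocked{$ip} = $virus if @$hits > $threshold;
    }
    return %blocked;
}

my %blocked = offenders($THRESHOLD, $WINDOW, @detections);
for my $ip (sort keys %blocked) {
    # A 4xx reply is a temporary failure, so a legitimate sender queues and retries.
    print "$ip\tERROR:450 Too many viruses ($blocked{$ip}) from your host, try again later\n";
}
```

With the sample data only 192.0.2.10 is listed: 198.51.100.7 sends the same count spread over more than an hour, and 203.0.113.5 splits its hits between two different viruses.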
