[PLUG] stopping outgoing virus mail

AthlonRob athlonrob at axpr.net
Mon Mar 17 13:50:02 UTC 2003


On Mon, 2003-03-17 at 12:13, Carla Schroder wrote:
> I'm trying to figure out a way to block outgoing email generated by a virus. 
> The idea is to stop it before it gets out into the world, and log the 
> activity for when the admin arrives to work refreshed and alert after an 
> unbroken night's sleep. 
> 
> I don't even know if it's possible, anyone have any brilliant ideas? The usual 
> virus-scanners check both incoming and outgoing mail, I'm looking for a way 
> to do it with iptables rules or procmail or something similar. Don't even let it 
> past the firewall. Seems like there ought to be something to base a generic 
> ruleset on. 

You can't well block outgoing viruses with iptables unless you write
some code to capture and reconstruct SMTP packets, then scan the
reconstructed mail for viruses...

I thought procmail was for local mail delivery?

Use AMaViS.  I'm pretty sure you can specify you don't want it scanning
incoming email (but why not?).  If you're working for a nonprofit
organization, you can use it in conjunction with F-Prot for free. 
Otherwise, you might need to buy some AV software.

Whenever a virus-ridden email comes through my server, incoming or
outgoing, everybody involved is notified.  The sender is emailed saying
they sent a virus, the recipient is notified saying somebody tried to
send them a virus (and as a result, the email wasn't delivered), and the
postmaster is notified, saying somebody tried to send a virus through my
system.

Rob
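
Added example, not part of the original post: a Python sketch of why the reply says a packet filter would first have to reconstruct the SMTP stream before scanning. The marker string, addresses, segment size and all function names are constructed for illustration; a real scanner such as AMaViS hands the decoded parts to an antivirus engine instead of doing a substring match.

```python
import base64
from email import message_from_bytes

# Constructed marker standing in for an antivirus signature (assumption).
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"

def build_message(payload: bytes) -> bytes:
    """Constructed sample: a MIME mail carrying `payload` as a base64 attachment."""
    b64 = base64.encodebytes(payload).decode().replace("\n", "\r\n")
    return (
        "From: a@example.org\r\nTo: b@example.org\r\nSubject: test\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n'
        "--XX\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
        "--XX\r\nContent-Type: application/octet-stream\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\n"
        + b64 + "--XX--\r\n"
    ).encode()

def segment(stream: bytes, size: int):
    """Split a byte stream into (offset, data) pairs, like TCP segments."""
    return [(off, stream[off:off + size]) for off in range(0, len(stream), size)]

def per_packet_match(segments) -> bool:
    """What a stateless per-packet rule sees: each segment on its own."""
    return any(SIGNATURE in data for _, data in segments)

def reassemble(segments) -> bytes:
    """Order segments by offset and join them (no retransmit/overlap handling)."""
    return b"".join(data for _, data in sorted(segments))

def scan_message(raw: bytes) -> bool:
    """Decode every MIME part, then look for the marker in the decoded bytes."""
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""
        if SIGNATURE in body:
            return True
    return False

if __name__ == "__main__":
    raw = build_message(b"junk " + SIGNATURE + b" junk")
    segs = list(reversed(segment(raw, 64)))       # arrives out of order
    print("per-packet match:", per_packet_match(segs))
    print("raw stream match:", SIGNATURE in reassemble(segs))
    print("decoded MIME match:", scan_message(reassemble(segs)))
```

The per-packet and raw-stream checks both miss the marker because the attachment is base64-encoded on the wire; only the reassembled and MIME-decoded message exposes it, which is the work a mail-level scanner does on the server.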