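divert(-1)
#
# Copyright (c) 2003, 2004 Victor Ustugov
# This hack is under BSD License
# Redistributions of source code must retain the above copyright notice
#
# hacks discussion mailing list - http://www.mta.org.ua/mailman/listinfo/sendmail-conf
#
#
# Miscellaneous checks
#
divert(0)
VERSIONID(`$Id: check_misc.m4,v 8.12-0.01 2003/09/12 09:46:32 corvax Exp $')dnl
divert(-1)
dnl
HACK(`check_ip')dnl
dnl
dnl
LOCAL_CONFIG
dnl
dnl
#
# Map definitions for the Content-Type checks of this hack.
# On each regex map the -a string is the marker produced by a match
# and -f makes the match case-insensitive. None of the patterns is
# anchored, so each one matches anywhere in the value it is given.
#
#
# Regular expression to reject SirCam worm
#
KSirCamWormMarker regex -f -a@SUSPECT multipart/mixed;.*boundary=----.+_Outlook_Express_message_boundary
#
# Nimda boundary marker. No -f flag here, so the match is case-sensitive
# and only lower-case letters and digits are accepted between ABC and DEF.
#
Knimda regex -a@MATCH ====_ABC[a-z0-9]+DEF_====
#
# Regular expression to reject Content-Type field with "#" in boundary
#
KSpamContentType0 regex -f -a@SPAM multipart/alternative;.*boundary=\#+
#
# Regular expression to reject Content-Type field as shown:
# Content-Type: multipart/alternative; charset=koi8-r;boundary="----=_NextPart_551B6J0D8GGLA593A4K__6I8J"
# Content-Type: multipart/mixed; charset=Windows-1251;boundary="----=_NextPart_A9707EH76230DE2G28B1CL75H"
#
# NOTE(review): the ----=_NextPart_ prefix also appears in boundaries written
# by ordinary Microsoft mail clients; what this pattern adds is a charset
# parameter ahead of the boundary. Watch the logs for wanted mail rejected here.
#
KSpamContentType1 regex -f -a@SPAM multipart/[A-Za-z]+;.*charset="?[0-9A-Za-z-]+"?;.*boundary="?----=_NextPart_
#
# Regular expression to reject Content-Type field as shown:
# Content-Type: text/plain; charset="%Encoding"
#
KSpamContentType2 regex -f -a@SPAM text/plain;.*charset="?%Encoding"?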
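# SpamContentType tries the three SpamContentTypeN maps in the order listed.
KSpamContentType sequence SpamContentType0 SpamContentType1 SpamContentType2
# myquote removes quoting from its argument; -s: puts a colon where a space was.
Kmyquote dequote -s:
dnl
dnl
LOCAL_RULESETS
dnl
dnl
#
# Content-Type check. The $>+ form hands the header value to the ruleset
# with RFC 2822 comments left in place.
# In every rule the pattern, the action and the optional trailing comment
# are separated by tab characters.
#
HContent-Type: $>+Check_Content_Type
dnl
SCheck_Content_Type
dnl
# Fixed malformed values.
R text/html; charset="windows-1251"; charset=windows-1251	$#error $@ 5.7.1 $: "554 Malformed header"
R $+ charset="%Encoding"	$#error $@ 5.7.1 $: "554 Malformed header"
R $+ boundary= "\#MYBOUNDARY\#"	$#error $@ 5.7.1 $: "554 Malformed header"
# NOTE(review): the next rule is read as disabled by its m4 comment prefix.
# This page lost its line breaks, so confirm that reading against the
# upstream file. Msg_Feedback is not set anywhere in this file.
dnl R @SUSPECT	$#error $@ 5.7.1 $: "554 Possible virus, see http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html" - ${Msg_Feedback}
# Fixed boundary strings, each tied to a worm name by its error text,
# plus a doubled semicolon treated as a mangled header.
R $+ boundary=L1db82sd319dm2ns0f4383dhG	$#error $@ 5.7.1 $: "554 I-Worm.Frethem.l virus"
R $* boundary= "bound" $*	$#error $@ 5.7.1 $: "554 Virus Win32.Aliz"
R $* boundary="NextPart_000235"	$#error $@ 5.7.1 $: "554 Virus Win32.HLLM.Gibe"
R $* boundary="Boundary-a8dfidaoRadvfuck"	$#error $@ 5.7.1 $: "554 Virus Win32.Fbound.12288"
R $* ;; $*	$#error $@ 5.7.1 $: "554 Mangled header"
R $+ boundary="====_ABC1234567890DEF_===="	$#error $@ 5.7.1 $: "554 Possible NIMDA.worm"
R $* boundary="bound" $*	$#error $@ 5.7.1 $: "554 Virus Win32.Aliz"
# NOTE(review): the first of the next two rules is read as disabled by its
# m4 comment prefix (inferred, confirm upstream). SpamMsg is not set in this
# file, so the active rule depends on a value supplied elsewhere.
dnl R $* boundary=AD_2000_PART_BOUNDARY_19990606	$#error $: 553 ${SpamMsg}
R $* boundary=WC_MAIL_PaRt_BoUnDaRy_05151998	$#error $: 553 ${SpamMsg}
# Run the value through the SpamContentType maps; a hit leaves @SPAM.
R $+	$: $(SpamContentType $1 $: $1 $)
R @SPAM	$#error $: 553 Header Error
# NOTE(review): no rule after this lookup tests for @SUSPECT, so a
# SirCamWormMarker hit does not reject the message in this ruleset. The only
# @SUSPECT test sits above the lookup and is read as disabled.
R $+	$: $(SirCamWormMarker $1 $: $1 $)
R $* boundary= "-_-_-_-_-_1234567890" $*	$#error $@ 5.7.1 $: "550 Header Error"	spam boundary
# Unquote the boundary value, then test it against the nimda map.
R $* boundary= $*	$: $1 boundary= $(myquote $2 $)	dequote
#R $* boundary= $* : Multipart : Boundary : $+	$#error $@ 5.7.1 $: "550 Header Error"	spam boundary
R $* boundary= $+	$: $(nimda $2 $: $1 boundary= $2 $)
R @MATCH	$#error $@ 5.7.1 $: "554 Virus Nimda/Badtrans"
#
# X-Originating-IP check. The address is reduced to a bracketed dotted quad
# and passed to the CheckIP ruleset, presumably the one provided by the
# check_ip hack loaded at the top of this file. An error result from CheckIP
# is returned as is; any other result restores the original value.
# NOTE(review): this header is written by the sending side and is not
# authenticated. It can be forged or left out, so a CheckIP result here is a
# heuristic and not a statement about the connecting host.
#
HX-Originating-IP: $>+CheckXOrigIP
dnl
SCheckXOrigIP
dnl
R $-.$-.$-.$-	$: [$1.$2.$3.$4]	enclose standalone IP
R $* [$-.$-.$-.$-, $+] $*	$: [$2.$3.$4.$5]	strip extra data
R $*	$: $1 $| $>"CheckIP" $1
R $* $| $#$*	$#$2
R $* $| $*	$: $1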
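#
# Content-Disposition check. A single token, or a single token followed by
# a semicolon and parameters, is accepted. The literal value
# "Multipart message" gets the SirCam text and every other value is rejected.
# In every rule the pattern, the action and the optional trailing comment
# are separated by tab characters.
# Msg_Feedback is not set anywhere in this file.
#
HContent-Disposition: $>Check_Content_Disposition
dnl
SCheck_Content_Disposition
dnl
R $-	$@ OK
R $- ; $+	$@ OK
R Multipart message	$#error $: "553 Possible virus, see http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html" - ${Msg_Feedback}
R $*	$#error $: "553 Illegal Content-Disposition"
#
# X-MimeOLE check.
# NOTE(review): this header is bound with $> and not $>+, so sendmail strips
# RFC 2822 comments from the value before the ruleset sees it. Confirm that
# the parenthesised (null) in the pattern still reaches the rule.
#
HX-MimeOLE: $>Check_X_MimeOLE
dnl
SCheck_X_MimeOLE
dnl
R Produced By Microsoft MimeOLE V(null).$*	$#error $: 553 Bogus X-MimeOLE - ${Msg_Feedback}
# Any message that carries an X-Spanska header is rejected, whatever its value.
HX-Spanska: $>Spanska
dnl
SSpanska
dnl
# Happy99 worm detection (done in Spanska)
# See http://www.datafellows.com/v-descs/love.htm
R $*	$#error $: 553 Your system is probably infected by the Happy99 worm; see http://www.symantec.com/avcenter/venc/data/happy99.worm.html - ${Msg_Feedback}
dnl
#
# Sender header check: rejects a value ending in an empty <> address and
# a value that starts with the token EmailSender.
# NOTE(review): the binding below is read as active, with the m4 comment
# marker before it standing on a line of its own as it does around the
# other rulesets. The page lost its line breaks, so confirm upstream.
#
HSender: $>CheckSender
dnl
SCheckSender
dnl
R $* <>	$#error $@ 5.7.1 $: "554 Illegal Sender"
R EmailSender $*	$#error $@ 5.7.1 $: "554 Filtered"
#
# The CheckMList block below is read as fully disabled: both header bindings,
# the ruleset name and all four rules carry the m4 comment prefix.
#
dnl HX-MDMailing-List: $>CheckMList
dnl HX-MDaemon-Deliver-To: $>CheckMList
dnl
dnl
dnl # refuse MDaemon which presents null mail from <>
dnl SCheckMList
dnl
dnl
dnl R spam @ $+	$#error $@ 5.7.1 $: "554 Spam is blocked"
dnl R $*	$: $1 $| < $&f >	check envelope-from
dnl R $* $| < >	$#error $@ 5.7.1 $: "553 Envelope-from required"
dnl R $* $| <$*>	$: $1
#
# Headers whose mere presence rejects the message through BanBulk.
# The underscore spellings X_Mailer and Reply_to are as given in the source;
# the standard X-Mailer and Reply-To headers are not bound here.
# NOTE(review): BanBulk ignores the header value, so any legitimate software
# that emits one of these names is blocked as well. X-PMFLAGS is believed to
# be written by the Pegasus Mail client; check the logs before relying on it.
#
HX_Mailer: $>BanBulk
HX-Precedence-Ref: $>BanBulk
# X-Bulkmail used by sf-news@securityfocus.com :(
#HX-Bulkmail: $>BanBulk
HX-RECEIVED-IP: $>BanBulk
HX-Encoding: $>BanBulk
HReply_to: $>BanBulk
HX-: $>BanBulk
HX-X: $>BanBulk
H1: $>BanBulk
H2: $>BanBulk
H3: $>BanBulk
H4: $>BanBulk
HX-NaTegUtuIdi: $>BanBulk
HX-NaTegIdiNa: $>BanBulk
HX-Advertisement: $>BanBulk
HX-PMFLAGS: $>BanBulk
HX-AD2000-Register: $>BanBulk
HX-AD2000-Serial: $>BanBulk
dnl
SBanBulk
dnl
# R $*	$#error $: 553 ${SpamMsg}
R $*	$#error $@ 5.7.1 $: "554 Spam is blocked"
dnl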