Auto-reject mail from virus/worm-infected IPs via the sendmail access list

MailScanner is good at filtering out emails with attached worms and viruses. However, it does this at the cost of a high server CPU load when a single infected host suddenly starts bombarding the server with auto-generated mail, because every message still has to be scanned before it is dropped.

The most recent one causing havoc is Nyxem.E (aliases: Email-Worm.Win32.Nyxem.e, Kama Sutra, W32/MyWife.d@MM), which is set to execute on the third of each month (e.g. February 3, 2006).

Here is a quick write-up of what I have done to automatically reject mail from IPs that are generating these rogue emails: MailScanner's virus notices are collected in a mailbox, an hourly cron job counts the sending IPs in them, and any IP seen more than a threshold number of times is added to the sendmail access list with a REJECT action, so sendmail refuses the connection before MailScanner ever sees the message.

This setup has been used on Linux servers with Ensim installed, but it should be usable elsewhere as well.

  1. Requirements: MailScanner, Procmail, Sendmail, SquirrelMail
  2. In "/etc/MailScanner/MailScanner.conf", check that the administrator receives notices (this is the default unless you have changed it). The notices go to the address set in "Notices To", which is postmaster by default and normally aliases to root:
    Send Notices = yes
    
  3. Forward root's mail to a user account in "/etc/aliases" and rebuild the aliases database by running `newaliases`, if you don't already have it set up that way:
    root: user@domain.tld
    
  4. Set up a procmail filter for that user in "/home/virtual/domain.tld/home/user/.procmailrc" as below. MAILDIR is assumed to be ~/mail here so that the "Virus" mbox lands where the IMAP server and the cron script in step 6 expect it; adjust it if your folders live elsewhere.
    # Deliver MailScanner virus notices into the "Virus" mbox.
    # Assumption: mail folders live under ~/mail (Ensim layout); without this
    # line procmail would write "Virus" into $HOME instead.
    MAILDIR=$HOME/mail
    :0:
    * ^Subject:.*(Virus\?|Warning: E-mail viruses detected)
    Virus
    
  5. Create a "Virus" folder for the user from within SquirrelMail, so the mbox exists and you can inspect the notices in webmail.
  6. Put the "sendmail_reject.sh" script below in "/etc/cron.hourly" and make it executable (chmod 755).
    #!/bin/bash
    # sendmail_reject.sh
    # Hourly: count the sending IPs in the MailScanner virus notices collected
    # in the user's "Virus" mbox and add any IP seen MAX_COUNT or more times
    # to the sendmail access list as REJECT.
    
    ## Change variables as appropriate
    FIELD='IP Address:'
    VIRUS_EMAIL_FILE=/home/virtual/domain.tld/home/user/mail/Virus
    EMAIL_ACCESS_FILE=/etc/mail/access
    MAX_COUNT=5
    
    ## Nothing to change below
    
    # Private temp file: a fixed name under /tmp could be pre-created or
    # symlinked by a local user and the script runs as root from cron.
    TMP_VIRUS_IP_FILE=$(/bin/mktemp /tmp/virus_ip.XXXXXX) || exit 1
    trap 'rm -f "$TMP_VIRUS_IP_FILE"' EXIT
    
    # Hold procmail's lock on the mbox (":0:" uses Virus.lock) so a notice
    # being delivered right now is not lost when the file is truncated below.
    /usr/bin/lockfile -r 5 "${VIRUS_EMAIL_FILE}.lock" || exit 1
    
    # "IP Address: 1.2.3.4" -> "1.2.3.4", one line per notice, then count
    # how often each IP appears.
    /bin/grep "${FIELD}" "$VIRUS_EMAIL_FILE" | /usr/bin/tr -d ' ' | \
      /bin/awk -F : '{print $2}' | sort | uniq -c > "$TMP_VIRUS_IP_FILE"
    
    # IPs whose count reached the threshold. 127.0.0.1 is skipped so that
    # infected mail injected locally can never get the server to block itself.
    IP=$(awk -v max="$MAX_COUNT" '$1 >= max && $2 != "127.0.0.1" {print $2}' "$TMP_VIRUS_IP_FILE")
    
    for x in $IP
    do
      # Match the IP as a whole entry (start of line, optional Connect: tag,
      # then whitespace). A plain grep "$x" treats the dots as wildcards and
      # lets 1.2.3.4 match an existing 11.2.3.45 line, silently skipping the
      # new entry.
      re=$(echo "$x" | sed 's/\./\\./g')
      if ! grep -Eq "^(Connect:)?${re}[[:space:]]" "$EMAIL_ACCESS_FILE"; then
        echo "# added on: $(date)" >> "$EMAIL_ACCESS_FILE"
        echo "${x} REJECT" >> "$EMAIL_ACCESS_FILE"
      fi
    done
    
    # Rebuild the hash map sendmail actually reads; no restart is needed.
    /usr/bin/makemap hash "${EMAIL_ACCESS_FILE}.db" < "$EMAIL_ACCESS_FILE"
    
    # Uncomment the line below to keep a history
    #/bin/cp -a "$VIRUS_EMAIL_FILE" "${VIRUS_EMAIL_FILE}_$(date +%s)"
    
    # Start the next hour with an empty mbox, then release the lock.
    /bin/cat /dev/null > "$VIRUS_EMAIL_FILE"
    rm -f "${VIRUS_EMAIL_FILE}.lock"
    
  7. Add the line below at the bottom of "/etc/mail/access" so the auto-added entries are easy to find (and remove) later:
    # Auto REJECT via hourly cron
    

That should be it. Please make sure you understand the whole process before setting it up: the script only ever adds entries, so a blocked IP stays blocked until you remove it from the access list by hand, and an infected host on a dynamic IP will block whoever gets that address next, so review the auto-added entries from time to time. The same process could be adapted for spam-filtered emails as well...
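The same notice-to-access-list pipeline as an added example that is not part of the original how-to, rewritten as shell functions so it can be run against a constructed sample mbox without touching /etc/mail. It extracts the sending IPs from the notices, applies the threshold while skipping loopback and RFC 1918 addresses, and adds REJECT entries while matching each IP as a whole entry; it also keeps the unanchored check from the cron script above to show why that matters (203.0.113.7 is "found" in an existing 203.0.113.70 line and would be skipped). The sample notices, the threshold of 2, the existing 203.0.113.70 entry and the temp paths are all constructed for the demo; running makemap and truncating the mbox are left to the cron script.

```shell
#!/bin/bash
# Added example, not the original cron script. Sample data below is
# constructed; the files are temp files so nothing under /etc/mail is touched.

# Constructed sample of a "Virus" mbox holding six MailScanner notices, each
# with the "IP Address:" line the cron script keys on (other report lines
# trimmed). 203.0.113.7 appears three times, 127.0.0.1 twice (mail injected
# locally), 198.51.100.20 once.
SAMPLE_MBOX='From MAILER-DAEMON Fri Feb  3 10:01:12 2006
Subject: Warning: E-mail viruses detected
Sender: someone@example.net
IP Address: 203.0.113.7
Recipient: user@domain.tld

From MAILER-DAEMON Fri Feb  3 10:03:40 2006
Subject: Warning: E-mail viruses detected
IP Address: 203.0.113.7

From MAILER-DAEMON Fri Feb  3 10:05:02 2006
Subject: Warning: E-mail viruses detected
IP Address: 127.0.0.1

From MAILER-DAEMON Fri Feb  3 10:07:19 2006
Subject: Warning: E-mail viruses detected
IP Address: 198.51.100.20

From MAILER-DAEMON Fri Feb  3 10:09:55 2006
Subject: Warning: E-mail viruses detected
IP Address: 203.0.113.7

From MAILER-DAEMON Fri Feb  3 10:12:31 2006
Subject: Warning: E-mail viruses detected
IP Address: 127.0.0.1'

# Print "<count> <ip>" for each distinct sending IP found in mbox $1.
count_notice_ips() {
  sed -n 's/.*IP Address:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | sort | uniq -c
}

# IPs seen at least $2 times in mbox $1, excluding loopback and RFC 1918
# space: blocking those would cut off the server's own or internal mail.
offenders() {
  count_notice_ips "$1" | awk -v max="$2" \
    '$1 >= max && $2 !~ /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ {print $2}'
}

# Append "<ip> REJECT" to access file $1 for each IP in $2.. that is not
# already listed; prints how many entries were added. The IP is matched as a
# whole entry: start of line, optional Connect: tag, escaped dots, whitespace.
add_rejects() {
  local f=$1 ip re added=0
  shift
  for ip in "$@"; do
    re=$(printf '%s' "$ip" | sed 's/\./\\./g')
    if ! grep -Eq "^(Connect:)?${re}[[:space:]]" "$f"; then
      printf '# added on: %s\n%s\tREJECT\n' "$(date -u '+%Y-%m-%d %H:%M:%S UTC')" "$ip" >> "$f"
      added=$((added + 1))
    fi
  done
  echo "$added"
}

# The unanchored check used by the cron script, kept only to show the bug:
# the dots are regex wildcards and the match is a substring match.
loose_match() {
  grep -q "$2" "$1"
}

# Run the pipeline end to end on the sample and report what happened.
example_run() {
  local mbox access ips loose added again
  mbox=$(mktemp) && access=$(mktemp) || return 1
  printf '%s\n' "$SAMPLE_MBOX" > "$mbox"
  # Constructed existing list that already blocks a different host.
  printf '# Auto REJECT via hourly cron\n203.0.113.70\tREJECT\n' > "$access"
  ips=$(offenders "$mbox" 2)
  if loose_match "$access" "$ips"; then loose=hit; else loose=miss; fi
  added=$(add_rejects "$access" $ips)   # unquoted on purpose: one IP per word
  again=$(add_rejects "$access" $ips)   # a second run must add nothing
  rm -f "$mbox" "$access"
  printf 'offenders=%s loose=%s added=%s again=%s\n' "$ips" "$loose" "$added" "$again"
}

example_run
```

With the sample above, `offenders` returns only 203.0.113.7: 127.0.0.1 is over the threshold but filtered out, and 198.51.100.20 was seen once. `loose_match` reports a hit against the unrelated 203.0.113.70 line, which is exactly the case where the cron script's `grep "$x"` would skip adding the entry, while `add_rejects` adds it once and adds nothing on the second run.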
