[9fans] upas/vf

[9fans] upas/vf

[David Presotto]

I just updated upas/vf, upas/smtpd, and /sys/lib/mimetypes
to dump any mail that contains file extentions that in
/sys/lib/mimetypes have an 'r' in the 5th field.  At the
moment that includes .exe, .com, .scr, .bat, .com, and
.pif; all of which I saw the virus being spread with.

To use it, you'll need the following two files

1) an updated /rc/bin/service/tcp25

#!/bin/rc
#smtp serv net incalldir user
exec upas/smtpd -m /mail/lib/vfsend -n $3

2) the file /mail/lib/vfsend

#!/bin/rc
rfork s
/bin/upas/vf -r|upas/send $*

If you take out the -r option to vf, it will also wrap any
attachments that have 'n' in the 5th field of mimetypes
with a wrapper that keeps them from accidentally being executed
(its old behaviour).

If you take out the rfork s, the smtpd won't even send an
error return to the other end, it'll just die.  You might
want to do this.  I don't on the off chance that someone
might legitimately send something.

I still have to correct rfc822.y so that it doesn't get
confused by badly fomed headers but I have to relearn
yacc error recovery and experiment a bit first.
Luckily, those messages are in the noise.

This is not to turn anyone off to the bayesian stuff.
I just want to catch the cruft earlier and waste as
little of my system as possible, ala Boyd.

Also, the smtod now has a flag -D that delays response
for 15 seconds on the hope that spamers will go away.
It works some of the time.

Re: [9fans] upas/vf

[matt]

>This is not to turn anyone off to the bayesian stuff.
>I just want to catch the cruft earlier and waste as
>little of my system as possible, ala Boyd.

This is actually wise.

Bayes is for catching Spam.

You should filter out viruses *before* they hit the Bayes because they can poison your corpus with their "as legitimate as possible" message bodies.

Re: [9fans] upas/vf

[boyd, rounin]

> >little of my system as possible, ala Boyd.

à la ...

> You should filter out viruses *before* they hit the Bayes because they can
poison
> your corpus with their "as legitimate as possible" message bodies.

i have a beer-mat / coaster / back of the envelope design to kill 'em
at the smtp level, which will 'learn' and fail 'safe'.

actually, it's currently on both sides of a an A4 page, 1 metre from me.

Re: [9fans] upas/vf

[Joel Salomon]

boyd, rounin said:
> i have a beer-mat / coaster / back of the envelope design to kill 'em
> at the smtp level, which will 'learn' and fail 'safe'.
>
> actually, it's currently on both sides of a an A4 page, 1 metre from me.
>

Can you post/link to/describe it?

--Joel

Re: [9fans] upas/vf

[boyd, rounin]

> Can you post/link to/describe it?

i can, but it might be described as too 'crude' and we wouldn't want that ...

and there will be no more mvs fiascos.