From mboxrd@z Thu Jan  1 00:00:00 1970
Message-ID: <597fdf052e4773580b161eaf7e169012@plan9.bell-labs.com>
From: David Presotto
To: 9fans@cse.psu.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Subject: [9fans] upas/vf
Date: Wed, 24 Sep 2003 05:11:07 -0400
Topicbox-Message-UUID: 44c03b72-eacc-11e9-9e20-41e7f4b1d025

I just updated upas/vf, upas/smtpd, and /sys/lib/mimetypes to
dump any mail that contains file extensions that in /sys/lib/mimetypes
have an 'r' in the 5th field.  At the moment that includes
.exe, .com, .scr, .bat, .com, and .pif; all of which I saw the virus
being spread with.

To use it, you'll need the following two files:

1) an updated /rc/bin/service/tcp25

	#!/bin/rc
	#smtp serv net incalldir user
	exec upas/smtpd -m /mail/lib/vfsend -n $3

2) the file /mail/lib/vfsend

	#!/bin/rc
	rfork s
	/bin/upas/vf -r|upas/send $*

If you take out the -r option to vf, it will also wrap any
attachments that have 'n' in the 5th field of mimetypes with
a wrapper that keeps them from accidentally being executed
(its old behaviour).

If you take out the rfork s, the smtpd won't even send an error
return to the other end, it'll just die.  You might want to do this.
I don't on the off chance that someone might legitimately send
something.

I still have to correct rfc822.y so that it doesn't get confused
by badly formed headers but I have to relearn yacc error recovery
and experiment a bit first.  Luckily, those messages are in the noise.

This is not to turn anyone off to the bayesian stuff.  I just want to
catch the cruft earlier and waste as little of my system as possible,
ala Boyd.

Also, the smtpd now has a flag -D that delays response for 15 seconds
on the hope that spammers will go away.  It works some of the time.
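
The 5th-field policy described in the message above, sketched as an added example that is not part of the original mail and is not the upas/vf source. The whitespace-separated table layout, the sample table and messages, the function names, and the choice to pass unknown suffixes are all assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed sample table (assumed layout): suffix type subtype encoding flag
MIMETYPES = """\
#suffix type        subtype      encoding flag
.exe    application octet-stream -        r
.pif    application octet-stream -        r
.zip    application zip          -        n
.txt    text        plain        -        y
"""

def load_flags(table):
    """Map lower-cased suffix -> 5th field, skipping comments and short lines."""
    flags = {}
    for line in table.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 5:
            flags[fields[0].lower()] = fields[4]
    return flags

def suffix_of(name):
    """Last dot-suffix, so 'invoice.txt.pif' is judged as '.pif'."""
    name = name.strip().rstrip(".").lower()   # ignore trailing dots and spaces
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""

def verdict(raw_message, flags):
    """'reject' if any attachment is flagged r, 'wrap' if any is n, else 'pass'."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    result = "pass"
    for part in msg.walk():                   # visits nested multiparts too
        flag = flags.get(suffix_of(part.get_filename() or ""))
        if flag == "r":
            return "reject"
        if flag == "n":
            result = "wrap"
    return result

def sample(filename):
    """Constructed test message carrying one small attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "test"
    m.set_content("see attached")
    m.add_attachment(b"MZ", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Matching on the last suffix, case-insensitively, is what keeps double-extension names such as invoice.txt.pif from slipping through as text.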