* [9fans] upas/vf
@ 2003-09-24 9:11 David Presotto
2003-09-24 10:32 ` matt
0 siblings, 1 reply; 5+ messages in thread
From: David Presotto @ 2003-09-24 9:11 UTC (permalink / raw)
To: 9fans
I just updated upas/vf, upas/smtpd, and /sys/lib/mimetypes
to dump any mail that contains file extentions that in
/sys/lib/mimetypes have an 'r' in the 5th field. At the
moment that includes .exe, .com, .scr, .bat, .com, and
.pif; all of which I saw the virus being spread with.
To use it, you'll need the following two files
1) an updated /rc/bin/service/tcp25
#!/bin/rc
#smtp serv net incalldir user
exec upas/smtpd -m /mail/lib/vfsend -n $3
2) the file /mail/lib/vfsend
#!/bin/rc
rfork s
/bin/upas/vf -r|upas/send $*
If you take out the -r option to vf, it will also wrap any
attachments that have 'n' in the 5th field of mimetypes
with a wrapper that keeps them from accidentally being executed
(its old behaviour).
If you take out the rfork s, the smtpd won't even send an
error return to the other end, it'll just die. You might
want to do this. I don't on the off chance that someone
might legitimately send something.
I still have to correct rfc822.y so that it doesn't get
confused by badly fomed headers but I have to relearn
yacc error recovery and experiment a bit first.
Luckily, those messages are in the noise.
This is not to turn anyone off to the bayesian stuff.
I just want to catch the cruft earlier and waste as
little of my system as possible, ala Boyd.
Also, the smtod now has a flag -D that delays response
for 15 seconds on the hope that spamers will go away.
It works some of the time.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [9fans] upas/vf
2003-09-24 9:11 [9fans] upas/vf David Presotto
@ 2003-09-24 10:32 ` matt
2003-09-24 12:48 ` boyd, rounin
0 siblings, 1 reply; 5+ messages in thread
From: matt @ 2003-09-24 10:32 UTC (permalink / raw)
To: 9fans
>This is not to turn anyone off to the bayesian stuff.
>I just want to catch the cruft earlier and waste as
>little of my system as possible, ala Boyd.
This is actually wise.
Bayes is for catching Spam.
You should filter out viruses *before* they hit the Bayes because they can poison your corpus with their "as legitimate as possible" message bodies.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [9fans] upas/vf
2003-09-24 10:32 ` matt
@ 2003-09-24 12:48 ` boyd, rounin
2003-09-24 14:30 ` Joel Salomon
0 siblings, 1 reply; 5+ messages in thread
From: boyd, rounin @ 2003-09-24 12:48 UTC (permalink / raw)
To: 9fans
> >little of my system as possible, ala Boyd.
à la ...
> You should filter out viruses *before* they hit the Bayes because they can
poison
> your corpus with their "as legitimate as possible" message bodies.
i have a beer-mat / coaster / back of the envelope design to kill 'em
at the smtp level, which will 'learn' and fail 'safe'.
actually, it's currently on both sides of a an A4 page, 1 metre from me.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2003-09-24 14:57 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2003-09-24 9:11 [9fans] upas/vf David Presotto
2003-09-24 10:32 ` matt
2003-09-24 12:48 ` boyd, rounin
2003-09-24 14:30 ` Joel Salomon
2003-09-24 14:57 ` boyd, rounin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).