Tim's Sendmail REGEX Patches

Tim's Sendmail REGEX Patches

There is a second patch that migth be useful for very loaded servers here

. This patch is for sendmail 8.12.* and will allow for regular expression checks of the body of all messages. It is based on the existing MAP_REGEX work. They will apply to sendmail up to at least 8.12.9.

You must not use a version of sendmail prior to 8.12.9 without security patches.

Warning! Use of this may result in users not being able to report spam to your abuse@ email address!

Add the following line:
Krv2 regex -aVirus-Detect2 ^TVqQAAMAAAAEAAA
To protect aginst the W32.Klez and Bug Bear (or bbugbear) virus as well as some based on it. It also will filter most mime encoded executables that many viruses use to exploit windows.

If your running 8.11 then check out the 8.11.1 version.

  1. Get a copy of sendmail 8.12.9 (or newer) from sendmail.org
  2. Get a copy of the patch:
  3. Patch the source
    patch < regex_patch
  4. Fix up (create?) devtools/Site/site.config.m4
    add APPENDDEF(`confMAPDEF', `-DMAP_REGEX') (this may not be needed but wont hurt to add)
    add APPENDDEF(`confENVDEF', `-DREGEX_BODY')
  5. run sh ./Build
  6. update your cf/cf/config.mc by adding a LOCAL_CONFIG section like this:
    LOCAL_CONFIG
    #
    #  Regular expression to reject:
    #
    Kbodyregex regex -aMATCH ^(spam|SPAM)
    
  7. Make config.cf with
    make config.cf
  8. Test new config:
    ../../obj*/sendmail/sendmail -v -bs -C ./config.cf
    mail from: me@here.com
    rcpt to: root
    data
    spam message to test filter
    .
    
  9. Change the regex to a real list of spam. rebuild and test again
    LOCAL_CONFIG
    #
    #  Regular expression to reject:
    #
    # spam rejects
    Krs1 regex -aNoSpam (Millions of Email)
    Krs2 regex -a123.NoSpam (new auto today)
    Krs3 regex -aNoSpam (800-618-1495)
    # virus rejects
    Krv1 regex -aVirus-Detect1 (I send you this file in order to have your advice)
    Krv2 regex -aVirus-Detect2 ^TVqQAAMAAAAEAAA
    # collect all regex in one place
    Kbodyregex sequence rs1 rs2 rs3 rv1 rv2
    
    We can only add 12 regex patterns to a sequence map but we can add 12 sequence maps to each sequence map like this:
    Krs1 regex -aNoSpam (Millions of Email)
    Krs2 regex -aNoSpam (new auto today)
    Krs3 regex -aNoSpam (800-618-1495)
    ...
    Kss1 sequence rs1 rs2 rs3 rv1 [...]
    Kss2 sequence [upto 12 more...]
    Kbodyregex sequence ss1 ss2
    

My complete list is here.In the past few days each rule has filted this many messages:

The virus detect rule found 51 viruses in the same time.

If sendmail won't filter on the patterns, make sure you built it properly with the -DREGEX_BODY. The easy way is to remove the obj.* build directory and rerun ./Build

Changes since last version:

Stuff I would like to add:



Back to Tim's Homepage Back to current subject Related Links thogard@abnormal.com
 This page was last updated Wednesday, 16-Feb-2005 03:34:20 UTC Copyright 2000-2016 thogard™ is a trademark of Tim Hogard