geekvenue.net


HOWTO: use sendmail to block messages
Sendmail Posted by Jason on Friday August 22, @05:24PM
from the W32.Sobig.F@mm sucks dept.
Due to the recent flood of emails on the net caused by the Sobig virus/worm, I thought I should share with everyone how to use Sendmail rules to block these and other messages at the server.

The first thing you have to know is that sendmail's configuration lives mostly in one very large text file, sendmail.cf, which holds most of the configuration in the form of rules. Rules can be modified and new rules added simply by editing this text file, and that's exactly what has to be done to add a rule for blocking messages. The second thing you need to know is that sendmail.cf is a huge beast, which is why step one (the backup) is so important.

The process consists of four steps:

1. Make a backup copy of sendmail.cf
2. Add rules to the sendmail.cf file
3. Modify the rules
4. Restart sendmail


Note: All these steps must be done as the root user.


[Make a backup copy of sendmail.cf]
This is important! You don't want to mess up your sendmail config file and not have a backup copy.

Login: root
Password: *****

cd /etc/mail
cp sendmail.cf sendmail.cf.SAVE

[Add rules to sendmail.cf]
I have provided a basic rule that will filter email based on the subject line text of the email. Here is what that rule looks like:

## NEW VIRUS RULE

HSubject: $>Check_Subject
D{MPat}YOUR VIRUS SUBJECT HERE!
D{MMsg}Rejected! This message may contain the XYZ virus.

SCheck_Subject
# on each R line a tab (not spaces) separates the pattern from the action
R${MPat} $*	$#error $: 553 ${MMsg}
RRe: ${MPat} $*	$#error $: 553 ${MMsg}

## END VIRUS RULE


Note: Download the virusrule.txt file I have provided (upper right of this page); the tabs and spacing in the text file are very important!

To add this text to your sendmail.cf file, all you have to do is download it and append it to the file with the cat command. Place the downloaded virusrule.txt file in the /etc/mail directory.
cd /etc/mail
cat virusrule.txt >> sendmail.cf

The text will now be appended to the end of your sendmail.cf file, which is right where you want it to be.


[Modify the rule in sendmail.cf]
In this step you will need to modify the rules to match the particular subject line text that you would like sendmail to block. In the case of our pain-in-the-butt W32.Sobig.F@mm worm we could use Re: Wicked screensaver. Here's how...

Using your favorite editor (ee, vi, etc.), edit the newly added line in sendmail.cf that reads:

D{MPat}YOUR VIRUS SUBJECT HERE!

Change it to:
D{MPat}Re: Wicked screensaver
You may also want to modify the message line that reads: D{MMsg}Rejected! This message may contain the XYZ virus. The message portion can be anything you would like.

[Restart the sendmail server]
There are two ways to do this: restart the server, or send a restart signal to sendmail.

To send a restart signal to sendmail, use the killall command with the HUP signal:
killall -HUP sendmail
Next, you will want to check that sendmail restarted successfully and is listening. You can use the ps command to do this. Type:
ps -ax|grep sendmail
You should see something like the following to indicate success:

111 ?? Ss 0:38.45 sendmail: accepting connections (sendmail)
That's all there is to it! To test your system, try sending it an email with the blocked subject line, and remember it's case sensitive. You will have to repeat this process for each possible subject that you might like to block. It's crude but effective.
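The whole procedure as an added POSIX shell example (not the article's virusrule.txt and not the author's script), generalised to several subject lines at once: it builds the rule block with a separate {MPat1}, {MPat2}, ... macro per subject (a second D{MPat} line would only redefine the first macro, not add a pattern), backs up sendmail.cf, refuses to append the block twice, and signals sendmail. The names MAIL_DIR, build_rule, install_rule and reload_sendmail are assumptions made here; the rule text itself follows the article's.

```shell
#!/bin/sh
# Added example: assemble and install the article's subject-blocking rule
# for several subjects at once. MAIL_DIR, build_rule, install_rule and
# reload_sendmail are names chosen for this example (assumption).
set -e

# Print a rule block for the subjects given as arguments. Each subject
# gets its own macro ({MPat1}, {MPat2}, ...): a second D{MPat} line would
# only redefine the first macro instead of adding another pattern.
build_rule() {
    tab="$(printf '\t')"
    printf '## NEW VIRUS RULE\n\nHSubject: $>Check_Subject\n'
    printf 'D{MMsg}Rejected! This message may contain a known virus.\n'
    i=1
    for subj in "$@"; do
        printf 'D{MPat%d}%s\n' "$i" "$subj"
        i=$((i + 1))
    done
    printf '\nSCheck_Subject\n'
    i=1
    for subj in "$@"; do
        # sendmail requires a tab, not spaces, between pattern and action
        printf 'R${MPat%d} $*%s$#error $: 553 ${MMsg}\n' "$i" "$tab"
        printf 'RRe: ${MPat%d} $*%s$#error $: 553 ${MMsg}\n' "$i" "$tab"
        i=$((i + 1))
    done
    printf '\n## END VIRUS RULE\n'
}

# Steps 1 and 2: back up sendmail.cf, then append the block exactly once.
# Returns 1 if sendmail.cf is missing and 2 if the block is already there.
install_rule() {
    cf="${MAIL_DIR:-/etc/mail}/sendmail.cf"
    [ -f "$cf" ] || { echo "missing $cf" >&2; return 1; }
    if grep -q '^## NEW VIRUS RULE' "$cf"; then
        echo "rule block already in $cf; edit it instead of appending" >&2
        return 2
    fi
    cp "$cf" "$cf.SAVE"
    build_rule "$@" >> "$cf"
}

# Step 4: make sendmail re-read sendmail.cf and confirm it is listening.
reload_sendmail() {
    killall -HUP sendmail
    ps -ax | grep '[s]endmail'
}
# Usage (as root): install_rule 'Re: Wicked screensaver' 'Re: Your details' && reload_sendmail
```

Step 3 (choosing the subject text) is supplied as the arguments, so the D{MPat} lines never need hand-editing.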

NOTE: To learn more about commands used in this article, refer to the man pages:

man ps
man kill
man killall
man ee
man vi


Re: HOWTO: use sendmail to block messages
by Jaripekka on Sunday August 31, @04:35AM
Thanks for the rules to block the Sobig virus messages. My concern is about the returned mail messages: don't they go to innocent people whose e-mail address has been used as the sender? "Subject: Returned mail: see transcript for details", "From: Mail Delivery Subsystem". Can we make a rule that silently ignores a message and does not cause any more e-mail traffic? Jaripekka
Re: HOWTO: use sendmail to block messages
by Ernie De Guzman on Wednesday September 03, @02:02PM
Hi! I used this tip because we've been flooded by the Sobig virus. I had a problem though: after adding virusrule.txt to the sendmail configuration file, it blocked all the emails and flagged them as infected with the Sobig virus. Any thoughts on this will be appreciated. Thanks. Ernie.
Re: HOWTO: use sendmail to block messages
by Tal Assa on Wednesday November 05, @06:36AM
Hi! Your article is very practical and useful. Q: is it possible to make the virus rule subject more flexible, in terms of a generic string? I have a virus with a steady subject that begins with the same string all the time, and the last key words change randomly all the time. Is there a sophisticated way to tell the rule to handle generic key words and not a specific text? Any help will be appreciated, 10x in advance
Re: HOWTO: use sendmail to block messages
by Romeo Chatiar on Wednesday December 03, @04:27AM
Can I add multiple lines of D{MPat}YOUR VIRUS SUBJECT HERE! for blocking all sorts of subjects, e.g.: D{MPat}Re: Wicked screensaver, D{MPat}Re: thank you, D{MPat}Re: movie, D{MPat}Re: your details
Re: HOWTO: use sendmail to block messages
by San on Friday November 10, @10:36PM
Hi. Really, these are very nice tips, working fine. I need some more info from you.... 01. Your txt file will block where the subject contains "Resume", but I want to block where the subject contains "resume" and another subject contains "Test", etc. So how do we add more than one subject..?? 02. Here we are blocking by subject; I need to know how to block the sender address. For e.g.: I am getting mails from 01. XXXXX@test.com 02. XYXYX@test1.com 03. ZZZZZ@test3.in. In this case I want to block all the mails from "@test.com", "@test1.com", "@test3.com". How do I modify the coding???? Plz help me with this problem..... Thanks in advance....
    All trademarks and copyrights on this page are owned by their respective companies. Comments are owned by the Poster. The Rest ©2001 Jason Neumann.