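#! /bin/sh
# $Id: infected.ex1,v 1.2 2001/10/26 21:20:44 mjt Exp $

# This program is called by avcheck to handle infected mail.
# Customize to fit your needs.
#
# Author: Michael Tokarev
# Public domain.
#
# Exit status is what avcheck / the MTA act on:
#   0                   - accept quietly (with a content_filter the mail is
#                         simply discarded)
#   69 (EX_UNAVAILABLE) - reject; the MTA generates the bounce
#   75 (EX_TEMPFAIL)    - temporary failure; the MTA will retry later
# Diagnostics go to stderr so they end up in the MTA's log, never on stdout.

# Arguments:
# 1    - temporary filename with message
# 2    - antivirus message if any (multiline, may be empty)
# 3    - from (sender) address (mail from)
# 4... - recipients of a message

EX_TEMPFAIL=75
EX_UNAVAILABLE=69

MAIL="$1"

# Remove the temporary message file; safe to call more than once.
cleanup() {
  if [ -n "$MAIL" ] ; then
    rm -f -- "$MAIL"
  fi
}
# Single quotes: "$MAIL" is expanded when the trap fires, so a file name with
# spaces or glob characters survives intact.
trap 'cleanup; exit $EX_TEMPFAIL' 1 2 3 15
trap cleanup 0 # cleanup at exit

# A call with fewer than three arguments would make the "shift 3" below fail
# and leave the script running with garbage in $SENDER/$@.
if [ $# -lt 3 ] || [ -z "$MAIL" ] ; then
  echo "$0: usage: $0 msgfile avmessage sender recipient..." >&2
  exit $EX_TEMPFAIL
fi

if [ -n "$2" ] ; then MSG="$2"; else MSG="Infected by a virus"; fi

# The sender address is untrusted and is written onto a header line (Subject:)
# of the alert we generate, which sendmail then parses.  Strip CR/LF so a
# hostile value cannot smuggle extra header lines into the alert.  A sane MTA
# never hands over such a MAIL FROM; this is defence in depth only.
SENDER=$(printf '%s' "$3" | /usr/bin/tr -d '\r\n')

shift 3
# $@/$* are original recipients.  Always enclose in ""!

HOST=$(/bin/hostname)

# $SENDMAIL should be set by avcheck.  Set it here if it is unset OR empty
# (":=" rather than "=", so an exported empty SENDMAIL does not turn into an
# attempt to run "").  It is a command line, not a path, so it is expanded
# unquoted below on purpose.
: "${SENDMAIL:=/usr/sbin/sendmail -i}"

# common routine
# sendrep key "orig_recipients" recipients...
#   key             - 'h': attach only the headers of the infected message
#                     (message/rfc822-headers part); anything else: attach
#                     the complete message (message/rfc822 part)
#   orig_recipients - text listing the original recipients, shown in the
#                     alert body; pass "" to keep them private
#   recipients...   - where to send the alert
# The alert is sent with an empty envelope sender (-f "") so it can never be
# bounced back and loop.  Exits with EX_TEMPFAIL if sendmail fails.
sendrep() {
  if [ "$1" = 'h' ] ; then
    h=" headers"; h_="-headers"
  else
    h=; h_=
  fi
  if [ -n "$2" ] ; then
    rcpt=" sent to $2"
  else
    rcpt=
  fi
  shift 2
  (
    # construct virus-alert message
    boundary="antivirus-boundary-$$-$(/bin/date '+%Y-%m-%d-%H-%M-%S')@$HOST"
    # printf, not echo: the echo of some /bin/sh (dash) interprets backslash
    # escapes, and the antivirus text in $MSG may contain backslashes.
    printf '%s\n' \
"From: antivirus-daemon
Subject: Virus-alert (sender: $SENDER)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary=\"$boundary\"

This is a multi-part message in MIME format.

--$boundary
Content-Type: text/plain; charset=us-ascii
Content-Description: Notification

Hello!

This is a mail anti-virus program at host $HOST.
The mail system received a message from $SENDER$rcpt
that contains either infected or suspicious file(s)
and it has not reached the above recipients.
Original message$h given below.

Antivirus message(s):
$MSG

--$boundary
Content-Type: message/rfc822$h_
Content-Description: Infected message$h
"
    if [ -n "$h" ] ; then
      # headers only: stop at the first empty line
      /bin/sed '/^$/q' -- "$MAIL"
    else
      /bin/cat -- "$MAIL"
    fi
    printf '\n--%s--\n' "$boundary"
  ) \
  | $SENDMAIL -f "" -- "$@"
  # $? is the status of the last pipeline element, i.e. sendmail.
  if [ $? -ne 0 ] ; then
    echo "$0: unable to send mail" >&2
    exit $EX_TEMPFAIL
  fi
}

###################################################
## please customize the following section to your taste.
## You will usually want to uncomment one of the following
## `sendrep' lines to do appropriate actions.  By default,
## line logged to syslog and alert sent to admin
## (please use real address!).
## Another idea is not delete message file, but
## refer to it (move to another place!) in virus-alert
## mail, saying to ask "virusmaster" about it, or even
## use URL in virus-alert mail to fetch it using WWW.

# log to syslog (LC_ALL: there is no LC_DATE locale category)
LC_ALL=C /usr/bin/logger -p mail.warn -t avcheck \
  "infected: from=$SENDER to=$* msg=$MSG"

# Note the use of $@ vs $*!
# Second arg for sendrep should be "$*", while rest must be "$@"!

# send complete message to admin, show rcpts
sendrep f "$*" "virus-admin"

# send headers to admin, show recipients
#sendrep h "$*" "virus-admin"

# send headers to all original rcpts, do not show them in message
# (to be private)
#sendrep h "" "$@"

# send alert (complete message aka bounce) back to sender, omit rcpts
#sendrep f "" "$SENDER"

# send complete message to sender and admin
#sendrep f "$*" "$SENDER" "virus-admin"

# send headers to admin, sender and all recipients, showing all rcpts
# (breaks privacy somewhat)
#sendrep h "$*" "virus-admin" "$SENDER" "$@"

# bounce message back using standard MTA bounce feature
printf '%s\n' "Message didn't pass the virus check: $MSG" >&2; exit $EX_UNAVAILABLE

# normal exit, do not bounce it back: in case of content_filter,
# mail will be discarded.  (Only reached if the bounce line above is
# commented out.)
exit 0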