The following procmail script is based on the script originally found at linuxbandwagon.com called “Fighting spam with procmailrc”.
For a server-wide implementation the script should be placed in the file /etc/procmailrc. Remember to clear the /tmp/virus.sav file regularly on high-traffic servers to avoid cluttering up the /tmp folder.
If you are satisfied that the script won't stop legitimate traffic, you can discard matched mail outright by changing /tmp/virus.sav to /dev/null.
How does it work?
The script is fairly simple in operation. It just searches each email for the string “name=” followed by the attachment name. If this string is found the email is redirected to the tmp folder. I actually redirect to a virus file in my mail folder and use usermin to view the subjects to check for false hits. The list of attachment names comes from descriptions of the worm that were posted online after initial analysis from anti-virus companies. There may be other attachment names that I haven’t covered. The script however has been effective in catching the worm so far.
Because this page is becoming fairly popular I’ve added an easy cut-and-paste version below: just highlight the text below, then copy it into your own procmail file.
---procmailrc---
VERBOSE=off
LOGFILE=/var/log/virus.log
SUBJECT=`formail -xSubject:`
ARRIVED=`formail -xDate:`
TOEMAIL=`formail -xTo:`
SENDMAIL=/usr/sbin/sendmail

## Check if already scanned
:0 H
* !^X-Loop: Attachment scanner
{
    :0 f
    ## Add header
    |formail -A"X-Loop: Attachment scanner"

    # Look for Worm Attachment in body
    :0 B
    * name=.*(document|readme|doc|text|file|data|test|message|body)\.(vbs|wsf|vbe|wsh|hta|scr|pif|exe|shs|bat|bas|scr|cmd|zip)
    {
        :0
        /tmp/virus.sav
    }
}
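To see what the recipe will and will not catch before trusting it with /dev/null, here is the same decision logic in Python run over a few constructed messages (an added example, not part of the original script): the X-Loop check, the body-only match with the page's pattern, and a legitimate Document.zip that produces exactly the kind of false hit the author checks for by hand. The sample messages and the verdict labels are assumptions for illustration.

```python
import re
from email import message_from_string

# Same body pattern as the procmailrc recipe. procmail regexps are case-insensitive by
# default, so re.IGNORECASE mirrors that. "name=" matches both the Content-Type name=
# parameter and the Content-Disposition filename= parameter, which is what makes it hit.
WORM_ATTACHMENT = re.compile(
    r"name=.*(document|readme|doc|text|file|data|test|message|body)"
    r"\.(vbs|wsf|vbe|wsh|hta|scr|pif|exe|shs|bat|bas|cmd|zip)",
    re.IGNORECASE,
)
LOOP_HEADER, LOOP_VALUE = "X-Loop", "Attachment scanner"


def classify(raw_message: str) -> str:
    """Mirror the recipe: 'skip' if already scanned, 'quarantine' on a hit, else 'deliver'."""
    msg = message_from_string(raw_message)
    # ":0 H" + "* !^X-Loop: Attachment scanner": only mail without the loop marker is scanned
    if any(v.strip() == LOOP_VALUE for v in msg.get_all(LOOP_HEADER, [])):
        return "skip"
    # The B flag matches against the body, i.e. everything after the first blank line
    _, _, body = raw_message.partition("\n\n")
    return "quarantine" if WORM_ATTACHMENT.search(body) else "deliver"


# Constructed sample messages (not real captures)
SAMPLES = {
    "worm": "From: a@example.com\nSubject: hi\n\n"
            'Content-Type: application/octet-stream; name="document.pif"\n\nMQAAAA==\n',
    "legit_pdf": "From: b@example.com\nSubject: report\n\n"
                 'Content-Disposition: attachment; filename="report-q1.pdf"\n',
    "false_hit": "From: c@example.com\nSubject: archive\n\n"
                 'Content-Disposition: attachment; filename="Document.zip"\n',
    "rescanned": "From: d@example.com\nX-Loop: Attachment scanner\nSubject: x\n\n"
                 'Content-Type: application/x-msdownload; name="readme.exe"\n',
    "plain": "From: e@example.com\nSubject: note\n\nsee readme.txt in the repo\n",
}


def scan_samples() -> dict:
    """Run every constructed sample through classify() and return label -> verdict."""
    return {label: classify(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in scan_samples().items():
        print(f"{label:10s} -> {verdict}")
```

The "false_hit" sample shows why the author keeps matched mail in a file and reviews the subjects rather than deleting immediately: any archive whose name happens to be one of the listed words is quarantined too.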