11.6 Using Sendmail to Block E-Mail Attacks

(Danger level: 3)

The example here, created by www.sendmail.org the day the ILOVEYOU worm struck, causes sendmail to reject e-mail that is likely to contain the ILOVEYOU worm. This worm is also discussed in "Desktop Policy" on page 344 and "The Snort Attack Detector" on page 598. Note that this example is very specific: it will not even detect the mutations of the worm, carrying different subjects, that were seen within two days of the worm surfacing.

This author has yet to see sendmail demonstrate the level of versatility present in Ross Harvey's nroff macros that played a perfect interactive game of tic-tac-toe. Seriously, with enough effort, sendmail can be hammered into doing almost anything.


This example should work when placed either in the sendmail.mc file or directly in the sendmail.cf file. If the former is used, the m4 macro processor then needs to be invoked to process sendmail.mc into sendmail.cf. Note that <tab> represents the tab character; there must be a single tab character at each such point or this code will not work.

 HSubject:<tab>$>Check_Subject
 D{MPat}ILOVEYOU
 D{MMsg}This message may contain the LoveLetter virus.

 SCheck_Subject
 R${MPat} $*<tab>$#error $: 501 ${MMsg}
 RRe: ${MPat} $*<tab>$#error $: 501 ${MMsg}

This code is simpler than it looks. When the Subject: header is seen, the Check_Subject ruleset is called. It checks whether the subject is ILOVEYOU or Re: ILOVEYOU (followed by anything); the latter detects replies to the e-mail containing the worm. Clearly, this technique can be used for similar worms and viruses that pass through the organization's sendmail-based mail server, even though the attacks do not bother Linux end users. Detecting this worm is discussed in "The Snort Attack Detector" on page 598.
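As an added illustration (not from the book or from sendmail.org), the following Python models what the two Check_Subject rules accept and reject and runs the model over a few constructed messages, making the narrowness noted above visible: a "Fwd:" prefix or a mutated subject slips past. The header parsing and the case-insensitive, whitespace-token matching are simplifying assumptions, not sendmail's real tokenizer.

```python
"""Model of the Check_Subject ruleset: reject when the Subject: header is
'ILOVEYOU ...' or 'Re: ILOVEYOU ...'. Simplified model, not sendmail."""

MPAT = "ILOVEYOU"                                   # D{MPat}
MMSG = "This message may contain the LoveLetter virus."  # D{MMsg}


def header_value(raw_message: str, name: str):
    """Return the value of the first header called `name` (case-insensitive),
    or None. Only the header block before the first blank line is inspected."""
    header_block = raw_message.split("\n\n", 1)[0]
    for line in header_block.split("\n"):
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            return value.strip()
    return None


def check_subject(subject: str):
    """Model of:  R${MPat} $*     -> pattern token, then anything ($*)
                  RRe: ${MPat} $* -> 'Re:' token, pattern token, then anything
    Returns the SMTP error text the rule produces, or None to accept."""
    tokens = subject.split()  # assumption: whitespace tokens, case-folded
    for prefix in ([MPAT], ["Re:", MPAT]):
        head = [t.lower() for t in tokens[:len(prefix)]]
        if head == [p.lower() for p in prefix]:
            return f"501 {MMSG}"
    return None


def screen_message(raw_message: str):
    """Apply the rule the way the H line does: only when Subject: is present."""
    subject = header_value(raw_message, "Subject")
    return None if subject is None else check_subject(subject)


# Constructed sample messages (not real traffic).
SAMPLES = {
    "worm": "From: a@example.com\nSubject: ILOVEYOU\n\nkindly check the attachment",
    "reply": "Subject: Re: ILOVEYOU\nTo: b@example.com\n\nI did not open it",
    "forward": "Subject: Fwd: ILOVEYOU\n\nlook at this",        # not caught
    "mutation": "Subject: fwd: Joke\n\nhahaha",                   # not caught
    "clean": "Subject: Meeting at 10\n\nsee you there",
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label:9s} -> {screen_message(msg) or 'accepted'}")
```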




Real World Linux Security Prentice Hall Ptr Open Source Technology Series
Year: 2002
Pages: 260
