[메일] procmail 을 이용한 메일 필터 – 스팸
요즘 Sobig.F 웜 등 웜바이러스 때문에 서버관리자들이 고생 좀 하셨을껍니다.
KLTP에 보면 요즘 필터링하는 방법도 많이 올라오고요…
그래서, 요즘 많이 도는 몇가지 웜으로 인한 메일을 procmail을 이용해 필터링 하는
방법을 소개하겠습니다.
제 테스트서버에 사용하는거니깐 이대로 사용하셔도 되고, 자신에 맞게 바꿔서 사용하시길 바랍니
다.
# vi /etc/procmailrc
PATH=/usr/local/bin:/usr/bin:/bin
#LOGFILE=/var/log/procmail
VERBOSE=no
SHELL=/bin/sh
######################################################################################
###### Spam Mail filtering
#
#인코드되어 날아오는 헤더를 디코드 하는 부분.
:0 Efhw
*^(Subject|From|Cc):.*=\\?EUC-KR\\?(B|Q)\\?
|formail -c | hdcode -n
:0 Efhw
*^(Subject|From|Cc):.*=\\?ks_c_5601-1987\\?(B|Q)\\?
|formail -c | hdcode -n
:0
* ^Subject: .*(광고|광\\ 고|홍보|광-고|목록입니다|리스트입니다|성인정보|과ㅇ고|광\\.고|廣-告|광ㄱ고|광\\/고|광1고|廣>告|대출|대납)
/dev/null
:0
* ^Subject: .*\\[광.*고\\]
/dev/null
:0
* ^Subject: .*\\(광.*고\\)
/dev/null
:0
* ^Subject: .*\\[廣.*告\\]
/dev/null
:0
* ^Subject: .*\\(廣.*告\\)
/dev/null
:0
* ^Subject: .*\\[홍.*보\\]
/dev/null
:0
* ^Subject: .*\\(홍.*보\\)
/dev/null
:0
* ^Subject: .*\\[성.*인\\]
/dev/null
:0
* ^Subject: .*\\(성.*인\\)
/dev/null
:0
* ^Subject: .*\\[정.*보\\]
/dev/null
:0
* ^Subject: .*\\(정.*보\\)
/dev/null
######################################################################################
##### Virus Mail filtering
# filter mimail.Worm
:0
* ^Subject: .*your account
/dev/null
# filter out Klez. rule adapted from:
:0 :
* ^Content-Type: multipart/alternative;.*boundary=[A-Za-z0-9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-
9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-9]
* B ?? ^Content-Type: (audio/x-|application).*;.*$.*name=.*\\.(scr|com|bat|pif|lnk|exe)$
virus.klez
# filter sobig-[A-E] (and palyh)
:0 D
* ^Content-Type: multipart/mixed;[ ]*\\
boundary=”CSmtpMsgPart123X456_000_[0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-
F][0-9A-F]”
* ^Received: from [A-Z0-9_-]+ \\(
* ^From: <
{
:0 :
* ^From: <(big@boss\\.com|support@microsoft\\.com)>
/dev/null
:0 B:
* ^All information is in the attached file\\.|\\
^Please see the attached (zip )?file( for details)?\\.|\\
^Content-Type:.*$\\
[ ]+name=”[^”]+\\.(com|bat|pif|lnk|exe|scr|zip)”$\\
.*$\\
Content-Disposition: attachment;$\\
[ ]+filename=”[^”]+\\.(co|ba|pi|ln|ex|sc|zi)”
/dev/null
}
# filter sobig-F, including its bounces
:0 HB:
* ^X-Mailer: Microsoft Outlook Express 6\\.00\\.2600\\.0000
* ^X-MailScanner: Found to be clean
* _NextPart_000_[0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F]
* !^X-MimeOLE
/dev/null
# Filter the YAHA virus (also snagged from the xs4all.general newsgroup)
:0
* ^Content-Type: multipart/mixed
* B ?? ^Content-Type:
(audio/x-|application).*;.*$.*name=.*\\.(scr|com|bat|pif|lnk|exe)$
{
:0
/dev/null
}