[메일] procmail 을 이용한 메일 필터 – 스팸

요즘 Sobig.F 웜 등 웜바이러스 때문에 서버관리자들이 고생 좀 하셨을껍니다.

KLTP에 보면 요즘 필터링하는 방법도 많이 올라오고요…

그래서, 요즘 많이 도는 몇가지 웜으로 인한 메일을 procmail을 이용해 필터링 하는

방법을 소개하겠습니다.

제 테스트서버에 사용하는거니깐 이대로 사용하셔도 되고, 자신에 맞게 바꿔서 사용하시길 바랍니

다.

# vi /etc/procmailrc

PATH=/usr/local/bin:/usr/bin:/bin

#LOGFILE=/var/log/procmail

VERBOSE=no

SHELL=/bin/sh

######################################################################################

###### Spam Mail filtering

#

#인코드되어 날아오는 헤더를 디코드 하는 부분.

:0 Efhw

*^(Subject|From|Cc):.*=\\?EUC-KR\\?(B|Q)\\?

|formail -c | hdcode -n

:0 Efhw

*^(Subject|From|Cc):.*=\\?ks_c_5601-1987\\?(B|Q)\\?

|formail -c | hdcode -n

:0

* ^Subject: .*(광고|광\\ 고|홍보|광-고|목록입니다|리스트입니다|성인정보|과ㅇ고|광\\.고|廣-告|광ㄱ고|광\\/고|광1고|廣>告|대출|대납)

/dev/null

:0

* ^Subject: .*\\[광.*고\\]

/dev/null

:0

* ^Subject: .*\\(광.*고\\)

/dev/null

:0

* ^Subject: .*\\[廣.*告\\]

/dev/null

:0

* ^Subject: .*\\(廣.*告\\)

/dev/null

:0

* ^Subject: .*\\[홍.*보\\]

/dev/null

:0

* ^Subject: .*\\(홍.*보\\)

/dev/null

:0

* ^Subject: .*\\[성.*인\\]

/dev/null

:0

* ^Subject: .*\\(성.*인\\)

/dev/null

:0

* ^Subject: .*\\[정.*보\\]

/dev/null

:0

* ^Subject: .*\\(정.*보\\)

/dev/null

######################################################################################

##### Virus Mail filtering

# filter mimail.Worm

:0

* ^Subject: .*your account

/dev/null

# filter out Klez. rule adapted from:

:0 :

* ^Content-Type: multipart/alternative;.*boundary=[A-Za-z0-9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-

9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-9]

* B ?? ^Content-Type: (audio/x-|application).*;.*$.*name=.*\\.(scr|com|bat|pif|lnk|exe)$

virus.klez

# filter sobig-[A-E] (and palyh)

:0 D

* ^Content-Type: multipart/mixed;[      ]*\\

   boundary=”CSmtpMsgPart123X456_000_[0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-

F][0-9A-F]”

* ^Received: from [A-Z0-9_-]+ \\(

* ^From: <

{

    :0 :

    * ^From: <(big@boss\\.com|support@microsoft\\.com)>

    /dev/null

    :0 B:

    * ^All information is in the attached file\\.|\\

      ^Please see the attached (zip )?file( for details)?\\.|\\

      ^Content-Type:.*$\\

       [        ]+name=”[^”]+\\.(com|bat|pif|lnk|exe|scr|zip)”$\\

       .*$\\

       Content-Disposition: attachment;$\\

       [        ]+filename=”[^”]+\\.(co|ba|pi|ln|ex|sc|zi)”

    /dev/null

}

# filter sobig-F, including its bounces

:0 HB:

* ^X-Mailer: Microsoft Outlook Express 6\\.00\\.2600\\.0000

* ^X-MailScanner: Found to be clean

* _NextPart_000_[0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F]

* !^X-MimeOLE

/dev/null

# Filter the YAHA virus (also snagged from the xs4all.general newsgroup)

:0

* ^Content-Type: multipart/mixed

* B ?? ^Content-Type:

(audio/x-|application).*;.*$.*name=.*\\.(scr|com|bat|pif|lnk|exe)$

{

        :0

        /dev/null

}