One way is to define a custom macro rule for the virus; for instance, with the Melissa virus you could write a macro that would check each message for the common text embedded in the message.
HSubject: $>Chek_it
D{MPAT} "Suspected text"
(or an F line for zip files or some other attachment)
D{MMsg}This is probably a virus
The first line forwards all new messages to a rule called Chek_it. The other two lines create a return and virus message for the ruleset and for sending to users.
The ruleset starts with an S line:
SChek_it
(Rules are R lines.)
# The left and right sides of an R line are separated by a tab
R${MPAT} $*	$#error $: 553 ${MMsg}
This nonsense just says that if the MPAT matches with any number of consecutive lines, then the default action is to get rid of it and send the previously defined error message to the intended victim. You could also write a return rule here, which would be really useless since the poor sod who sent it has enough trouble already.
Now all you have to do is either find some patterns (attachment files, subject lines, etc.) in this new virus to write a ruleset around, or go out to one of the sendmail groups or security sites and get a patch ruleset to add to your sendmail.cf.
This stops it before it gets to the mailbox.
If the mail is already in place, then searching through the mail with something like grep or mailgrep might work, or may be a really bad idea, depending on the virus.
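
A header-only way to do the search described above for mail that is already in a mailbox, as an added example that is not part of the original post: it parses an mbox file and lists messages whose Subject starts with the pattern, without decoding any body or attachment. The pattern reuses the "Suspected text" placeholder from the ruleset; the function names, addresses and sample mailbox are constructed for illustration.

```python
import mailbox
import re
import tempfile
from email.header import decode_header, make_header

SUSPECT_PATTERN = "Suspected text"  # assumption: placeholder from the D{MPAT} line

def decoded_subject(msg):
    """Subject as plain text: unfolded and RFC 2047-decoded."""
    raw = msg.get("Subject", "")
    try:
        text = str(make_header(decode_header(raw)))
    except Exception:  # malformed encoded-word: fall back to the raw header
        text = str(raw)
    return " ".join(text.split())

def find_suspects(mbox_path, pattern=SUSPECT_PATTERN):
    """Return (index, sender, subject) for each message whose Subject starts
    with the pattern, allowing Re:/Fw:/Fwd: prefixes. Only headers are
    examined; bodies and attachments are never decoded or opened."""
    rx = re.compile(r"(?:(?:re|fwd?)\s*:\s*)*" + re.escape(pattern), re.I)
    box = mailbox.mbox(mbox_path, create=False)
    try:
        hits = []
        for key, msg in box.iteritems():
            subject = decoded_subject(msg)
            if rx.match(subject):
                hits.append((key, msg.get("From", ""), subject))
        return hits
    finally:
        box.close()

def write_sample_mbox():
    """Write a constructed four-message mbox to a temp file; return its path."""
    sample = (
        "From a@example.com Mon Mar 29 10:00:00 1999\n"
        "From: a@example.com\nSubject: Suspected text from A\n\nbody\n\n"
        "From b@example.com Mon Mar 29 10:01:00 1999\n"
        "From: b@example.com\nSubject: Re: =?utf-8?q?Suspected_text?= again\n\nbody\n\n"
        "From c@example.com Mon Mar 29 10:02:00 1999\n"
        "From: c@example.com\nSubject: Suspected\n text folded\n\nbody\n\n"
        "From d@example.com Mon Mar 29 10:03:00 1999\n"
        "From: d@example.com\nSubject: Lunch on Friday\n\nbody\n"
    )
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as fh:
        fh.write(sample)
    return fh.name

if __name__ == "__main__":
    for hit in find_suspects(write_sample_mbox()):
        print(hit)
```

Unlike a plain grep, this also catches subjects that are folded across lines or MIME-encoded, and it never touches the attachment itself.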