This is a template for the infected-mail handler script.  The actual
scripts are produced by subst.sh and the language files.

#! /bin/sh
#
# Autogenerated from $Id: template,v 1.12 2002/10/09 22:01:09 mjt Exp $
#
# This program is called by avcheck to handle infected mail.
# Customize to fit your needs.
#
# This script is able to send slightly different messages to
# local "virus administrator", to sender and/or to recipients
# of the original infected message:
#  administrator will receive complete original message
#   as attachment, and complete list of recipients.
#  sender will also receive complete message and list of
#   recipients, together with little instructions/suggestions
#  recipients will receive only headers of original message,
#   without original recipients (privacy)
#
# See below for customization.
#
# Author: Michael Tokarev <mjt@corpit.ru>
# @STAMP@
# @ISTAMP@
# Public domain.

# Arguments, in the order avcheck passes them:
#  1   - temporary filename with message
#  2   - antivirus message if any (multiline, may be empty)
#  3   - from (sender) address (mail from)
#  4.. - recipients of a message
# All of these describe a message that was flagged as infected, so treat
# the sender, the recipients and the scanner text as untrusted input.
MAIL=$1
# An empty or missing scanner message falls back to a generic text.
MSG=${2:-Infected by a virus}
SENDER=$3
# After the shift $@/$* hold only the original recipients.
# Always enclose them in ""!
shift 3

# Name of this host; it is used in the MIME boundary and in the
# Reporting-MTA field of the sender notification.
HOST=$(hostname)

# Value written into the From: header of every alert.
FROM="Antivirus-Daemon"

# Administrator address; set to empty to skip administrator email.
VIRUS_ALERT="virus-alert"
# The code below may be used to have several virus-alert addresses
# depending on recipient domain.
#VIRUS_ALERT=
#for r ; do
# case `echo ".$r" | sed -e 's/.*@//' | tr '[A-Z]' '[a-z]'` in
#  domain1.example.com)
#    VIRUS_ALERT="$VIRUS_ALERT virus-alert@domain1.example.com" ;;
#  domain2.example.com)
#    VIRUS_ALERT="$VIRUS_ALERT virus-alert@domain2.example.com" ;;
#  domain3.example.com|domain4.example.com)
#    VIRUS_ALERT="$VIRUS_ALERT virus-alert@domain3.example.com" ;;
#  *)
#    VIRUS_ALERT="$VIRUS_ALERT virus-alert@example.com" ;;
# esac
#done
#case "$VIRUS_ALERT" in
# *\ *) VIRUS_ALERT=`echo $VIRUS_ALERT | tr ' ' '\n' | sort -u` ;;
#esac
#

# Sender notification: y sends the complete original message,
# h sends only its headers.
#INFORM_SENDER="y"
INFORM_SENDER="h"

# Recipient notification: y sends an alert to the recipients.
INFORM_RCPT="n"

# y makes the script exit with EX_UNAVAILABLE to allow bounce by MTA.
# Enable only one of INFORM_SENDER and BOUNCE; with both enabled the
# sender will receive two (non)delivery notifications.
BOUNCE="n"

# List of viruses known to forge sender address.
# This is an egrep pattern (use "|" to separate names); it is matched
# against the antivirus message with $EGREP, i.e. case-insensitively.
FAKERS="(klez|bugbear|tanatos)"

# $SENDMAIL should be set by avcheck.  The default below is applied only
# when the variable is unset; an empty value is kept as it is.
: "${SENDMAIL=/usr/sbin/sendmail -i}"

# Exit codes used by this script, and the grep command for all pattern checks.
EX_TEMPFAIL="75"
EX_UNAVAILABLE="69"
EGREP="egrep -i"

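# Remove the temporary message file when the script exits or is
# interrupted by signal 1, 2, 3 or 15.
# The handlers are single-quoted on purpose: "$MAIL" is then expanded,
# quoted, only when the trap runs.  With a double-quoted handler the file
# name is pasted into the command text when the trap is installed, so a
# name containing whitespace or shell metacharacters would be split or
# interpreted by the shell.  "--" keeps a name starting with "-" from
# being read as an option of rm.
trap 'rm -f -- "$MAIL"; exit $EX_TEMPFAIL' 1 2 3 15 # in case of signal
trap 'rm -f -- "$MAIL"' 0 # cleanup at exit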

################ log to syslog
# One mail.warn record per infected message.  Sender, recipients and the
# antivirus message are written exactly as received on the command line;
# the antivirus message may span several lines.
logger -p mail.warn -t "avcheck[$$]" \
  "infected: from=$SENDER, to=$*, msg=$MSG"

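# start_alert type [to]
#
# Print the mail headers, the MIME preamble and the header of the first
# (text/plain) part of a multipart/report alert.
# Globals:   FROM, SENDER, HOST (read)
#            boundary (written; attach_message and attach_message_headers
#            reuse it, so they must run in the same shell as this function)
#            sa_to, sa_sender (scratch variables)
# Arguments: $1 - alert type, used in the Subject and in the MIME boundary
#            $2 - optional content of the To: header; when it is empty no
#                 To: header is written
# Outputs:   the header block on stdout
start_alert() {
  boundary="avcheck-$1-$$-$(date '+%Y%m%d%H%M%S')@$HOST"
  # The To: value and the sender address belong to the infected message.
  # CR and LF are replaced by spaces so that neither value can start a
  # header line of its own in the alert.
  sa_to=$(printf '%s' "$2" | tr '\r\n' '  ')
  sa_sender=$(printf '%s' "$SENDER" | tr '\r\n' '  ')
  # printf and a here-document are used instead of echo: some /bin/sh
  # implementations expand backslash sequences such as \n in echo
  # arguments, which would also turn one header value into several lines.
  if [ -n "$2" ] ; then printf 'To: %s\n' "$sa_to"; fi
  cat <<EOF
From: $FROM
Subject: $1 Virus-alert (sender: $sa_sender)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
        boundary="$boundary"

This is a multi-part message in MIME format.

--$boundary
Content-Type: text/plain; charset=@CHARSET@
Content-Description: Notification

EOF
}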

# Print the complete infected message as the final message/rfc822 part,
# followed by the closing MIME boundary.
# Globals: boundary (read; set by start_alert), MAIL (read)
# Outputs: the MIME part on stdout
attach_message() {
  # blank line, opening delimiter, part headers, blank line ending them
  printf '\n--%s\n' "$boundary"
  printf '%s\n' \
    'Content-Type: message/rfc822' \
    'Content-Description: Infected message' \
    'Content-Disposition: attachment' \
    ''
  # the message file is copied unmodified
  cat "$MAIL"
  printf '\n--%s--\n' "$boundary"
}

# Print only the header section of the infected message as the final
# message/rfc822-headers part, followed by the closing MIME boundary.
# Globals: boundary (read; set by start_alert), MAIL (read)
# Outputs: the MIME part on stdout
attach_message_headers() {
  # blank line, opening delimiter, part headers, blank line ending them
  printf '\n--%s\n' "$boundary"
  printf '%s\n' \
    'Content-Type: message/rfc822-headers' \
    'Content-Description: Infected message headers' \
    'Content-Disposition: inline' \
    ''
  # copy up to and including the first empty line; the body is left out
  sed '/^$/q' "$MAIL"
  printf '\n--%s--\n' "$boundary"
}

################ send to administrator
# The administrator alert carries the complete infected message as a
# message/rfc822 attachment (attach_message).  Of the three notifications
# this is the only one whose failure stops the script: a non-zero status
# of $SENDMAIL ends it with EX_TEMPFAIL.
if [ -n "$VIRUS_ALERT" ] ; then
(
  # start_alert sets $boundary; attach_message runs in the same subshell
  # and reuses it.
  start_alert Administrator "$VIRUS_ALERT"
  # The next line is a template placeholder; presumably the notification
  # text is substituted for it when the script is generated.
  @ADMIN_MSG@
  attach_message

# $VIRUS_ALERT is unquoted here, so it is split into one argument per
# address.  Unlike the sender and recipient sends below there is no "--"
# in front of it: configured addresses must not start with "-".
) | $SENDMAIL -f "" $VIRUS_ALERT
# $? is the status of $SENDMAIL, the last command of the pipeline.
if [ $? != 0 ] ; then
  echo "$0: unable to send administrator email" >&2
  exit $EX_TEMPFAIL
fi
fi # VIRUS_ALERT administrator mail


################ send alert to sender
# INFORM_SENDER=y attaches the complete infected message, INFORM_SENDER=h
# only its headers.  The alert goes to the sender address given as the
# third argument.  The three checks below suppress it for list/daemon-like
# or empty senders, for mail carrying list or bulk headers, and for
# antivirus messages matching $FAKERS.  A forged sender address that none
# of these checks catches still receives the alert, so $FAKERS has to be
# kept current.
if [ ".$INFORM_SENDER" = .y -o ".$INFORM_SENDER" = .h ] ; then
 # check if the message is from any list manager or from special address

 # All patterns are matched with $EGREP, which is "egrep -i" unless it
 # was changed above.
 if echo "$SENDER" | $EGREP >/dev/null \
  '(^$|daemon|request|bounce|mailer|postm|owner|lists|words|majordom|experts|\-(return|error))'
 then
   : # do nothing for special sender addresses
 # only the header section (up to the first empty line) is examined
 elif sed -e '/^$/q' "$MAIL" | $EGREP >/dev/null \
  '^((x-)?(loop|(mailing-)?list(name|member)|mailman)|precedence: (bulk|list|junk))'
 then
   : # do nothing when some special header present
 elif echo "$MSG" | $EGREP "$FAKERS" >/dev/null ; then
   : # do nothing for klez-like virus: sender is forged anyway
 else
   # really send sender virus alert
(
  start_alert Sender "$SENDER"
  # The next line is a template placeholder; presumably the notification
  # text is substituted for it when the script is generated.
  @SENDER_MSG@
  # second part of the multipart/report: the delivery-status report
  echo "
--$boundary
Content-Description: Delivery error report
Content-Type: message/delivery-status

Reporting-MTA: dns; $HOST"

  # "for i do" walks the positional parameters, i.e. the original
  # recipients: one per-recipient group each.  $MSG is inserted as it is;
  # when it has several lines, the extra lines follow Diagnostic-Code
  # without any folding.
  for i do
    echo "
Final-Recipient: rfc822; $i
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Avcheck; service unavailable. $MSG"
  done

  # last part: whole message (y) or headers only (h)
  if [ $INFORM_SENDER = y ] ; then attach_message
  else attach_message_headers
  fi
# "--" ends option parsing, so a sender address starting with "-" is
# passed to $SENDMAIL as an address and not as an option.
)  | $SENDMAIL -f "" -- "$SENDER"
if [ $? != 0 ] ; then
  # Only warn if it is not possible to send sender alert:
  # from address may be modified by a virus.  This is like a bounce:
  # if we can't send it, it should be dropped.  It will be good to be
  # able to capture $SENDMAIL's output and log it as well.
  logger -p mail.warn -t "avcheck[$$]" \
    "unable to send sender ($SENDER) notification"
  #echo "$0: unable to send sender email" >&2
  #exit $EX_TEMPFAIL
fi

fi
fi # INFORM_SENDER

################ send alert to recipients
# Recipients get only the header section of the infected message
# (attach_message_headers), never its body.
if [ ".$INFORM_RCPT" = .y ] ; then
(
  # With exactly one recipient its address is written into To:.  With
  # several, start_alert is called without an address and writes no To:
  # header, so the alert does not list the other recipients.
  if [ $# = 1 ] ; then
    start_alert Recipient "$1"
  else
    start_alert Recipient
  fi
  # The next line is a template placeholder; presumably the notification
  # text is substituted for it when the script is generated.
  @RCPT_MSG@
  attach_message_headers

# "$@" passes every recipient as one argument of its own; "--" keeps an
# address starting with "-" from being read as an option of $SENDMAIL.
) | $SENDMAIL -f "" -- "$@"
if [ $? != 0 ] ; then
  # The same as with sender: do not bail if it isn't possible to send
  # recipient notification.
  logger -p mail.warn -t "avcheck[$$]" "unable to send recipient notification"
  #echo "$0: unable to send recipient email" >&2
  #exit $EX_TEMPFAIL
fi
fi # INFORM_RCPT

# With BOUNCE=y the message is bounced back using the standard MTA bounce
# feature: the reason, including the antivirus message, is written to
# stderr and the script ends with EX_UNAVAILABLE.
case ".$BOUNCE" in
  .y)
    printf '%s\n' "Message didn't pass the virus check: $MSG" >&2
    exit $EX_UNAVAILABLE
    ;;
esac

# Normal exit, no bounce: in case of content_filter,
# mail will be discarded.
exit 0
