
Exim4 + ClamAV + Some Virii get through



Hi,

I have a question about virus scanning at smtp time. Sadly I still find
Exim4 acl stuff a bit of a black art :(

Sometimes a virus that clamav *does* already know about gets through.

I notice from my Exim logs that this is often accompanied by this sort
of message:


2004-08-03 09:27:31 1BrmgJ-0006og-NA demime acl condition: base64 line length exceeds 76 characters
2004-08-03 09:27:31 1BrmgJ-0006og-NA demime acl condition: base64 line contains illegal character
2004-08-03 09:27:31 1BrmgJ-0006og-NA demime acl condition: base64 line length is not a multiple of 4 characters


I'm figuring that this virus (in this case Worm.MyDoom.M) has
deliberately broken its mime encoding and Exim has been unable to
extract the file to pass to ClamAV. Does this sound right?

Has anyone seen this sort of thing? Is there anything I can do about it?

I poked around a bit in google and found this site:

http://www.webhostgear.com/149.html

It offers these lines, which might help in
/etc/exim4/conf.d/acl/40_exim4-config_check_data:


deny message = This message contains malformed MIME ($demime_reason)
  demime = *
  condition = ${if >{$demime_errorlevel}{2}{1}{0}}


If I understand this correctly, then it will deny any message with
broken mime encoding.

1. Will this help in my above situation?

2. Is this likely to mean that some legitimate email from say a well
   known mail client will be rejected? (This is a business mail server,
   so I need to be sure we aren't rejecting legit mail)


If this is indeed useful, maybe Paul could add it to his "Rejecting Email
Viruses the Right Way" page? Also you could add the rejecting of all
messages containing dodgy windows executable extensions too IMO.


I'm running woody with backports of Exim4, ClamAV

cheers

dc

-- 
David Purton
dcpurton@chariot.net.au
 
For the eyes of the LORD range throughout the earth to
strengthen those whose hearts are fully committed to him.
                                 2 Chronicles 16:9a
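
Added example (not part of the original post, and not Exim's demime code): a Python script that checks each base64 MIME part of a message for the same three conditions named in the log lines above. Run over saved mail from known clients, it shows which messages a malformed-MIME rule would flag. The function names and the sample message are constructed for illustration.

```python
import email
import string

# Characters allowed on a base64 body line (alphabet plus padding).
B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")

# Constructed sample message: one clean part, one deliberately malformed part.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Disposition: attachment; filename="ok.txt"
Content-Transfer-Encoding: base64

aGVsbG8gd29ybGQ=
--XX
Content-Disposition: attachment; filename="broken.bin"
Content-Transfer-Encoding: base64

aGVsbG8*d29ybGQ
--XX--
"""

def check_base64_lines(payload):
    """Return a sorted list of anomalies found in a raw (undecoded) base64 body."""
    found = set()
    for line in payload.splitlines():
        if len(line) > 76:
            found.add("line length exceeds 76 characters")
        if any(ch not in B64_ALPHABET for ch in line):
            found.add("line contains illegal character")
        if len(line) % 4 != 0:
            found.add("line length is not a multiple of 4 characters")
    return sorted(found)

def audit_message(raw):
    """Map each base64 part (by filename, else content type) to its anomalies."""
    report = {}
    for part in email.message_from_string(raw).walk():
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        if part.is_multipart() or cte != "base64":
            continue
        name = part.get_filename() or part.get_content_type()
        # decode=False keeps the encoded text exactly as it was sent.
        report[name] = check_base64_lines(part.get_payload(decode=False))
    return report

if __name__ == "__main__":
    print(audit_message(SAMPLE))
```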
