Re: Exim4 + ClamAV + Some Virii get through
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
David Purton <dcpurton@chariot.net.au> writes:
> I have a question about virus scanning at smtp time. Sadly I still
> find Exim4 acl stuff a bit of a black art :(
>
> Sometimes a virus that clamav *does* already know about gets through.
That's usually a new virus.
> I'm figuring that this virus (in this case Worm.MyDoom.M) has
> deliberately broken its MIME encoding and Exim has been unable to
> extract the file to pass to ClamAV. Does this sound right?
ClamAV might not know about it, yet. See ClamAV's website to find out
how you can add the signature.
> deny message = This message contains malformed MIME ($demime_reason)
> demime = *
> condition = ${if >{$demime_errorlevel}{2}{1}{0}}
>
>
> If I understand this correctly, then it will deny any message with
> broken mime encoding.
>
> 1. Will this help in my above situation?
Possibly. Try it and see? Let us know what it does for you.
> 2. Is this likely to mean that some legitimate email from say a well
> known mail client will be rejected? (This is a business mail server,
> so I need to be sure we aren't rejecting legit mail)
Well, if anybody, anywhere is running a Microsoft MUA, then this is
always a possibility whenever you try to enforce the RFCs.
> If this is indeed useful, maybe Paul could add it to his "Rejecting
> Email Viruses the Right Way" page?
Sure.
> Also you could add the rejecting of all messages containing dodgy
> Windows executable extension too IMO.
I prefer to actually find out if something really is hostile before I
judge it. Err on the side of accepting it anyway if you need to make a
judgement call, or you're bound to miss legitimate mail along the line.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD4DBQFBD+GnUzgNqloQMwcRAvsVAJdo7T4LNVGdDC6QvMDmhyzY05xuAJ9YeRH5
ba5vxY2tsEeLbwD5j9b6dQ==
=fuNk
-----END PGP SIGNATURE-----
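Added illustration (not code from this thread, from Exim or from ClamAV) of the point behind the quoted demime ACL: when a message's MIME structure is broken, the attachment may never be separated out, so the virus scanner is handed nothing to look at. The script below uses Python's standard-library email parser to grade structural defects on a scale in the spirit of $demime_errorlevel, apply the quoted "deny only if level > 2" rule, and list which attachments a scanner fed by this parser would still see. The severity numbers and the three sample messages are constructed for the example and are not Exim's documented values.

```python
"""Grade how badly a message's MIME structure is broken, in the spirit of an
Exim demime ACL condition, and report what a scanner could still extract."""
import email
from email import policy
from email.errors import (
    CloseBoundaryNotFoundDefect,
    MultipartInvariantViolationDefect,
    NoBoundaryInMultipartDefect,
    StartBoundaryNotFoundDefect,
)

# Severity per parser defect. This scale is our own assumption: "the parser
# could not find the parts at all" scores above "parts found, but the closing
# boundary was missing". It is not Exim's documented $demime_errorlevel scale.
DEFECT_LEVEL = {
    NoBoundaryInMultipartDefect: 3,
    MultipartInvariantViolationDefect: 3,
    StartBoundaryNotFoundDefect: 3,
    CloseBoundaryNotFoundDefect: 2,
}
OTHER_DEFECT_LEVEL = 1  # any other structural complaint the parser records


def mime_error_level(raw: bytes) -> int:
    """Highest severity among the defects the parser recorded on any part
    of the message; 0 when the structure parsed cleanly."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    level = 0
    for part in msg.walk():  # walk() yields the root message as well
        for defect in part.defects:
            level = max(level, DEFECT_LEVEL.get(type(defect), OTHER_DEFECT_LEVEL))
    return level


def attachment_names(raw: bytes) -> list:
    """File names of the attachments the parser could actually separate out,
    i.e. what a content scanner fed by this parser would get to inspect."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def acl_verdict(raw: bytes, threshold: int = 2) -> str:
    """Mirror the quoted condition ${if >{$demime_errorlevel}{2}{1}{0}}:
    deny only when the error level is strictly above the threshold."""
    return "deny" if mime_error_level(raw) > threshold else "accept"


def build(headers, body_lines):
    """Assemble a constructed test message, CRLF-terminated as on the wire."""
    return ("\r\n".join(headers + [""] + body_lines) + "\r\n").encode()


HEADERS = ["From: sender@example.com", "To: rcpt@example.com",
           "Subject: report", "MIME-Version: 1.0"]
PART_LINES = ["--b1", "Content-Type: text/plain", "", "see attached",
              "--b1",
              'Content-Type: application/octet-stream; name="report.zip"',
              'Content-Disposition: attachment; filename="report.zip"',
              "Content-Transfer-Encoding: base64", "", "UEsDBAo="]

# Constructed samples: well-formed, missing close boundary, missing boundary parameter.
GOOD = build(HEADERS + ['Content-Type: multipart/mixed; boundary="b1"'],
             PART_LINES + ["--b1--"])
NO_CLOSE = build(HEADERS + ['Content-Type: multipart/mixed; boundary="b1"'],
                 PART_LINES)
NO_BOUNDARY = build(HEADERS + ["Content-Type: multipart/mixed"],
                    PART_LINES + ["--b1--"])

if __name__ == "__main__":
    for name, raw in [("good", GOOD), ("no-close", NO_CLOSE),
                      ("no-boundary", NO_BOUNDARY)]:
        print(f"{name:12s} level={mime_error_level(raw)} "
              f"verdict={acl_verdict(raw)} attachments={attachment_names(raw)}")
```

The "no-boundary" sample is the interesting one for the thread: it declares multipart/mixed but carries no boundary parameter, so the parser sees a single opaque body, no attachment is ever extracted, and only the structural check catches it. The "no-close" sample shows the other side of the trade-off David asks about: a merely sloppy message (missing final boundary) still yields its attachment to the scanner, and with the strict "> 2" rule it is still accepted, which is the kind of leniency that keeps legitimate mail from odd clients flowing.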