
Re: Virus emails



On Tue, Sep 23, 2003 at 08:39:02AM -0400, H. S. Teoh wrote:
> > > What are the exim rules you used to catch these things?
> > 
> >     exiscan-acl calling clamav and dropping it with a 550.  A full log
> > line would be:
> > 
> > 2003-09-22 07:38:05 1A1RpB-0007Xd-Of H=(smtp21.singnet.com.sg)
> > [165.21.101.201] F=<josen@mbox3.singnet.com.sg> rejected after DATA: This
> > message contains a virus or other malware (Worm.Gibe.F).
> 
> I see. Thanks for the info, I'll look it up.

exim4-daemon-heavy includes the Exiscan patch that allows one to scan for
malformed MIME, viruses and spam during the SMTP dialogue.

Install clamav-daemon and in the general settings block add:

av_scanner = clamd:/var/run/clamd.ctl

And in the ACL block after DATA, you put something like:

  deny message = Message contains malware ($malware_name)
       demime = *
       malware = *

Works wonders.

There are also similar low-level interfaces to SpamAssassin: one is via a
sa-exim.so that is loaded via the local_scan() interface,

local_scan_path = .../somewhere/sa-exim-3.0.so

And another one is via an exiscan ACL setting for it (also in the DATA ACL),

  deny message = Classified as spam (score $spam_score)
       condition = ${if <{$message_size}{80k}{1}{0}}
       condition = ${if >{$spam_score_int}{120}{1}{0}}
       spam = nobody

(that 120 is 12.0 in SA terms)

For now I'm using the SA-Exim method because even though it's clumsy (needs
the .so file compiled from source so distribution isn't as trivial as an
apt-get invocation), I used it before the Exiscan patch was available and it
was reliable. (I'd welcome suggestions from other users about this issue.)

> > > If you want to automate this more, you could write a spamassassin rule
> > > that matches Swen mails, then use procmail to filter it (match against the
> > > rule name in X-Spam-Status) through a script that grabs the IP address and
> > > enters it into the firewall.
> > 
> >     Except it never hits SA nor do I even have procmail installed.  Can't
> > stand the ugly beast.
> 
> It never hits SA?

Because his antivirus ACL kills it before that.

-- 
     2. That which causes joy or happiness.
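An added example, not part of the thread: a small Python parser for the "rejected after DATA" mainlog lines that the ACLs above produce (both the malware and the spam deny messages), tallying rejections per malware name and per sending IP so a postmaster can see what the SMTP-time scanning is actually catching. The log lines are constructed (RFC 5737 addresses, made-up message ids) in the shape of the line quoted earlier in the thread.

```python
import re
from collections import Counter

# Constructed sample mainlog lines (RFC 5737 addresses, made-up ids) in the
# shape of the exiscan rejection quoted in the thread and of the two deny
# messages from the ACLs above.
SAMPLE_LOG = """\
2003-09-22 07:38:05 1A1RpB-0007Xd-Of H=(smtp.example.net) [192.0.2.10] F=<a@example.net> rejected after DATA: This message contains a virus or other malware (Worm.Gibe.F).
2003-09-22 07:41:12 1A1RsA-0007Yq-1x H=(relay.example.org) [192.0.2.10] F=<b@example.org> rejected after DATA: Message contains malware (Worm.Gibe.F)
2003-09-22 07:42:30 1A1RtC-0007Zz-2y H=mx.example.com (helo.example.com) [198.51.100.7] F=<c@example.com> rejected after DATA: Classified as spam (score 14.3)
2003-09-22 07:45:01 1A1RwD-00080a-3z H=(bounce.example.com) [198.51.100.7] F=<> rejected after DATA: Classified as spam (score 12.0)
2003-09-22 07:46:00 1A1RxE-00081b-4a <= d@example.com H=(mx.example.com) [203.0.113.5] P=esmtp S=1234
"""

# One Exim "rejected after DATA" line: timestamp, message id, H= host info, F= sender, reason.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) "
    r"H=(?:(?P<host>[^(\[\s]\S*) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\] "
    r"F=<(?P<sender>[^>]*)> rejected after DATA: (?P<reason>.*)$"
)
MALWARE_RE = re.compile(r"malware \((?P<name>[^)]+)\)")
SPAM_RE = re.compile(r"score (?P<score>\d+(?:\.\d+)?)")


def parse_rejection(line):
    """Return a dict for a DATA-time rejection, or None for any other log line."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "ip": m["ip"], "sender": m["sender"],
           "kind": "other", "detail": None}
    if mw := MALWARE_RE.search(m["reason"]):
        rec["kind"], rec["detail"] = "malware", mw["name"]
    elif sp := SPAM_RE.search(m["reason"]):
        rec["kind"], rec["detail"] = "spam", float(sp["score"])
    return rec


def summarize(log_text):
    """Tally rejections by malware name and by sending IP."""
    recs = [r for r in map(parse_rejection, log_text.splitlines()) if r]
    by_malware = Counter(r["detail"] for r in recs if r["kind"] == "malware")
    by_ip = Counter(r["ip"] for r in recs)
    return recs, by_malware, by_ip


if __name__ == "__main__":
    recs, by_malware, by_ip = summarize(SAMPLE_LOG)
    print(f"{len(recs)} rejections; malware: {dict(by_malware)}; per IP: {dict(by_ip)}")
```

Point `summarize` at the contents of /var/log/exim4/mainlog to run it against real data; lines that are not DATA-time rejections (deliveries, acceptances) are skipped.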


