procmail

RE: [pro] Re: Real Virus Scanner

2004-02-12 08:36:08




I have been using a procmail rule for clamav that started like this:

:0
* multipart

Is there a reason to filter all mail through clamav rather than just 
mail with attachments?

I think there might've been times in the past where Outlook(tm)
mishandled invalid MIME, and would find attachments that escaped many
of the popular virus scanners. As the scanners got smarter they'd find
the virus even if the client hadn't been fixed yet. Therefore, you might
want to leave the heuristics up to the virus scanner itself, unless their
documentation recommends certain pre-checks that you're allowed to make.

Also, I'd like it if the virus scanners classified postmaster bounce
messages containing the encoded virus often with an attachment which
contains the original message. That would still hit your multipart
check however, so your method would cover this case.


Also:
        :0 wic
        VIRUS=|/usr/bin/clamscan --mbox --disable-summary --stdout  -

Why the c here? What purpose does making a copy serve?

I don't know really. It is just an idiom I picked up from reading the
list. The manpage seems to imply that in the case of VAR=|... as the
action that this would be unnecessary. I don't know if in fact internally
it does the same thing as 'c' to achieve this. I just like to emphasize
that a copy is being fed to the pipe. Perhaps the experts can comment
here. Certainly, the 'w' is required per the earlier thread.



_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
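
Added example, not part of the original post: a Python sketch of which messages a header-only `* multipart` pre-check would hand to the scanner, compared with which ones actually carry a file. The function names (`precheck_matches`, `carries_file`, `audit`) are hypothetical and all sample messages are constructed.

```python
import re
from email import message_from_string
from email.message import EmailMessage

def precheck_matches(raw, pattern="multipart"):
    # procmail tests a condition regex against the header only,
    # unanchored and case-insensitive, unless flags say otherwise.
    header = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    return re.search(pattern, header, re.I) is not None

def carries_file(raw):
    # Rough stand-in (an assumption) for "content a scanner should look at".
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() != "text" or part.get_filename():
            return True
        if re.search(r"^begin [0-7]{3,4} \S+", part.get_payload(), re.M):
            return True
    return False

def build_samples():
    data = b"constructed sample bytes"
    multi = EmailMessage()
    multi["Subject"] = "report"
    multi.set_content("see attached")
    multi.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename="report.bin")
    single = EmailMessage()
    single["Subject"] = "report"
    single.set_content(data, maintype="application",
                       subtype="octet-stream", filename="report.bin")
    uu = ("Subject: report\n\nfile below\nbegin 644 report.bin\n"
          "(constructed placeholder line, not real uuencoded data)\nend\n")
    plain = "Subject: hello\n\njust text\n"
    return {"multipart": multi.as_string(), "single-part": single.as_string(),
            "uuencoded": uu, "plain": plain}

def audit():
    # name -> (would reach clamscan under `* multipart`, carries a file)
    return {n: (precheck_matches(r), carries_file(r))
            for n, r in build_samples().items()}

if __name__ == "__main__":
    for name, (scanned, has_file) in audit().items():
        print(f"{name:12} scanned={scanned!s:5} carries_file={has_file}")
```

The single-part and uuencoded samples carry a file yet never match the pre-check, which is the coverage gap that scanning all mail closes.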