Gary Funck wrote:
we are missing the X-Virus-Status: header
that says what kind of virus was found
FWIW here's what I now have after following this thread, it almost works ok:
# filter any mail over 3000 through clamav
:0
* > 3000
{
VIRUS = `/sw/bin/clamscan --mbox --disable-summary --infected --stdout -`
:0
* VIRUS ?? FOUND
{
# Extract some headers into variables for logging
:0
* ^Subject:\/.*
{ SUB = $MATCH }
:0
* ^From:\/.*
{ FRO = $MATCH }
:0
* VIRUS ?? : \/.* FOUND\>
* MATCH ?? ^^\/.*F
* MATCH ?? ^^\/.*[^ ]
{ VIR = $MATCH }
LOG="$DATE $LOGUSER DELETED $VIR $SUB $FRO ${NL}"
# send message to a null host
:0
{ HOST = kill.virii.dead }
}
}
I was using multipart as the initial filter, but decided doing it on
size might be better - but that figure was plucked out of nothing; the
question is, just how small can a virus be?
My one virus test just gave the log:
12/02/2004 19:33:34 adrinux DELETED Worm.SCO.A F Delivery Status Notification (Failure) postmaster(_at_)roemer-insurance(_dot_)com
So those rules seemed to also match the F of found as well as the virus
name. FYI clamscan outputs like this when run on the command line with
--disable-summary:
message.zip: Worm.SCO.A FOUND
Will read man procmailrc and figure out why it's too greedy - if someone
doesn't tell me before I've eaten dinner :)
Adrian
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
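Added example (not from Adrian's post or the procmail project): a POSIX shell script that reproduces, with sed, the three-step MATCH extraction in the recipe above and shows why it logs "Worm.SCO.A F". Both procmail and sed use greedy regex matching, so `.*F` runs to the last F in the line, which is the F of FOUND; a class that stops at the first space (`[^ ]*`, the sed spelling of procmail's `^^\/[^ ]+`) yields just the signature name. The clamscan output lines and the second signature name are constructed samples, not real scanner output.

```shell
#!/bin/sh
# Added example: emulate the recipe's MATCH chain with sed and compare it
# with a narrower pattern. Nothing here is the original poster's code.

# Constructed sample of what `clamscan --disable-summary --infected --stdout -`
# prints for an infected message (one line per infected part).
SAMPLE_CLAMSCAN_OUTPUT='message.zip: Worm.SCO.A FOUND'

# Constructed two-hit sample; "Sample.Test.B" is a made-up signature name.
MULTI_LINE_OUTPUT='message.zip: Worm.SCO.A FOUND
attach.exe: Sample.Test.B FOUND'

# Step 1 of the recipe, `* VIRUS ?? : \/.* FOUND\>`: MATCH becomes everything
# after the first ": " up to and including FOUND (\/ keeps the whole tail).
extract_after_colon() {
    printf '%s\n' "$1" | sed -n 's/^[^:]*: \(.* FOUND\).*$/\1/p'
}

# Steps 2 and 3, `^^\/.*F` then `^^\/.*[^ ]`: the greedy .*F swallows up to
# the LAST F, so the F of FOUND stays attached to the name.
greedy_virus_name() {
    extract_after_colon "$1" \
        | sed -n 's/^\(.*F\).*$/\1/p' \
        | sed -n 's/^\(.*[^ ]\).*$/\1/p'
}

# Replacement for steps 2 and 3: keep only the leading run of non-space
# characters, which ends right before the space that precedes FOUND.
fixed_virus_name() {
    extract_after_colon "$1" | sed -n 's/^\([^ ]*\).*$/\1/p'
}

# clamscan may report several infected parts; like the recipe's single MATCH,
# log the first FOUND line only.
first_virus_name() {
    fixed_virus_name "$(printf '%s\n' "$1" | grep ' FOUND$' | head -n 1)"
}

# Stand-alone run: show both extractions side by side.
printf 'greedy: [%s]\n' "$(greedy_virus_name "$SAMPLE_CLAMSCAN_OUTPUT")"
printf 'fixed:  [%s]\n' "$(fixed_virus_name "$SAMPLE_CLAMSCAN_OUTPUT")"
printf 'first:  [%s]\n' "$(first_virus_name "$MULTI_LINE_OUTPUT")"
```

In the recipe itself the equivalent change is to replace the two `MATCH ??` conditions with a single `* MATCH ?? ^^\/[^ ]+`; ClamAV signature names contain no spaces, so stopping at the first space is safe.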