procmail

Re: [pro] Re: Real Virus Scanner

2004-02-13 07:28:58
On Thu, Feb 12, 2004 at 07:55:57PM +0000, Adrian Simmons wrote:

> FWIW here's what I now have after following this thread, it almost
> works ok:
>
> # filter any mail over 3000 through clamav
> :0
> * > 3000
> {
>  VIRUS = `/sw/bin/clamscan --mbox --disable-summary --infected --stdout -`
>
>  :0
>  * VIRUS ?? FOUND
>  {
>   # Extract some headers into variables for logging
>   :0
>   * ^Subject:\/.*
>   { SUB = $MATCH }
>
>   :0
>   * ^From:\/.*
>   { FRO = $MATCH }
>
>   :0
>   * VIRUS ?? : \/.* FOUND\>
>   * MATCH ?? ^^\/.*F
>   * MATCH ?? ^^\/.*[^ ]
>   { VIR = $MATCH }
>
>   LOG="$DATE $LOGUSER DELETED $VIR $SUB $FRO ${NL}"
>
>   # send message to a null host
>   :0
>   { HOST = kill.virii.dead }
>  }
> }
>
>
> I was using multipart as the initial filter, but decided doing it on
> size might be better - but that figure was plucked out of nothing; the
> question is, just how small can a virus be?

What made you decide it might be better?  I would use something similar
to what's in my Virus Snaggers recipe.  Maybe something like:

   :0 wb
   * 9876543210^0  ^Content-Type:.*(attachment|multipart)
   * 9876543210^0  ^Content-.*[.]
   SC_OUT=| clamscan --disable-summary --infected --stdout -

   :0 e  # we're here if positive exit code; usually means virus found
   {
        MYEXIT = $?

        :0:  # positive exit codes other than 1 are problems
        *         -1^0
        * $  $MYEXIT^0
        PROBLEM

        :0 hi
        * SC_OUT ?? : \/.* FOUND\>
        * MATCH ?? ^^\/.*F
        * MATCH ?? ^^\/.*[^F]
        * MATCH ?? ^^\/.*[^ ]
        {
             LOG = "$NL Virus found: $MATCH $NL"
             HOST = sayonara
        }
   }

Again, I can't test this fully, because clamscan is not fully
functional on this system.  Note that I left a line out of my
match-token recursion, which is why you were left with an F
on the end.  Fixed above.

You don't need a separate recipe to set HOST.  Just set it
inside your braces. 

You might want to move your extractions of From: and Subject:
up above, for the general case, rather than reserving them
specifically for viruses.  Also, if you don't want to /dev/null
the viruses, you could do this instead at the end:


        :0 fw
        * SC_OUT ?? : \/.* FOUND\>
        * MATCH ?? ^^\/.*F
        * MATCH ?? ^^\/.*[^F]
        * MATCH ?? ^^\/.*[^ ]
        | formail -I "X-Clamscan: $MATCH"

        :0:
        MYVIRUS

-- 
dman
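Added example, not code from this thread and not part of procmail or ClamAV: a POSIX sh version of the decision logic in the recipe above, so the three pieces that matter (clamscan exit status mapped to clean/infected/problem, the signature name pulled out of the "... FOUND" line that the MATCH recursion isolates, and an X-Clamscan header inserted where the recipe calls formail -I) can be run and checked on a box without a working clamscan. The function names, the SCANNER variable and the sample scanner line are assumptions, not anything the list or ClamAV defines.

```shell
#!/bin/sh
# Assumed scanner command line (same flags as in the recipe); override SCANNER
# to point at a stand-in when clamscan is not installed.
SCANNER="${SCANNER:-clamscan --disable-summary --infected --stdout -}"

# Constructed sample of what clamscan prints for an infected stream.
SAMPLE_SCAN_OUTPUT='stream: Eicar-Test-Signature FOUND'

# Map clamscan's exit status to a disposition. 0 = clean, 1 = virus found;
# anything else (missing database, bad option, not installed -> 127) is a
# scanner problem and must not be mistaken for "clean".
classify_exit() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo problem ;;
    esac
}

# Extract the signature name: the text between ": " and " FOUND" on the first
# FOUND line. This is the token the recipe's MATCH recursion ends up with,
# minus the trailing-F / trailing-space bookkeeping procmail needs.
virus_name() {
    printf '%s\n' "$1" | sed -n 's/^.*: \(.*\) FOUND$/\1/p' | head -n 1
}

# Stand-in for `formail -I "X-Clamscan: ..."`: add the header after the last
# existing header line (before the first blank line); if the message has no
# body separator at all, append it at the end.
tag_message() {
    # $1 = message text, $2 = header value
    printf '%s\n' "$1" | awk -v val="$2" '
        !done && /^$/ { print "X-Clamscan: " val; done = 1 }
        { print }
        END { if (!done) print "X-Clamscan: " val }'
}

# Combine the two, mirroring the recipe's branches: scanner trouble goes to
# PROBLEM, infected mail to MYVIRUS tagged with the name, the rest is delivered.
dispose() {
    # $1 = scanner exit status, $2 = scanner stdout
    case "$(classify_exit "$1")" in
        clean)    echo DELIVER ;;
        infected) name=$(virus_name "$2"); echo "MYVIRUS ${name:-unknown}" ;;
        problem)  echo "PROBLEM exit=$1" ;;
    esac
}

# Run the scanner on a message file and report the disposition. The `&& ... ||`
# form captures the exit status without tripping `set -e`.
scan_message() {
    out=$($SCANNER < "$1") && rc=0 || rc=$?
    dispose "$rc" "$out"
}

# Usage: sh scanmail.sh /path/to/message
[ "$#" -eq 0 ] || scan_message "$1"
```

The point of keeping classify_exit separate is the same one the `-1^0 / $MYEXIT^0` scoring pair makes: a nonzero status is not automatically "virus found". A wrapper that treats every nonzero status as infected will quietly file a scanner outage into the virus folder, and one that treats it as clean will deliver unscanned mail.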

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail