On Thu, Feb 12, 2004 at 07:55:57PM +0000, Adrian Simmons wrote:
> FWIW here's what I now have after following this thread; it almost
> works OK:
> # filter any mail over 3000 through clamav
> :0
> * > 3000
> {
> VIRUS = `/sw/bin/clamscan --mbox --disable-summary --infected --stdout -`
> :0
> * VIRUS ?? FOUND
> {
> # Extract some headers into variables for logging
> :0
> * ^Subject:\/.*
> { SUB = $MATCH }
> :0
> * ^From:\/.*
> { FRO = $MATCH }
> :0
> * VIRUS ?? : \/.* FOUND\>
> * MATCH ?? ^^\/.*F
> * MATCH ?? ^^\/.*[^ ]
> { VIR = $MATCH }
> LOG="$DATE $LOGUSER DELETED $VIR $SUB $FRO ${NL}"
> # send message to a null host
> :0
> { HOST = kill.virii.dead }
> }
> }
> I was using multipart as the initial filter, but decided doing it on
> size might be better - but that figure was plucked out of nothing; the
> question is, just how small can a virus be?
What made you decide it might be better? I would use something similar
to what's in my Virus Snaggers recipe. Maybe something like:
:0 wb
* 9876543210^0 ^Content-Type:.*(attachment|multipart)
* 9876543210^0 ^Content-.*[.]
SC_OUT=| clamscan --disable-summary --infected --stdout -
:0 e # we're here if pos exit code; usu. means virus found
{
MYEXIT = $?
:0: # positive exit codes other than 1 are problems
* -1^0
* $ $MYEXIT^0
PROBLEM
:0 hi
* SC_OUT ?? : \/.* FOUND\>
* MATCH ?? ^^\/.*F
* MATCH ?? ^^\/.*[^F]
* MATCH ?? ^^\/.*[^ ]
{
LOG = "$NL Virus found: $MATCH $NL"
HOST = sayonara
}
}
Again, I can't test this fully, because clamscan is not fully
functional on this system. Note that I left a line out of my
match-token recursion, which is why you were left with an F
on the end. Fixed above.
You don't need a separate recipe to set HOST. Just set it
inside your braces.
You might want to move your extractions of From: and Subject:
up above, for the general case, rather than reserving them
specifically for viruses. Also, if you don't want to /dev/null
the viruses, you could do this instead at the end:
:0 fw
* SC_OUT ?? : \/.* FOUND\>
* MATCH ?? ^^\/.*F
* MATCH ?? ^^\/.*[^F]
* MATCH ?? ^^\/.*[^ ]
| formail -I "X-Clamscan: $MATCH"
:0:
MYVIRUS
--
dman
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
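Added example, not code from this thread or from either poster: a small Python model of what the clamscan recipes above do, so the parsing and routing logic can be checked on a sample before it goes into a live .procmailrc. It reproduces the match-token extraction that pulls the virus name out of a clamscan "--infected --stdout" line (the ": \/.* FOUND\>" condition plus the MATCH recursion that trims the trailing FOUND and whitespace), the exit-code dispatch behind the "e" flag and MYEXIT (clamscan exits 0 when clean, 1 when a virus is found, 2 or higher on a scanner error), the LOG line, and the "formail -I" ending that tags the message with an X-Clamscan: header instead of sending it to a null host. Function names, the scanner output and the sample message are all constructed for this example.

```python
"""Python model of the clamscan/procmail recipes from the thread.

Added example, not the posters' code.  Everything below (function names,
scanner output, sample message, dates) is constructed for illustration.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Optional, Tuple

# clamscan exit codes: 0 no virus, 1 virus found, 2 and up = scanner error
EXIT_CLEAN = 0
EXIT_INFECTED = 1

# Text between the first ": " and the word FOUND, surrounding whitespace
# excluded.  One named group does what the recipe does by re-matching
# $MATCH three times (strip "FOUND", strip the trailing F, strip spaces).
FOUND_RE = re.compile(r":\s*(?P<name>\S.*?)\s+FOUND\b")


def virus_name(scan_output: str) -> Optional[str]:
    """First virus name reported by clamscan, or None if nothing was flagged."""
    for line in scan_output.splitlines():
        m = FOUND_RE.search(line)
        if m:
            return m.group("name")
    return None


def classify(exit_code: int, scan_output: str) -> Tuple[str, Optional[str]]:
    """Routing decision of the recipe: ('deliver'|'virus'|'problem', name)."""
    if exit_code == EXIT_CLEAN:
        return "deliver", None
    if exit_code == EXIT_INFECTED:
        name = virus_name(scan_output)
        # exit 1 without a FOUND line means the output could not be parsed;
        # file it as a scanner problem rather than dropping the mail
        return ("virus", name) if name else ("problem", None)
    # 2 and up: missing database, unreadable input, etc.  The recipe files
    # these under PROBLEM so a broken scanner never silently loses mail.
    return "problem", None


def tag_message(raw_message: str, name: str) -> Message:
    """Equivalent of  formail -I "X-Clamscan: <name>": replace or add the header."""
    msg = message_from_string(raw_message)
    del msg["X-Clamscan"]          # -I replaces any existing copy
    msg["X-Clamscan"] = name
    return msg


def log_line(raw_message: str, name: str, date: str, user: str) -> str:
    """The recipe's LOG line: "$DATE $LOGUSER DELETED $VIR $SUB $FRO"."""
    msg = message_from_string(raw_message)
    return f"{date} {user} DELETED {name} {msg.get('Subject', '')} {msg.get('From', '')}"


# --- constructed sample data -------------------------------------------
SAMPLE_SCAN = "stream: Eicar-Test-Signature FOUND\n"
SAMPLE_MAIL = (
    "From: sender@example.invalid\n"
    "Subject: test attachment\n"
    "X-Clamscan: stale value\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    action, name = classify(EXIT_INFECTED, SAMPLE_SCAN)
    print(action, name)
    if action == "virus":
        print(log_line(SAMPLE_MAIL, name, "2004-02-12", "someuser"))
        print(tag_message(SAMPLE_MAIL, name).as_string())
```

The point worth keeping from the recipe is the three-way split: only exit code 1 is treated as "virus found", and any other non-zero status is filed as a problem rather than discarded, so a broken clamscan install (the situation dman describes) cannot quietly eat mail.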