Mailing List Archive

clamav-milter (logging, notify to postmaster, reject message)
Hello.

I would like to offer a patch for discussion.
It contains:

*1*. modified reply message for sendmail:

2004-04-01 02:10:24 sendmail[11026]: i2VLANKk011026: to=<xxxxxxxxxxxxx>, delay=00:00:01, pri=30539, stat=Exploit.HTML.Bagle.Gen-3-eml virus detected by ClamAV - http://www.clamav.net

Initial code from Bryan Swanson, rewritten by Andrey J. Melnikoff

reason: this message can be seen in the DSN:
=======
----- The following addresses had permanent fatal errors -----
<xxxxxxxxxxxxx>
(reason: 550 5.7.1 Worm.BugBear.B virus detected by ClamAV - http://www.clamav.net)

----- Transcript of session follows -----
... while talking to xxxxxxxxxxxxxx:
>>> DATA
<<< 550 5.7.1 Worm.BugBear.B virus detected by ClamAV - http://www.clamav.net
554 5.0.0 Service unavailable
=========

*2*. two modifications for E-Mail notification
a) RFC-compatible Received from local server:

Received: from qwerty (qqq.eee.com [xx.xx.xx.xx])
by srv7.kraft-s.ru (clamav-milter 0.70c) with id i2VKJ6Tb015441;
Thu, 01 Apr 2004 01:19:10 +0500 (SAMST)
Received:
From: admin@americaii.com
To: <fh40sjlbf@americaii.com>
Date: Wed, 31 Mar 2004 15:15:51 -0500
Subject: Delivery Failure: Re: Extended Mail
X-Mailer: SurfControl E-mail Filter

b) X-Infected-Received-From in the header:

X-Infected-Received-From: qqq.eee.com [xx.xx.xx.xx]

The first is a standard form of important data, the second is very usable for
sorting (for example by Sieve).

*3*. improved (I think :-) ) logging with sendmail's Message Id in
each line. It's usable for grepping all data about a message in maillog.


The patch is written for the last CVS snapshot where compilation of clamav-milter
is possible.

Patch:
http://hippo.ru/~asy/clamav/clamav-log-and-notify.patch

snapshot (just in case):
http://hippo.ru/~asy/clamav/clamav-20040328.tar.gz

--
Regards,
Sergey

PS: sorry for my English :-(
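
Point 3 of the post above (sendmail's message ID on every log line), as an added example that is not part of the original post or the patch: a small correlator that groups maillog lines by queue ID and pulls the virus name out of the `stat=` reject text. The sample log is constructed; the addresses and the clamav-milter line format are assumptions, and only the sendmail `stat=` line follows the format quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample maillog (addresses and the clamav-milter line are assumptions;
# the sendmail "stat=" line follows the format quoted in the post).
SAMPLE_LOG = """\
2004-04-01 02:10:23 sendmail[11026]: i2VLANKk011026: from=<sender@example.com>, size=539, nrcpts=1
2004-04-01 02:10:24 clamav-milter[900]: i2VLANKk011026: stream: Exploit.HTML.Bagle.Gen-3-eml FOUND
2004-04-01 02:10:24 sendmail[11026]: i2VLANKk011026: to=<rcpt@example.org>, delay=00:00:01, pri=30539, stat=Exploit.HTML.Bagle.Gen-3-eml virus detected by ClamAV - http://www.clamav.net
2004-04-01 02:11:02 sendmail[11040]: i2VLB1Qx011040: to=<other@example.org>, delay=00:00:02, pri=31200, stat=Sent
"""

# timestamp, program[pid], sendmail queue ID, rest of the line
LINE_RE = re.compile(r"^(\S+ \S+) ([\w-]+)\[(\d+)\]: (\w+): (.*)$")
# Reject text produced by the patch: "<virus> virus detected by ClamAV - <url>"
STAT_RE = re.compile(r"\bstat=(\S+) virus detected by ClamAV")


def group_by_queue_id(log_text):
    """Return {queue_id: [(timestamp, program, rest), ...]} in log order."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines without a queue ID cannot be correlated; skip them
            ts, prog, _pid, qid, rest = m.groups()
            groups[qid].append((ts, prog, rest))
    return dict(groups)


def infected_messages(log_text):
    """Return {queue_id: virus_name} for messages sendmail rejected as infected."""
    hits = {}
    for qid, entries in group_by_queue_id(log_text).items():
        for _ts, prog, rest in entries:
            m = STAT_RE.search(rest)
            if prog == "sendmail" and m:
                hits[qid] = m.group(1)
                break
    return hits


if __name__ == "__main__":
    for qid, virus in infected_messages(SAMPLE_LOG).items():
        print(qid, virus)
        for ts, prog, rest in group_by_queue_id(SAMPLE_LOG)[qid]:
            print("   ", ts, prog, rest)
```
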
Re: clamav-milter (logging, notify to postmaster, reject message)
On Wednesday 31 March 2004 10:33 pm, Sergey wrote:

> Hello.
>
> I would like to offer a patch for discussion.

All your suggestions assume that ClamAV is running in combination with
sendmail (and, perhaps, combined in a very particular way).

This is not a safe assumption. People use ClamAV with all sorts of different
MTAs - probably sendmail, exim, postfix and qmail are the most common, but
there may well be more.

Also, people use many different ways to interface the MTA with ClamAV - some
use a milter, some use procmail, some use MailScanner, some use other
methods...

So, although your ideas may be good ones, they must be able to be implemented
in a very wide variety of settings (to give you an example, when ClamAV is
used under MailScanner, it gets called as a simple anti-virus file scanner -
ClamAV itself has (a) no idea it's being used in an email environment, and
(b) no way of interacting with the MTA receiving the email (to give a failure
response) because by the time ClamAV sees the file, the email has been
completely received and locally stored).

Regards,

Antony.

--
Programming is a Dark Art, and it will always be. The programmer is
fighting against the two most destructive forces in the universe:
entropy and human stupidity. They're not things you can always
overcome with a "methodology" or on a schedule.

- Damian Conway, Perl God

Please reply to the list;
please don't CC me.
Re: clamav-milter (logging, notify to postmaster, reject message)
Antony Stone wrote:

>On Wednesday 31 March 2004 10:33 pm, Sergey wrote:
>
>>Hello.
>>
>>I would like to offer a patch for discussion.
>
>All your suggestions assume that ClamAV is running in combination with
>sendmail (and, perhaps, combined in a very particular way).

which is generally a valid assumption for clamav-milter
on a semi-related note, is there a "clamdstreamscan" available?
Re: clamav-milter (logging, notify to postmaster, reject message)
On 2004-03-31, Antony Stone wrote:

>On Wednesday 31 March 2004 10:33 pm, Sergey wrote:
>
>> I would like to offer a patch for discussion.
>
>All your suggestions assume that ClamAV is running in combination with
>sendmail (and, perhaps, combined in a very particular way).

A quick look into his patch shows that the only part of clamav which
gets modified is clamav-milter, so all these assumptions are right ;)

s.

--
(0> Jakub Jankowski [url]: s.atn.pl "Nawet w Krainie Czarow
//\ shasta@IRCnet [rlu]: 174516 latwiej jest spotkac
V_/_ shasta@atn.pl [ekg]: 921514 Babe Jage niz Alicje"
Fingerprint: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D
Re: clamav-milter (logging, notify to postmaster, reject message)
On Thursday 01 April 2004 03:39, Antony Stone wrote:

> All your suggestions assume that ClamAV is running in combination with
> sendmail

Yes. I wrote "clamav-milter" in the subject. It's all only for it.

> This is not a safe assumption. People use ClamAV with all sorts of different
> MTAs - probably sendmail, exim, postfix and qmail are the most common, but
> there may well be more.

"milter" is sendmail's filter interface. All those that can't use "clamav-milter" use clamd
directly or via other interfaces. Once again: the subject points to sendmail only. I'm not
interested in problems with other MTAs now. ;-)

--
regards, Sergey
a_s_y@sama.ru