Mailing List Archive

local_scan w spamassasin AND antivirus
Subject says it all.

I have a need to do this. If anyone has done it I would love if they
would share their hackery.

If not then I guess I will try it on my own.
Re: local_scan w spamassasin AND antivirus
On Wed, Jun 05, 2002 at 06:58:31PM -0400, Dave C. wrote:

| Subject says it all.
|
| I have a need to do this. If anyone has done it I would love if they
| would share their hackery.
|
| If not then I guess I will try it on my own.

I haven't done it, but does your AV thingy work like a UNIX filter?
If so it is quite simple to plug your own together. Both SA-exim and
exiscan allow you to specify whatever file you want as the scanner
program. With exiscan you specify a pattern that will be matched on
stdout for "bad" messages. With SA-exim you make the score in the
X-Spam-Status header higher than the threshold you've configured. To
glue SA and AV together, just make a script that first pipes the
message to one (probably the AV) and if it's bad, output the necessary
"magic" for the local_scan to reject it. If it's not bad, pipe it
through the other and output the necessary "magic". I don't think
that an inefficient implementation would take very long to knock
together.

HTH,
-D

--

Your mouse has moved.
You must restart Windows for your changes to take effect.

GnuPG key : http://dman.ddts.net/~dman/public_key.gpg

Re: local_scan w spamassasin AND antivirus
On Wed, 5 Jun 2002, dman wrote:

> --
> On Wed, Jun 05, 2002 at 06:58:31PM -0400, Dave C. wrote:
>
> | Subject says it all.
> |
> | I have a need to do this. If anyone has done it I would love if they
> | would share their hackery.
> |
> | If not then I guess I will try it on my own.
>
> I haven't done it, but does your AV thingy work like a UNIX filter?
> If so it is quite simple to plug your own together. Both SA-exim and
> exiscan allow you to specify whatever file you want as the scanner
> program. With exiscan you specify a pattern that will be matched on
> stdout for "bad" messages. With SA-exim you make the score in the
> X-Spam-Status header higher than the threshold you've configured. To
> glue SA and AV together, just make a script that first pipes the
> message to one (probably the AV) and if it's bad, output the necessary
> "magic" for the local_scan to reject it. If it's not bad, pipe it
> through the other and output the necessary "magic". I don't think
> that an inefficient implementation would take very long to knock
> together.
>

Hrm.. Unfortunately, this is for a high-volume mail server.. 'Inefficient'
may work for testing, but it will surely not do for production..
Re: local_scan w spamassasin AND antivirus
On Thu, Jun 06, 2002 at 08:31:53AM -0400, Dave C. wrote:
| On Wed, 5 Jun 2002, dman wrote:
|
| > --
| > On Wed, Jun 05, 2002 at 06:58:31PM -0400, Dave C. wrote:
| >
| > | Subject says it all.
| > |
| > | I have a need to do this. If anyone has done it I would love if they
| > | would share their hackery.
| > |
| > | If not then I guess I will try it on my own.
...
| > I don't think that an inefficient implementation would take very
| > long to knock together.
|
| Hrm.. Unfortunately, this is for a high-volume mail server.. 'Inefficient'
| may work for testing, but it will surely not do for production..

Spend a little more time and optimize it better :-). I think the
fastest order of checking would be :
o look for traces of executables
o if one is found, look for obvious virus signs
o reject if found (klez is well-suited for this)
o feed through AV
o reject as appropriate
o check whitelist(s), accept if appropriate
o feed small messages (<250K is spamc's default) through SA
o reject as appropriate

This way you can (attempt) to perform the least amount of processing
on any given message. I expect the AV software to be the slowest part
(though I have no empirical data to show that) which is why I chose to
avoid the AV scanning as much as possible. (if a message is
single-part and text/plain, it ain't a virus :-))

This is the best I can do.

-D

--

Who can say, "I have kept my heart pure;
I am clean and without sin"?
Proverbs 20:9

GnuPG key : http://dman.ddts.net/~dman/public_key.gpg

Re: local_scan w spamassasin AND antivirus
>avoid the AV scanning as much as possible. (if a message is
>single-part and text/plain, it ain't a virus :-))

Untrue, and I can prove it! (This may or may not make it to the list.)

[ Deleted uuencoded file 'dodgy.mail' ]
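
The checking order dman describes above, as an added Python sketch (not code from anyone in the thread). It assumes the AV is only invoked when an executable trace is found, treats an inline uuencoded block in a text/plain body as such a trace, and takes `av_scan`, `sa_score` and `obvious_sign` as hypothetical caller-supplied hooks; the extension list and the sample message are constructed.

```python
import re
from email import message_from_bytes
from email.utils import parseaddr

EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|vbs)$", re.I)  # assumed extension list
UU_BEGIN = re.compile(rb"^begin [0-7]{3,4} \S+", re.M)        # uuencode header line
SA_MAX_BYTES = 250 * 1024                                     # size cutoff from the thread

def executable_trace(msg):
    """Cheap pre-filter: executable-looking attachment name or inline uuencoded file."""
    for part in msg.walk():
        if EXEC_EXT.search(part.get_filename() or ""):
            return True
        if not part.is_multipart():
            body = part.get_payload(decode=True) or b""
            if UU_BEGIN.search(body):  # text/plain can still carry a file this way
                return True
    return False

def scan(raw, av_scan, sa_score, whitelist, obvious_sign=lambda m: False, threshold=5.0):
    """Return (verdict, reason); cheapest checks run first, hooks only when needed."""
    msg = message_from_bytes(raw)
    if executable_trace(msg):
        if obvious_sign(msg):              # fast signature test, no AV call
            return ("reject", "obvious virus sign")
        if av_scan(raw):                   # slow path: external AV (hypothetical hook)
            return ("reject", "virus")
    # Header From is forgeable; it stands in here for whatever sender the MTA trusts.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in whitelist:
        return ("accept", "whitelisted")
    if len(raw) > SA_MAX_BYTES:
        return ("accept", "too large for spam check")
    if sa_score(raw) >= threshold:         # hypothetical hook returning the SA score
        return ("reject", "spam")
    return ("accept", "clean")

# Constructed sample: single-part text/plain that carries a uuencoded file.
UU_SAMPLE = (b"From: a@example.org\r\nContent-Type: text/plain\r\n\r\n"
             b"see attached\r\nbegin 644 sample.exe\r\n#0V%T\r\n`\r\nend\r\n")

if __name__ == "__main__":
    print(scan(UU_SAMPLE, av_scan=lambda r: True, sa_score=lambda r: 0.0, whitelist=set()))
```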