
Re: Linking ClamAV into procmail? (SUMMARY)
OT for this list, but please note that some serious shortcomings have
been found with the functionality of clamav called directly from
procmail. A word of caution to those that followed the earlier thread on
using ClamAV with procmail, and my recipes specifically. In short -- and
apologies to all if I have the details wrong -- the current "best" way
to use clamav is to scan files on disk. A wrapper script to extract,
then scan files seems to work best and most consistently.

- Bob
Re: Linking ClamAV into procmail? (SUMMARY)
On Wed, 25 Feb 2004, Bob George wrote:
> OT for this list, but please note that some serious shortcomings have
> been found with the functionality of clamav called directly from
> procmail. A word of caution to those that followed the earlier thread on
> using ClamAV with procmail, and my recipes specifically. In short -- and
> apologies to all if I have the details wrong -- the current "best" way
> to use clamav is to scan files on disk. A wrapper script to extract,
> then scan files seems to work best and most consistently.

Yes, and I am still looking for a good procmail-driven virus checker, with
decent signature updates, which would make a good 'companion' for SA.

- Charles
Re: Linking ClamAV into procmail? (SUMMARY)
Charles Gregory <cgregory@hwcn.org> wrote:
> [...]
> Yes, and I am still looking for a good procmail-driven virus
> checker, with decent signature updates, which would make a
> good 'companion' for SA.

Oh, clamav works quite well from procmail but you do want a wrapper script to
extract, then scan attachments. Since that's the ONLY mode bitdefender works in
anyhow, I just incorporated both into a script. It's hit everything I've thrown
at it for testing.

Clamav also works well from anomy sanitizer, which I call from procmail to
defang, etc.

- Bob
Re: Linking ClamAV into procmail? (SUMMARY)
LuKreme wrote:

> On 25 Feb 2004, at 08:02, Bob George wrote:
>
>> [...]
>> Just an aside: We got off on a bit of a tangent trying to get clamav
>> to work
>> directly from procmail. There are plenty of scripts (perl and shell)
>> that can
>> be used as wrappers to get it to work reliably and as expected from
>> procmail.
>> The trick is to decode attachments, then scan them. Unfortunately,
>> there's no
>> web page that says "DO THIS", so it was a bit of trial-and-error.
>
> Then it might be a good idea to write up your experiences as a
> procmail/clamav how-to for the next person.

I'm still trying to verify that this HASN'T been done already (checking
out clamav lists etc.) but I agree it should be documented. I posted a
summary to the spamassassin list (appended below) letting folks know
that calling DIRECTLY from procmail per some of our early attempts --
based on my non-authoritative testing and observations -- can yield
inconsistent, or at least difficult-to-explain results. The discussion
migrated to THIS list based on an impulse to avoid calling shell/perl
scripts to avoid performance hits by calling clamdscan directly from
procmail. Alas, it does appear -- again, based on my non-authoritative
testing (with thanks to dallman) -- that a wrapper script to unpack,
then scan files on disk yields more consistent results.

> I say this not out of a desire for the readme itself (I simply block
> dangerous attachments and let people live with their screw-ups if they
> open zips)

I don't believe in the death penalty for the inexperienced, but that's a
philosophical discussion.

> but rather so we can simply point the next person to your
> comprehensive how-to :)

I don't think a full howto is required on "clamav from procmail" per se,
as the existing perl and shell scripts work just fine. All that's
required so far as procmail is concerned is a caveat that calling
clamdscan/clamscan as a filter to scan (--mbox etc.) can be problematic,
and to avoid the temptation to "avoid the hit" of calling a separate
wrapper -- at least with the current state of clamav.

All that said, this situation is likely to change as work continues on
clamav, and calling directly with --mbox MAY be a non-issue soon enough.
I certainly DO NOT mean to imply that clamav is deficient, but merely
that some of our/my attempts to "improve" on performance by calling
clamdscan directly from procmail as a filter went awry. (They DID work
in practice, based on my experience. But some testing hints that results
can be iffy when called that way. Let me be clear: clamav works quite
well. The user setting it up, however, needs to be careful -- just like
those using zip files.)

If I get any specifics indicating anything to the contrary, I'll gladly
post details here. If there's a place for "calling clamav from procmail"
on any of the excellent and no doubt better read procmail howto/faq
sites, I'll gladly write up a few notes for inclusion there. Clamav is
ONE alternative, but procmail accommodates many others, so I wouldn't
want to hijack a procmail site.

> I'll even host it for you if a permanent web location is an issue.

I appreciate the offer, but I think it really only warrants mention in
one of the better procmail compendium sites already out there.

Now to the larger (non-procmail specific) issues: It seems (to me at
least) there's a bit of a gap in info on how to integrate commonly used
tools for processing inbound email: procmail, spamassassin and clamav.
Others such as anomy sanitizer/amavis/mailscanner probably warrant
inclusion, though they're not quite right for my personal needs. If/when
I get enough useful information together, I'll gladly write up my
"defense in depth" approach, but to be complete someone would have to
add milter and integration into MTA (which I don't work with) chapters.
THAT might warrant a dedicated howto.

Again, this is probably getting a tad OT for the procmail list.
Apologies to the bored.

- Bob

--- as posted to spamassassin list ---
OT for this list, but please note that some serious shortcomings have
been found with the functionality of clamav called directly from
procmail. A word of caution to those that followed the earlier thread on
using ClamAV with procmail, and my recipes specifically. In short -- and
apologies to all if I have the details wrong -- the current "best" way
to use clamav is to scan files on disk. A wrapper script to extract,
then scan files seems to work best and most consistently.

- Bob
---
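The "unpack, then scan files on disk" wrapper that Bob describes above is easy to sketch. The following is an added example, not a script from the thread or from the ClamAV project: it reads a message on stdin, writes every decoded MIME part into a private temporary directory under a numbered name (so a hostile attachment filename can never escape that directory), runs the scanner over the files, and exits with the scanner's status. It assumes `clamscan` is on PATH with its documented exit codes (0 clean, 1 infected, 2 error) and options `--no-summary` and `--infected`; the `scanner` parameter, the `make_fake_scanner` stand-in and the sample message are constructed here for demonstration and testing without a live ClamAV.

```python
"""Extract-then-scan wrapper for calling ClamAV from procmail (added example)."""
import email
import email.policy
import os
import subprocess
import sys
import tempfile
from typing import Callable, List

# clamscan's documented exit codes: 0 clean, 1 infected, 2 error.
CLEAN, INFECTED, ERROR = 0, 1, 2


def extract_parts(raw: bytes, workdir: str) -> List[str]:
    """Write every non-multipart MIME part of the message to workdir.

    Files are named by part index rather than by the attachment's own
    filename, so a Content-Disposition such as '../../x' cannot escape
    workdir. base64 / quoted-printable bodies are decoded first, which is
    what lets the scanner see the real attachment bytes.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    paths = []
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        path = os.path.join(workdir, f"part-{idx:03d}")
        with open(path, "wb") as fh:
            fh.write(payload)
        paths.append(path)
    return paths


def run_clamscan(paths: List[str]) -> int:
    """Default scanner: run clamscan over the extracted files, return its status."""
    proc = subprocess.run(
        ["clamscan", "--no-summary", "--infected", *paths],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE,
    )
    return proc.returncode


def scan_message(raw: bytes,
                 scanner: Callable[[List[str]], int] = run_clamscan) -> int:
    """Unpack raw message into a fresh 0700 temp dir, scan it, clean up.

    Returns CLEAN / INFECTED / ERROR. A missing or crashing scanner yields
    ERROR so that a broken installation fails closed (quarantine), not open.
    """
    # TemporaryDirectory uses mkdtemp, which creates the directory mode 0700
    # and removes it (and the decoded attachments) when the block exits.
    with tempfile.TemporaryDirectory(prefix="clamwrap-") as workdir:
        paths = extract_parts(raw, workdir)
        if not paths:
            return CLEAN
        try:
            return scanner(paths)
        except OSError:
            return ERROR


def make_fake_scanner(flag_token: bytes) -> Callable[[List[str]], int]:
    """Constructed stand-in for clamscan used for offline demonstration:
    reports INFECTED if any extracted file contains flag_token."""
    def scanner(paths: List[str]) -> int:
        for path in paths:
            with open(path, "rb") as fh:
                if flag_token in fh.read():
                    return INFECTED
        return CLEAN
    return scanner


# Constructed sample: text body plus a base64 attachment whose filename
# tries to escape the working directory. "SGVsbG8gd29ybGQ=" is "Hello world".
SAMPLE_MESSAGE = b"""From: sender@example.com
To: user@example.com
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Hello, see attachment.
--XYZ
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="../../escape.exe"
Content-Transfer-Encoding: base64

SGVsbG8gd29ybGQ=
--XYZ--
"""

if __name__ == "__main__":
    # Under procmail the message arrives on stdin; interactively, scan the sample.
    raw = SAMPLE_MESSAGE if sys.stdin.isatty() else sys.stdin.buffer.read()
    sys.exit(scan_message(raw))
```

Because the script exits with clamscan's status, a procmail condition of the form `* ! ? /path/to/clamwrap.py` (my assumption about the deployment, not from the thread) is true for anything that is not known clean, so both infected mail and scanner failures can be routed to a quarantine folder; that is the conservative behaviour Bob's "quarantine and ask for help" setup wants.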
Re: Linking ClamAV into procmail? (SUMMARY)
Bob George wrote:

> LuKreme wrote:
>
>> On 25 Feb 2004, at 08:02, Bob George wrote:
>>
>>> [...]
>>

* groan * OK, I read LuKreme's message after perusing the procmail list
and obviously confused myself. This is NOT the procmail list. This is
the spamassassin list. I KNOW that!

sed 's/procmail/spamassassin/' < thismessage

OK, arguably, this IS a procmail issue and not a spamassassin one.

- Bob
Re: [spa] Re: Linking ClamAV into procmail? (SUMMARY)
On Thu, 26 Feb 2004, Bob George wrote:
> > Yes, and I am still looking for a good procmail-driven virus
> > checker, with decent signature updates, which would make a
> > good 'companion' for SA.
> Oh, clamav works quite well from procmail but you do want a wrapper
> script to extract, then scan attachments.

Dang. I'm sorry, I've been repeating myself so often that I've gotten
tired of spelling it out each time. What I want is an anti-virus program
that works in a single 'pass' without writing stuff out to disk.

> Since that's the ONLY mode bitdefender works in anyhow....

Is bitdefender freeware? Didn't look like it when I visited the site...

> Clamav also works well from anomy sanitizer, which I call from
> procmail to defang, etc.

I've not wanted to use anomy sanitizer because not all our users have the
technical skills to properly interpret the output. So for the most part,
anything we have to install has to be conservative and very simple to use.
And yes, that was a *challenge* with SpamAssassin. Our users have access
to two settings: The 'hits required' and whether to merely 'flag' or
actually delete mail tagged as spam. Seems to be working fairly well.....

- Charles
Re: [spa] Re: Linking ClamAV into procmail? (SUMMARY)
On Thu, 26 Feb 2004, Bob George wrote:
> * groan * OK, I read LuKreme's message after perusing the procmail list
> and obviously confused myself. This is NOT the procmail list. This is
> the spamassassin list. I KNOW that!
> sed 's/procmail/spamassassin/' < thismessage
> OK, arguably, this IS a procmail issue and not a spamassassin one.

Well, personally, I am already subscribed to too many lists, but really do
need to get a high-efficiency combination of SA and anti-virus operating
from a simple interface like procmail. So for me it's a little bit
appropriate to this list (SA) because I am trying to CHOOSE an anti-virus
solution that works well with SA (which means I can't pick an anti-virus
list to subscribe to just yet). While technically it might be more fitting
to ask on the procmail list, I really only want the solutions used by
fellow SA users, so, here we are.... :-)

- Charles
Re: Linking ClamAV into procmail? (SUMMARY)
Charles Gregory wrote:

> [...]
>
>Dang. I'm sorry, I've been repeating myself so often that I've gotten
>tired of spelling it out each time. What I want is an anti-virus program
>that works in a single 'pass' without writing stuff out to disk.
>
>
Oh, I want that too. But until it's available (or someone just calls the
script "the scanner" :), clamav is a great tool, and worlds better than
NO protection.

I assume the single pass requirement is for performance reasons?

>>Since that's the ONLY mode bitdefender works in anyhow....
>>Is bitdefender freeware? Didn't look like it when I visited the site...
>>
>>
"Free for personal use" -- at least free enough to be included in Debian.

>>Clamav also works well from anomy sanitizer, which I call from
>>procmail to defang, etc.
>>
>>
>I've not wanted to use anomy sanitizer because not all our users have the
>technical skills to properly interpret the output. So for the most part,
>anything we have to install has to be conservative and very simple to use.
>
>
I put anomy in BECAUSE my users (family mostly) lack those skills. I
have it set to scan, then allow through if it passes the scan, or
quarantine and direct users to ask for help if not. It can just as
easily drop infected messages. I can see this depending largely on the
userbase though. Still, I'd lean towards scanning SOMEWHERE, regardless
of how.

>And yes, that was a *challenge* with SpamAssassin. Our users have access
>to two settings: The 'hits required' and whether to merely 'flag' or
>actually delete mail tagged as spam. Seems to be working fairly well.....
>
>
Here's a thought: Allow users to "scan for viruses" or not. If they opt
for scanning, call clamav (or sanitizer), configured to drop infected.
If not, just don't call it. If using sanitizer, different procmail rules
could call it specifying different configs for content (defang html),
virus scanning, etc. depending on the options checked by the user
(assuming you've got a web checklist somewhere).

An option anyhow. Good luck, and let us know if you find a more
email-aware solution! I want one too.

- Bob
Re: [spa] Re: Linking ClamAV into procmail? (SUMMARY)
On Fri, 27 Feb 2004, Bob George wrote:
> I assume the single pass requirement is for performance reasons?

A combination of performance and simplicity of installation/maintenance
(for the distinct possibility that the next sysadmin will be volunteer).
We're running a community-network ISP here..... :-)

> >>Is bitdefender freeware? Didn't look like it when I visited the site...
> "Free for personal use" -- at least free enough to be included in Debian.

Which rules out CommunityNets..... (sigh)

> I put anomy in BECAUSE my users (family mostly) lack those skills. I
> have it set to scan, then allow through if it passes the scan, or
> quarantine and direct users to ask for help if not.

Before I installed SpamAssassin, I had a simple blacklist filter with a
quarantine system and I would have users calling up and complaining that
their disk quota was full but their 'inbox' empty. Even though the docs
practically SCREAMED that they had to clear out the spam box, far too many
users just 'clicked the button' and expected the spam to magically
disappear. So I finally gave in and gave them the option to just delete
spam based on the SA score. With a default to just tag spam, they can
easily check for FP's before they start deleting. Their choice....

And we really can't be suggesting that hundreds of users phone us for
help, especially when a good number think 'help' means they call us to do
things *for them* again and again..... (sigh)

> It can just as easily drop infected messages. I can see this depending
> largely on the userbase though.

Got it in one. As a community base we service a market segment that has
more difficulty with computers than average.... :-)

> Still, I'd lean towards scanning SOMEWHERE, regardless of how.

Uh-huh. That's why I want to get CLAMAV running. I figure they'll either
straighten out the 'mbox' option soon, or I'll follow the 'mailscanner'
trick of splitting postfix, though that will mean extra file I/O..... :-(

> Here's a thought: Allow users to "scan for viruses" or not.

I might offer them anomy sanitizing as an option. But basic virus scanning
has to be on for everyone. It's in everyone's best interest....

> If not, just don't call it. If using sanitizer, different procmail rules
> could call it specifying different configs for content (defang html),
> virus scanning, etc. depending on the options checked by the user
> (assuming you've got a web checklist somewhere).

Yeah, we're headed in that direction. But let's get basic AV running
first..... :-)

- Charles
Re: Linking ClamAV into procmail? (SUMMARY)
Charles Gregory wrote:
> Well, personally, I am already subscribed to too many lists, but really do
> need to get a high-efficiency combination of SA and anti-virus operating
> from a simple interface like procmail. So for me it's a little bit
> appropriate to this list (SA) because I am trying to CHOOSE an anti-virus
> solution that works well with SA (which means I can't pick an anti-virus
> list to subscribe to just yet). While technically it might be more fitting
> to ask on the procmail list, I really only want the solutions used by
> fellow SA users, so, here we are.... :-)

If you have not gone the clamav route yet but are still looking for a
procmail based solution then let me recommend Yet Another Virus
Recipe. It is very simple and works from a procmailrc file.

http://agriroot.aua.gr/~nikant/nkvir/

Subscribe to the freshmeat.net project and get notices of updates.
But frankly as a virus checker it will always have continuous updates
so better just to put a cronjob in to update it automatically.

http://freshmeat.net/projects/yavr/

Quickstart guide for a single user local installation.
Assuming ~/Mail is MAILDIR and you can adjust accordingly.

cd ~/Mail/
wget http://agriroot.aua.gr/~nikant/nkvir-rc
mkdir virus

Then in your ~/.procmailrc file above the spamassassin filtering put
the following:

NIGSCAM=OFF
PORNSPAM=OFF
INCLUDERC=$MAILDIR/nkvir-rc

Since I use SpamAssassin for the spam filtering I turn the spam
filtering here off and just use the virus scanning feature. I scrape
the viruses out before SA because I don't need SA bayes to be learning
about the viruses which are directly identifiable by their signatures.

Bob

P.S. Really behind in the lists...