[Mimedefang] Strange virus scanning message?
Matt A. Gargett
MGargett at comshare.com
Thu May 16 15:22:26 EDT 2002
I'm getting the following when a virus actually comes to my mail server:
May 16 15:14:32 inet-prime sendmail[17284]: g4GJENH8017284: from=<removed at umich.edu>, size=54345, class=0, nrcpts=1, msgid=<Pine.SOL.4.44.0205161515490.6427 at rastan.gpcc.itd.umich.edu>, proto=SMTP, daemon=MTA, relay=aa-firewall.comshare.com [130.211.1.14]
May 16 15:14:35 inet-prime mimedefang[17285]: Error from multiplexor: ERR No response from slave (premature death?)
May 16 15:14:35 inet-prime sendmail[17284]: g4GJENH8017284: Milter: data, reject=451 4.7.1 Please try again later
And I believe it then just drops the message completely. I know that the
slaves are running okay for everything else. I am running MIMEDefang 2.11
with McAfee VirusScan. However, it does scan files that do not contain
viruses and claims them as okay, and passes them on. Any ideas?
- Matt
Here's my filter info below:
sub filter {
    my($entity, $fname, $ext, $type) = @_;

    # Scan this MIME part with the NAI (McAfee) command-line scanner.
    my($code, $category, $action) = entity_contains_virus_nai($entity);
    action_add_header('X-Virus-Scanned', $fname ? "$fname: $action" :
                      "Message: $action");
    $VirusScannerMessages =~ s/^\/var.*\n//g;
    $VirusScannerMessages =~ s/^\s+//;

    if ($action eq 'quarantine') {
        # syslog('err', "Virus detected: $VirusScannerMessages");
        my $msg =
            " V I R U S A L E R T\n\n" .
            "Our virus scanner found a VIRUS in your email to " .
            "@Recipients.\n\nWe advise you to check your computer for " .
            "viruses. We recommend the\nlatest versions of the " .
            "following anti-virus software:\n\n" .
            " Norton AntiVirus http://www.symantec.com/avcenter/\n" .
            " McAfee VirusScan http://www.mcafee.com/anti-virus/\n\n" .
            "BE SURE TO UPDATE YOUR ANTI-VIRUS SOFTWARE WITH THE LATEST " .
            "VIRUS\nDEFINITIONS.\n\nOur virus scanner found the " .
            "following virus:\n\n$VirusScannerMessages\n";

        # Append the original headers from the HEADERS file in the
        # working directory.
        if (open (IN, 'HEADERS')) {
            $msg .= "\n-----Original Message Headers-----\n";
            while (<IN>) { $msg .= $_ }
            close(IN);
        }

        # Do not notify the null sender (bounces).
        if ($Sender ne '<>') {
            action_notify_sender($msg);
        }
        action_notify_administrator("-----Original Message-----\n" .
            "From: $DaemonName <$DaemonAddress>\n" .
            "Sent: " . localtime() . "\n" .
            "To: $Sender\n" .
            "Subject: MIMEDefang Notification.\n\n" .
            $msg);
        add_recipient($Administrator);
        return action_quarantine($entity, " V I R U S" .
            " A L E R T\n\nOur virus scanner found a VIRUS in this " .
            "email from $Sender.\nAn attachment named \'$fname\' was " .
            "removed from this email because it\ncontained a virus. " .
            "The virus scanner reported the following:\n\n" .
            "$VirusScannerMessages\n");
    } elsif (filter_bad_filename($entity)) {
        add_recipient($Administrator);
        return action_quarantine($entity, "An attachment named " .
            "\'$fname\' was removed from this email because it\nconstituted " .
            "a security hazard. If you require this document, please\n" .
            "contact the sender and arrange an alternate means of receiving " .
            "it.\n");
    }

    # Redundant with the elsif branch above, which already returns for
    # bad filenames.
    if (filter_bad_filename($entity)) {
        return action_quarantine($entity, "An attachment named $fname was " .
            "removed from this document as it\nconstituted a security " .
            "hazard. If you require this document, please contact\nthe " .
            "sender and arrange an alternate means of receiving it.\n");
    }

    # eml is bad if it's not multipart
    if (re_match($entity, '\.eml')) {
        return action_quarantine($entity, "A non-multipart attachment " .
            "named $fname was removed from this document as it\n" .
            "constituted a security hazard. If you require this document, " .
            "please contact\nthe sender and arrange an alternate means of " .
            "receiving it.\n");
    }

    # Clean up HTML if Anomy::HTMLCleaner is installed.
    if ($Features{"HTMLCleaner"}) {
        if ($type eq "text/html") {
            return anomy_clean_html($entity);
        }
    }

    return action_accept();
}