[Mimedefang] Blocking cleaned virus messages.

Joseph Brennan brennan at columbia.edu
Fri Aug 29 11:17:11 EDT 2003


> When Gauntlet detects a virus infected attachment, it replaces the
> attachment with a message stating that the virus has been cleaned.  It
> retains the name of the original attachment appending a ".htm" to it as in
> patch.exe.htm in the example below.

It would be ideal if Gauntlet could put something in the header
portion of the message.  Then you could detect that with Mimedefang
or even Sendmail.  Spamassassin eats CPU and it is awful to run it
on messages that you know you don't want.  Be sure to look at this
possibility first.

Otherwise I would expect Spamassassin could handle it like this, in
/etc/mail/spamassassin/local.cf

body     GAUNTLET_VIRUS /X-NAI-Gauntlet-mimepp: Attachment removed/
score    GAUNTLET_VIRUS 100
describe GAUNTLET_VIRUS Gauntlet said this message had a virus

One catch is this is not conditional to your own host adding
that header-- it just literally matches that header.  That's
probably OK.  Actually I don't see how you could ever tell
what host added this, since the mailhub always sees this as
being already in the mail when it gets it.

It would reject mail that happens to mention that header,
like this one.  :-)

The other catch is that this is not spam.  We action_bounce
spam over a certain score, but I wouldn't want to bounce
virusmail since the sender is usually faked.  So maybe you'd
want to look at whether the GAUNTLET_VIRUS test hit and if so
discard the message, before doing your usual Spamassassin
action.

Say you run Spamassassin with this as usual-
   my($hits, $req, $names, $report) = spam_assassin_check();

-so after it runs, do this first-

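  if ($names =~ /GAUNTLET_VIRUS/) {
      # Gauntlet rule hit: log it and drop the message without a bounce
      md_graphdefang_log("virusmail discarded");
      action_discard();
      # Skip the usual Spamassassin action (assumes this code is in filter_end)
      return;
  }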

Or something like that.  I'm writing this fast.


Joseph Brennan         Columbia University in the City of New York
Academic Technologies Group                   brennan at columbia.edu
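
The false-positive catch in the message above (mail that merely mentions the marker also matches) can be narrowed by also requiring the ".htm" replacement attachment that the quoted text describes. This is an added example, not part of the original post and not MIMEDefang code: it is standalone Python, the names classify and sample_message are hypothetical, and it assumes the marker text sits inside the replacement part.

```python
import email
from email import policy
from email.message import EmailMessage

# Marker string taken from the SpamAssassin rule in the post.
MARKER = b"X-NAI-Gauntlet-mimepp: Attachment removed"


def classify(raw: bytes) -> str:
    """Return 'discard', 'mention' or 'clean' for one raw message (hypothetical helper)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdict = "clean"
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if MARKER not in payload:
            continue
        name = (part.get_filename() or "").lower()
        # Assumption: the replacement is an attachment named <original>.htm
        # (e.g. patch.exe.htm) that contains the marker text.
        if part.get_content_disposition() == "attachment" and name.endswith(".htm"):
            return "discard"
        verdict = "mention"  # marker only quoted in ordinary text so far
    return verdict


def sample_message(cleaned: bool) -> bytes:
    """Build a constructed test message; addresses and wording are made up."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "user@example.org"
    m["Subject"] = "constructed sample"
    if cleaned:
        m.set_content("See the attached patch.")
        m.add_attachment("<html>" + MARKER.decode() + "</html>\n",
                         subtype="html", filename="patch.exe.htm")
    else:
        m.set_content("My rule matches the text\n" + MARKER.decode() + "\nanywhere.\n")
    return m.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, classify(sample_message(flag)))
```

A "mention" verdict is the case the post jokes about: the marker appears only in ordinary text, so the message is left for the normal Spamassassin handling.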
