[Mimedefang] Mimedefang and clamav
Douglas J Hunley
doug at hunley.homeip.net
Sun Jan 26 17:20:00 EST 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
John spewed electrons into the ether that resembled:
> CLAMSCAN 'clamav' NO (not found)
> CLAMD 'clamd' NO (not found)
> I guess what is killing me is the no recognition of clamav in the configure
> script, when in fact it is installed.
where is clamd? where is clamscan? mine are /usr/sbin and /usr/bin
respectively. MD found them just fine.
>
> Maybe it's my mimedefang-filter file. There are no examples anywhere of
> setting up the filter with clamd. I am no novice to Unix, (Linux) and MD &
> SpamAssassin are playing nicely together.
doubtful. here's mine as an example. it works for me.
> MD doc's indicate MD should automatically recognize Clam stuff...
as long as it is looking wherever you installed it. did you install it to
/opt?
> Can someone please point me in the right direction...
Maybe we could get David to add some configure switches? something like:
./configure --with-clamav=/opt/clamav
David?
- --
Douglas J Hunley (doug at hunley.homeip.net) - Linux User #174778
Admin: Linux StepByStep - http://www.linux-sxs.org
and http://jobs.linux-sxs.org
"I didn't know it was impossible when I did it."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+NF8x2MO5UukaubkRAi53AJ9kSPR8C0PFi6wYEKspbfO9SWCWJQCeJD7f
2O2eSr9ufpZlW+kqKir9HE8=
=ifys
-----END PGP SIGNATURE-----
-------------- next part --------------
#-*-Perl-*-
#
# mimedefang-filter
#
# Global declarations

# Mailbox that receives quarantine notifications, and its display name.
# NOTE(review): the " at " inside the addresses in this file looks like
# list-archive obfuscation of "@" -- confirm before reusing these values.
$AdminAddress = 'defang-admin at linux-sxs.org';
$AdminName    = 'MIMEDefang Administrator';

# Address that mail generated by MIMEDefang appears to come from.
$DaemonAddress = 'mimedefang at linux-sxs.org';

# 1 = try to put warnings inline in the message body rather than in a
# separate attachment.
$AddWarningsInline = 1;

# Send virus/spam/etc. activity to syslog.
md_log_enable('mail');

# Block messages with more than 50 MIME parts.
# This relies on the Roaring Penguin version of MIME-Tools.
$MaxMIMEParts = 50;

# Set to 1 if your mailer cannot cope with nested multipart messages.
$Stupidity{flatten} = 0;

# Set to 1 if your mailer cannot cope with multiple 'inline' parts.
$Stupidity{NoMultipleInlines} = 0;

# 0 = let SpamAssassin run its network checks as well as its local ones.
$SALocalTestsOnly = 0;
# Global functions
# filter_bad_filename($entity)
#
# Returns whatever re_match() returns for $entity against a pattern that
# describes a "dangerous" attachment name; callers treat a true result as
# "reject".  re_match() is supplied by MIMEDefang and is not defined in
# this file.
#
# This is an extension denylist: an extension that is not in the list is
# not caught by this check.
sub filter_bad_filename($) {
    my ($entity) = @_;

    # Extensions considered executable or otherwise risky.  The final
    # alternative, \{, catches a dot followed by an opening curly brace.
    my $bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|\{)';

    # A dot, a bad extension, any number of trailing dots, and then either
    # the end of the name or a character outside [-A-Za-z0-9_.,].
    my $re = join '', '\.', $bad_exts, '\.*([^-A-Za-z0-9_.,]|$)';

    return re_match($entity, $re);
}
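# filter_sender($sender, $hostip, $hostname, $helo)
#
# Traps mail whose envelope sender claims one of a few well-known domains
# while the relay's host name is not inside that domain.
#
# Returns a two-element list: (1, "OK") to let the message continue, or
# (0, $reason) to refuse it.
#
# Changes from the earlier version of this sub:
#   - The empty prototype "()" is gone; the sub reads four arguments.
#   - The loop variable is lexical and the qw() list is parenthesised;
#     "foreach $x qw(...)" is a syntax error on current perls.
#   - Domains are matched on a label boundary.  A plain suffix comparison
#     treated "notaol.com" as "aol.com", both for the sender and for the
#     relay name, so a relay called "evilaol.com" passed the check.
#   - The relay name is lower-cased before comparing, like the sender.
#
# NOTE(review): $hostname is whatever the caller resolved for the relay.
# Whether it is forward-confirmed is not visible here; an unverified PTR
# name is chosen by whoever controls the relay's reverse zone, so this
# check should not be the only defence against forged senders.
# $helo is accepted but unused.
sub filter_sender {
    my ($sender, $hostip, $hostname, $helo) = @_;

    # Normalise both sides: lower-case, and no angle brackets on the sender.
    $sender   = defined $sender   ? lc $sender   : '';
    $hostname = defined $hostname ? lc $hostname : '';
    $sender =~ tr/<>//d;

    foreach my $domain (qw(aol.com hotmail.com earthlink.net yahoo.com ibm.com)) {
        # Only senders in $domain or one of its subdomains are of interest.
        next unless $sender =~ /[\@.]\Q$domain\E\z/;

        # The relay must be $domain itself or a host underneath it.
        next if $hostname eq $domain or $hostname =~ /\.\Q$domain\E\z/;

        return (0, "Mail from $domain not permitted from relay $hostip");
    }

    return (1, "OK");
}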
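# filter_begin: called once on the whole message (think pre-process).
#
# Steps, in order:
#   1. Normalise @Recipients and, when the exempt recipient is present,
#      ask stream_by_recipient() to split the message; stop if it did.
#   2. Scan with File::Scan and then clamd.  A virus from either scanner
#      bounces the message.
#   3. If a scanner asked for a temporary failure, tempfail the message
#      instead of stamping it as scanned.
#   4. Run SpamAssassin on messages under 256 KB and bounce or tag.
#
# Change from the earlier version: the scanners' $action result used to be
# ignored, so a scanner that could not run left the message looking clean
# and it still received "X-Virus-Scanned: OK".  The message is now deferred
# in that case.  A host where one of the two scanners is not installed will
# therefore defer mail until that scanner call is removed from this sub.
#
# Every helper called here (stream_by_recipient, message_contains_virus_*,
# md_log, action_*, spam_assassin_check) and every global it reads comes
# from MIMEDefang, not from this file.
sub filter_begin() {
    # The loop variable aliases the elements of @Recipients, so the clean-up
    # below is applied to the global array itself.  That is deliberate: the
    # per-part filters in this file compare $Recipients[0] with the
    # lower-case, bracket-free address.
    foreach my $recip (@Recipients) {
        $recip =~ tr/<>//d;
        $recip = lc($recip);
        next unless $recip eq 'netllama at linux-sxs.org';
        return if stream_by_recipient();
    }

    # --- virus scanning -------------------------------------------------
    my $scan_failed = 0;

    my ($code, $category, $action) = message_contains_virus_filescan();
    $FoundVirus = ($category eq "virus");
    if ($FoundVirus) {
        md_log('virus', $VirusName, $RelayAddr);
        return action_bounce("Found $VirusName. Rejected.");
    }
    $scan_failed = 1 if $action eq 'tempfail';

    # Second opinion from clamd; clear the first scanner's messages first.
    $VirusScannerMessages = "";
    ($code, $category, $action) = message_contains_virus_clamd();
    $FoundVirus = ($category eq "virus");
    if ($FoundVirus) {
        md_log('virus', $VirusName, $RelayAddr);
        return action_bounce("Found $VirusName. Rejected.");
    }
    $scan_failed = 1 if $action eq 'tempfail';

    # Fail closed: an unscanned message must not carry the "scanned" header.
    if ($scan_failed) {
        md_log('virus_scan_failed', $RelayAddr);
        return action_tempfail("Virus scanner unavailable. Please try again later.");
    }
    action_change_header("X-Virus-Scanned", "OK, scanned by File::Scan,ClamAV");

    # --- spam scanning --------------------------------------------------
    return unless $Features{"SpamAssassin"};

    # Messages of 256 KB or more are not spam-checked; the header says so.
    if ((-s "./INPUTMSG") >= 256*1024) {
        action_change_header("X-Spam-Status", "Message size greater than 256Kb - Spam check skipped");
        return;
    }

    my ($hits, $req, $names, $report) = spam_assassin_check();

    # Hard limit: 9 or more hits is refused outright.
    if ($hits >= 9) {
        md_log('spam', $hits, $RelayAddr);
        return action_bounce("SpamAssassin says this email is SPAM. Rejected.");
    }

    # Over the SpamAssassin threshold but under the hard limit: tag only.
    if ($hits >= $req) {
        md_log('spam', $hits, $RelayAddr);
        action_change_header("X-Spam-Warning", "SpamAssassin says this message is SPAM");
        action_change_header("X-Spam-Status", "Yes, hits=$hits, required=$req (www.spamassassin.org)");
        # One star per whole hit, capped at 50 stars.
        my $graph = '*' x ($hits > 50 ? 50 : int($hits));
        action_change_header("X-Spam-Level", "$graph $hits $graph");
        return;
    }

    action_change_header("X-Spam-Status", "No, hits=$hits, required=$req (www.spamassassin.org)");
}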
# filter($entity, $fname, $ext, $type): called on each MIME entity.
#
# Checks run in this order, and the first one that fires decides:
#   - nothing to do if the message has already been rejected
#   - mail whose first recipient is the exempt address is accepted as is
#   - message/partial parts are bounced
#   - suspicious characters in the headers bounce the message
#   - a name matching \.eml is bounced
#   - a name matching filter_bad_filename() is bounced
#   - text/html parts go through the HTML cleaner when that feature is on
#   - everything else is accepted
#
# NOTE(review): the exemption comes before every security check and looks
# only at $Recipients[0]; it depends on filter_begin having lower-cased
# that entry and stripped its angle brackets.
#
# message_rejected, md_log, re_match, anomy_clean_html and the action_*
# calls are provided by MIMEDefang, not by this file.
sub filter($$$$) {
    my ($entity, $fname, $ext, $type) = @_;

    # Avoid unnecessary work.
    if (message_rejected()) {
        return;
    }

    # Exempt recipient: accept without looking at the part.
    if ($Recipients[0] eq 'netllama at linux-sxs.org') {
        return action_accept();
    }

    # message/partial can be used to slip content past a scanner in pieces.
    my $is_partial = (lc($type) eq "message/partial");
    if ($is_partial) {
        md_log('message/partial');
        return action_bounce("Message rejected because of message/partial type");
    }

    if ($SuspiciousCharsInHeaders) {
        md_log('suspicious_chars');
        return action_bounce("Suspicious characters in headers. Rejected");
    }

    # An .eml part outside a multipart container is not allowed.
    if (re_match($entity, '\.eml')) {
        md_log('non_multipart');
        return action_bounce("A non-multipart attachment named $fname was attached to this document and\nconstituted a security hazard. Rejected");
    }

    if (filter_bad_filename($entity)) {
        md_log('bad_filename', $fname);
        return action_bounce("An attachment named $fname was attached to this document and\nconstituted a security hazard. Rejected");
    }

    # Clean up HTML when the cleaner is available.
    if ($Features{"HTMLCleaner"} and $type eq "text/html") {
        return anomy_clean_html($entity);
    }

    # Nothing objected, so the part is fine.
    return action_accept();
}
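# filter_multipart($entity, $fname, $ext, $type): scan multi-part containers.
#
# Checks run in this order, and the first one that fires decides:
#   - nothing to do if the message has already been rejected
#   - mail whose first recipient is the exempt address is accepted as is
#   - message/partial is bounced
#   - a name matching filter_bad_filename() is bounced
#   - a name matching \.eml whose type is not message/rfc822 is bounced
#   - everything else is accepted
#
# Fix: the bad-filename log call passed $name, a variable that is never set
# in this sub, so the log entry had no file name.  It now passes $fname, the
# same value the bounce text uses.
#
# NOTE(review): the exemption comes before every security check and looks
# only at $Recipients[0]; it depends on filter_begin having lower-cased
# that entry and stripped its angle brackets.
#
# message_rejected, md_log, re_match and the action_* calls are provided by
# MIMEDefang, not by this file.
sub filter_multipart($$$$) {
    my ($entity, $fname, $ext, $type) = @_;

    return if message_rejected();    # Avoid unnecessary work

    # Exempt recipient: accept without looking at the part.
    return action_accept() if ($Recipients[0] eq 'netllama at linux-sxs.org');

    # message/partial can be used to slip content past a scanner in pieces.
    if (lc($type) eq "message/partial") {
        md_log('message/partial');
        return action_bounce("Message bounced because of message/partial type");
    }

    if (filter_bad_filename($entity)) {
        md_log('bad_filename', $fname, $type);
        return action_bounce("An attachment of type $type, named $fname was attached to this document and\nconstituted a security hazard. Rejected");
    }

    # An .eml name is only acceptable on a real message/rfc822 part.
    if (re_match($entity, '\.eml') and ($type ne "message/rfc822")) {
        md_log('non_rfc822', $fname);
        return action_bounce("A non-message/rfc822 attachment named $fname was attached to this document and\nconstituted a security hazard. Rejected");
    }

    return action_accept();
}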
# defang_warning($oldfname, $fname)
#
# Builds the notice shown to the recipient when a dangerous attachment has
# been renamed: it names the original and the new file name and explains
# how to get the original name back.  Returns nothing when the message has
# already been rejected.  message_rejected() is provided by MIMEDefang.
sub defang_warning($$) {
    my ($oldfname, $fname) = @_;

    # Avoid unnecessary work.
    if (message_rejected()) {
        return;
    }

    return "An attachment named '$oldfname' was converted to '$fname'.\n"
         . "To recover the file, right-click on the attachment and Save As\n"
         . "'$oldfname'\n";
}
# DO NOT DELETE THIS LINE
# The file ends by evaluating to a true value; presumably the code that
# loads this filter checks for that -- confirm against the loader.
1;