[Mimedefang] Mimedefang and clamav

Douglas J Hunley doug at hunley.homeip.net
Sun Jan 26 17:20:00 EST 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John spewed electrons into the ether that resembled:
> CLAMSCAN 'clamav'    NO (not found)
> CLAMD    'clamd'     NO (not found)
> I guess what is killing me is the no recognition of clamav in the configure
> script, when in fact it is installed.


where is clamd? where is clamscan? mine are /usr/sbin and /usr/bin 
respectively. MD found them just fine.

>
> Maybe it's my mimedefang-filter file.  There are no examples anywhere of
> setting up the filter with clamd.  I am no novice to Unix, (Linux) and MD &
> SpamAssassin are playing nicely together.

Doubtful. Here's mine as an example; it works for me (note that it runs File::Scan first and only falls through to clamd if that finds nothing).

> MD doc's indicate MD should automatically recognize Clam stuff...

as long as it is looking wherever you installed it. did you install it to 
/opt?

> Can someone please point me in the right direction...

Maybe we could get David to add some configure switches? something like:
./configure --with-clamav=/opt/clamav 
David?
- -- 
Douglas J Hunley (doug at hunley.homeip.net) - Linux User #174778
Admin: Linux StepByStep - http://www.linux-sxs.org
	and http://jobs.linux-sxs.org

"I didn't know it was impossible when I did it."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+NF8x2MO5UukaubkRAi53AJ9kSPR8C0PFi6wYEKspbfO9SWCWJQCeJD7f
2O2eSr9ufpZlW+kqKir9HE8=
=ifys
-----END PGP SIGNATURE-----
-------------- next part --------------
#-*-Perl-*-
#
# mimedefang-filter
#

# Global declarations

# Where quarantine notifications go, and the display name they carry.
$AdminAddress = 'defang-admin at linux-sxs.org';
$AdminName    = "MIMEDefang Administrator";

# Envelope sender used for mail that MIMEDefang itself generates.
$DaemonAddress = 'mimedefang at linux-sxs.org';

# Put warnings into the message body rather than as a separate attachment.
$AddWarningsInline = 1;

# Send virus/spam/etc. events to syslog under the 'mail' facility.
md_log_enable('mail');

# Refuse messages with more than this many MIME parts. Requires the
# Roaring Penguin version of MIME-Tools.
$MaxMIMEParts = 50;

# Workarounds for mailers that cannot cope with nested multipart or with
# more than one 'inline' part. Both disabled here.
$Stupidity{"flatten"}           = 0;
$Stupidity{"NoMultipleInlines"} = 0;

# Allow SpamAssassin's network checks in addition to its local rules.
$SALocalTestsOnly = 0;

# Global functions

# return true for entities w/ bad filenames
# filter_bad_filename - true when the entity's filename carries an
# extension we refuse to deliver (Windows executables, scripts,
# shortcuts, registry/INF files, and CLSID-style '{...}' names).
# The actual match is delegated to MIMEDefang's re_match().
sub filter_bad_filename($) {
	my ($entity) = @_;

	# Extensions that are never delivered. 'jse?' covers both .js and
	# .jse; '\{' catches names ending in a CLSID brace.
	my @blocked = qw(
		ade adp app asd asf asx bas bat chm cmd com cpl crt dll exe fxp
		hlp hta hto inf ini ins isp jse? lib lnk mdb mde msc msi msp mst
		ocx pcd pif prg reg scr sct sh shb shs sys url vb vbe vbs vcs vxd
		wmd wms wmz wsc wsf wsh \{
	);
	my $ext_alt = '(' . join('|', @blocked) . ')';

	# ".<ext>", optionally followed by trailing dots, then either the end
	# of the name or a character that cannot continue a filename token.
	# So "setup.exe", "setup.exe." and "setup.exe " all trip, while
	# "notes.exe.txt" does not.
	my $pattern = '\.' . $ext_alt . '\.*([^-A-Za-z0-9_.,]|$)';

	return re_match($entity, $pattern);
}

# trap messages pretending to be some certain hosts when they are not
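# filter_sender - reject envelope senders that claim one of a few big
# domains but arrive from a relay outside that domain.
#
# Arguments: ($sender, $hostip, $hostname, $helo) as supplied by
# MIMEDefang. $helo is not consulted. Returns (1, "OK") to accept, or
# (0, $reason) to reject.
#
# Fixes over the original:
#  - domain matching now requires a boundary: the sender must be
#    user@domain or user@x.domain, and the relay must be domain or
#    x.domain. The original used a bare ends-with test, so
#    "u@notaol.com" was treated as AOL mail and a relay named
#    "xaol.com" was accepted as an AOL relay.
#  - $hostname is lower-cased (and tolerated when undefined) so mixed-case
#    reverse DNS does not cause false rejections.
#  - "foreach $domain qw(...)" without parentheses is a syntax error on
#    current Perls, and the original "()" prototype would reject a normal
#    four-argument call at compile time; both are gone.
sub filter_sender {
	my ($sender, $hostip, $hostname, $helo) = @_;

	# Normalize sender to lower-case and drop the angle brackets.
	$sender = lc($sender);
	$sender =~ tr/<>//d;

	# Relay name as seen by the MTA; may be empty or a bracketed IP when
	# there is no reverse DNS, which then never matches any domain.
	my $relay = defined($hostname) ? lc($hostname) : '';

	foreach my $domain (qw(aol.com hotmail.com earthlink.net yahoo.com ibm.com)) {
		# Sender must end in "@domain" or ".domain" - not merely "domain".
		next unless $sender =~ /[\@.]\Q$domain\E\z/;

		# Relay must be the domain itself or a host inside it.
		unless ($relay eq $domain or $relay =~ /\.\Q$domain\E\z/) {
			return (0, "Mail from $domain not permitted from relay $hostip");
		}
	}
	return (1, "OK");
}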

# filter_begin: called on the whole message (think pre-process)
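# filter_begin - called once per message, before the per-part filters.
# Streams netllama's mail out, runs both virus scanners, then
# SpamAssassin. Returns the rejecting action, or nothing to continue.
#
# Fix over the original: the "X-Virus-Scanned: OK" header was added for
# EVERY non-virus result, including scanner failures (the $code/$action
# values were captured and ignored). Now only a clean result from both
# scanners is stamped OK; anything else is logged and stamped Incomplete.
sub filter_begin() {
	# Exclude netllama's mail. $recip aliases the element of @Recipients,
	# so the bracket-stripping and lower-casing below modify @Recipients
	# in place; filter() and filter_multipart() compare $Recipients[0]
	# against the bracket-less form and depend on that.
	foreach my $recip (@Recipients) {
		$recip =~ tr/<>//d;
		$recip = lc($recip);
		if ($recip eq 'netllama at linux-sxs.org') {
			# Only succeeds for multi-recipient mail: each copy is then
			# re-sent and filtered on its own.
			if (stream_by_recipient()) {
				return;
			}
		}
	}

	# Virus check, File::Scan first. Each wrapper returns
	# ($code, $category, $action); $category eq "virus" is a hit.
	my ($fs_code, $fs_category, $fs_action) = message_contains_virus_filescan();
	$FoundVirus = ($fs_category eq "virus");
	if ($FoundVirus) {
		md_log('virus', $VirusName, $RelayAddr);
		return action_bounce("Found $VirusName. Rejected.");
	}

	# Then ClamAV. Clear the scanner output first so any message text
	# comes from clamd alone.
	$VirusScannerMessages = "";
	my ($clam_code, $clam_category, $clam_action) = message_contains_virus_clamd();
	$FoundVirus = ($clam_category eq "virus");
	if ($FoundVirus) {
		md_log('virus', $VirusName, $RelayAddr);
		return action_bounce("Found $VirusName. Rejected.");
	}

	# MIMEDefang's scanner wrappers report category "ok" for a clean scan;
	# anything else (e.g. a scanner that could not run) must not be
	# stamped clean. If every message comes out "Incomplete", confirm the
	# category names against the installed MIMEDefang version. A stricter
	# deployment would tempfail here instead of delivering.
	if ($fs_category eq "ok" and $clam_category eq "ok") {
		action_change_header("X-Virus-Scanned", "OK, scanned by File::Scan,ClamAV");
	} else {
		md_log('virus_scan_incomplete', "File::Scan=$fs_category ClamAV=$clam_category", $RelayAddr);
		action_change_header("X-Virus-Scanned", "Incomplete (File::Scan: $fs_category, ClamAV: $clam_category)");
	}

	# Spam check. Messages of 256KiB or more are not scanned at all and
	# are marked as such in the header.
	if ($Features{"SpamAssassin"}) {
		my $reject_score = 9;   # reject outright at or above this score
		if (-s "./INPUTMSG" < 256*1024) {
			my ($hits, $req, $names, $report) = spam_assassin_check();
			if ($hits >= $reject_score) {
				md_log('spam', $hits, $RelayAddr);
				return action_bounce("SpamAssassin says this email is SPAM. Rejected.");
			} elsif ($hits >= $req) {
				# Over SpamAssassin's own threshold but under ours: tag it.
				md_log('spam', $hits, $RelayAddr);
				action_change_header("X-Spam-Warning","SpamAssassin says this message is SPAM");
				action_change_header("X-Spam-Status","Yes, hits=$hits, required=$req (www.spamassassin.org)");
				my $graph = '*' x ($hits > 50 ? 50 : int($hits));   # capped bar graph
				action_change_header("X-Spam-Level","$graph $hits $graph");
			} else {
				action_change_header("X-Spam-Status","No, hits=$hits, required=$req (www.spamassassin.org)");
			}
		} else {
			action_change_header("X-Spam-Status","Message size greater than 256Kb - Spam check skipped");
		}
	}
}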

# filter - called on each MIME entity
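# filter - called on each non-multipart MIME entity. Returns the action
# for that part: a bounce of the whole message for dangerous content, a
# cleaned replacement for HTML, or action_accept().
#
# Fix over the original: the MIME type is compared case-insensitively
# throughout. The original lower-cased it for message/partial but tested
# text/html with a case-sensitive eq, so a "Text/HTML" part would have
# skipped the HTML cleaner.
sub filter($$$$) {
	my ($entity, $fname, $ext, $type) = @_;

	return if message_rejected(); # Avoid unnecessary work

	# netllama's mail is exempt from every check below (message/partial,
	# bad filenames, HTML cleaning). Relies on filter_begin() having
	# normalized @Recipients (brackets stripped, lower-cased) and, for
	# multi-recipient mail, on stream_by_recipient() having split it.
	return action_accept() if ($Recipients[0] eq 'netllama at linux-sxs.org');

	my $mime_type = lc($type);

	# message/partial can be used to reassemble content that no single
	# part would reveal to a scanner; reject it outright.
	if ($mime_type eq "message/partial") {
		md_log('message/partial');
		return action_bounce("Message rejected because of message/partial type");
	}

	# Message-level flag set by MIMEDefang; checked per part so the first
	# part rejects the message.
	if ($SuspiciousCharsInHeaders) {
		md_log('suspicious_chars');
		return action_bounce("Suspicious characters in headers. Rejected");
	}

	# A non-multipart part named .eml is not a real forwarded message.
	if (re_match($entity, '\.eml')) {
		md_log('non_multipart');
		return action_bounce("A non-multipart attachment named $fname was attached to this document and\nconstituted a security hazard. Rejected");
	}

	if (filter_bad_filename($entity)) {
		md_log('bad_filename', $fname);
		return action_bounce("An attachment named $fname was attached to this document and\nconstituted a security hazard. Rejected");
	}

	# Clean up HTML if possible.
	if ($Features{"HTMLCleaner"} and $mime_type eq "text/html") {
		return anomy_clean_html($entity);
	}

	# Nothing objectionable in this part.
	return action_accept();
}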

# filter_multipart - scan multi-part attachments
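# filter_multipart - called on each multipart MIME entity. Rejects
# message/partial, blocked filenames, and .eml names that are not
# message/rfc822; otherwise accepts.
#
# Fixes over the original:
#  - the bad-filename log line referenced $name, which is never set, so
#    the offending filename was logged as empty; it now logs $fname.
#  - the MIME type is compared case-insensitively in both tests, matching
#    the message/partial check.
sub filter_multipart($$$$) {
	my ($entity, $fname, $ext, $type) = @_;

	return if message_rejected(); # Avoid unnecessary work

	# netllama's mail is exempt from every check below; depends on
	# filter_begin() having normalized @Recipients in place.
	return action_accept() if ($Recipients[0] eq 'netllama at linux-sxs.org');

	my $mime_type = lc($type);

	if ($mime_type eq "message/partial") {
		md_log('message/partial');
		return action_bounce("Message bounced because of message/partial type");
	}

	if (filter_bad_filename($entity)) {
		md_log('bad_filename', $fname, $type);
		return action_bounce("An attachment of type $type, named $fname was attached to this document and\nconstituted a security hazard. Rejected");
	}

	# A .eml name is only legitimate on a genuine forwarded message.
	if (re_match($entity, '\.eml') and ($mime_type ne "message/rfc822")) {
		md_log('non_rfc822', $fname);
		return action_bounce("A non-message/rfc822 attachment named $fname was attached to this document and\nconstituted a security hazard. Rejected");
	}

	return action_accept();
}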

# defang_warning - change the names on dangerous attachments
# defang_warning - text inserted into the message when an attachment has
# been renamed. $oldfname is the original name, $fname the defanged one.
# Returns nothing if the message has already been rejected.
sub defang_warning($$) {
	my ($oldfname, $fname) = @_;

	return if message_rejected(); # Avoid unnecessary work

	my $notice = "An attachment named '$oldfname' was converted to '$fname'.\n"
	           . "To recover the file, right-click on the attachment and Save As\n"
	           . "'$oldfname'\n";
	return $notice;
}

# DO NOT DELETE THIS LINE
1;

