[Mimedefang] filtering bad filename vs. file scanning

cc cc at belfordhk.com
Thu Sep 25 23:13:01 EDT 2003


Hi,

Since I started using MIMEDefang, any EXE files are removed from the
email.  Currently, this is a good thing (with SWEN swarming around
the 'Net), but is it a good thing in the long run?

Right now, MIMEDefang is discarding EXE files via the
filter_bad_extensions() function.  But how do I
scan the EXE file and then filter it?

I have ClamD installed, but I can't tell whether or not
MIMEDefang is even using it.  During installation,
the installation script definitely found Virus::ClamAV,
but there's no indication that it's using it.

In the MIMEDefang filter file I only made minor changes,
but left the sequence of functions as is.  So given
that, wouldn't MIMEDefang scan the file and then
discard it with a final message telling the user
that the Virus So-and-so was found and the whole
attachment was discarded?

# This part is from filter_begin()

 if (spam_assassin_is_spam() ){
    action_add_header("X-Spam-Warning","SpammAssassin says this is SPAM");
    action_change_header("Subject","** SPAM ** : $Subject");
 }

 # Scan for viruses if any virus-scanners are installed
 my($code, $category, $action) = message_contains_virus();

 # Lower level of paranoia - only looks for actual viruses
 $FoundVirus = ($category eq "virus");

 if ($FoundVirus){
    action_add_header('X-Virus-Caught:',"$VirusName");
    action_replace_with_warning("Virus was removed from this message.\n\nTech Support.\n");
 }

In filter():

    # Virus scan
    if ($FoundVirus) {
        my($code, $category, $action);
        $VirusScannerMessages = "";
        # Virus scanning process
    }

    if (filter_bad_filename($entity)) {
        md_graphdefang_log('bad_filename', $fname, $type);
        return action_quarantine($entity,
            "An attachment named $fname was removed from this document as it\n" .
            "constituted a security hazard.  If you require this document, please contact\n" .
            "the sender and arrange an alternate means of receiving it.\n");
    }

So wouldn't it detect the virus (i.e. SWEN) and then discard with
the X-Virus-Caught: header added and the quarantine message added
to the message to the user?

How do I get mimedefang to run in test mode to check whether it is
using the virus scanner properly? (Short of sending myself a
virus.)

Any clarifications appreciated.
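
An added example, not part of the original post or of the MIMEDefang distribution: one way to order the checks so that each part is virus-scanned before the filename rule is applied. It assumes a recent mimedefang.pl that provides entity_contains_virus(), action_drop_with_warning(), message_rejected() and md_syslog(), and it reuses the filter_bad_filename() helper from the poster's filter file; the message wording is illustrative.

```perl
# Fragment for the mimedefang-filter file; mimedefang.pl loads it (not stand-alone).
sub filter_begin {
    my($entity) = @_;

    # Whole-message scan with whichever scanners mimedefang.pl detected.
    my($code, $category, $action) = message_contains_virus();

    # Log the result of every scan so detections and scanner errors
    # are visible in the mail log.
    md_syslog('info', "virus scan: code=$code category=$category action=$action");

    # A scanner that could not run must not be treated as "clean".
    if ($action eq 'tempfail') {
        return action_tempfail("Problem running virus scanner");
    }

    $FoundVirus = ($category eq 'virus');
    # The header name is passed without a trailing colon.
    action_add_header('X-Virus-Caught', $VirusName) if $FoundVirus;
}

sub filter {
    my($entity, $fname, $ext, $type) = @_;
    return if message_rejected();

    # 1. Scan first: after a whole-message hit, find the infected part.
    if ($FoundVirus) {
        my($code, $category, $action) = entity_contains_virus($entity);
        if ($category eq 'virus') {
            md_graphdefang_log('virus', $VirusName, $fname);
            return action_drop_with_warning(
                "An attachment named $fname was removed because the virus\n" .
                "$VirusName was found in it.\n");
        }
    }

    # 2. Filename policy second: reached only by parts that scanned clean.
    if (filter_bad_filename($entity)) {
        md_graphdefang_log('bad_filename', $fname, $type);
        return action_quarantine($entity,
            "An attachment named $fname was removed from this document as it\n" .
            "constituted a security hazard.\n");
    }

    return action_accept();
}
```

Running `mimedefang.pl -features` lists the scanners that were detected at install time, and `mimedefang.pl -test` checks the filter file for syntax errors before it goes live.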









