[Mimedefang] action_drop_with_warning called outside of filter context

Nels Lindquist nlindq at maei.ca
Wed Feb 21 11:28:00 EST 2018


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2018/02/21 8:13 AM, saqariden wrote:

> We are running mimedefang with Spamassassin and Clamav to secure
> our mailling server. but actually, i have a probleme with
> mimedefang-filter. the following error appear when a virus is
> detected:
> 
> mimedefang.pl[10245]: w1K87JOB027594: Detected virus 
> PUA.Win.Trojan.EmbeddedPDF-1 mimedefang.pl[10245]: w1K87JOB027594:
> action_drop_with_warning called outside of filter context
> 
> then the attachment was not dropped. here is my filter:
> 
> sub filter_begin { my($entity) = @_; if ($SuspiciousCharsInHeaders)
> { md_graphdefang_log('suspicious_chars'); return action_discard(); 
> } md_copy_orig_msg_to_work_dir_as_mbox_file();
> 
> # Scan for viruses if any virus-scanners are installed my($code,
> $category, $action) = message_contains_virus();
> 
> # Lower level of paranoia - only looks for actual viruses 
> $FoundVirus = ($category eq "virus");
> 
> # Higher level of paranoia - takes care of "suspicious" objects #
> $FoundVirus = ($action eq "quarantine");
> 
> if ($FoundVirus) { md_graphdefang_log('virus', $VirusName,
> $RelayAddr);
> 
> md_syslog('warning', "Detected virus $VirusName"); return
> action_drop_with_warning("An attachment of type $type, named $fname
> was removed from this document as it\nconstituted$ }
> 
> the action discard work correctly but it's not what i'm looking
> for, i want to drop just the infected file and make a warning on
> the email, Please, how can i correct this? thank you.

Please have a look at the mimedefang-filter manpage, paying particular
attention to the "CALLING SEQUENCE" section.  In short, you can't
apply actions to message parts from filter_begin().  Have a look at
filter() and filter_multipart(); you'll have to run the virus scanner
on each message part (which is expensive) and handle the disposition
at that level.

Why do you want to do this at all, though?  There's virtually no
utility to passing virus-containing messages on to recipients even
with their payloads stripped. Consider discarding or rejecting the
entire message instead.

- ----
Nels Lindquist <nlindq at maei.ca>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlqNnhAACgkQh6z5POoOLgQOzwCgyXBUAfoZ/2Nxt3nrkaIb8yjK
9ZoAnjBksD7PVdH7XzxWz+EDJ3Ybk3Ax
=3JBC
-----END PGP SIGNATURE-----



More information about the MIMEDefang mailing list