Is there a way for me to configure Exim to reject incoming viruses detected by clamav, but also send a notification e-mail to the receipient with information about the rejection? Or perhaps there is a way to make it work like spamassassin where a report gets sent to the user, but instead of attaching the original message, have it send a version of e-mail with the virus/attachment removed.
The first request is always a bad idea, as most viruses no use their own built-in SMTP server and send email out with forged headers, so your bounces will be going to completely innocent people, making the load on email worse.
As to the second request, I don't know for sure, hopefully someone with exiscan experience will come along. I would not be surprised if this type of configurability is available, though. It is certainly easy to do with MailScanner
As to the second request, I don't know for sure, hopefully someone with exiscan experience will come along. I would not be surprised if this type of configurability is available, though. It is certainly easy to do with MailScanner
I cannot find where I got this from - (I know try to keep all the sources from this knid of stuff) but this drops those attachments and delivers the rest of the email. Maybe someone can show how to add a message or at least a header.
but now I just use Clamav.
Code:
#BLOCK .PIF, .SCR, OR .EXE ATTACHMENTS
#In /etc/antivirus.exim, before the section:
if not first_delivery
then
finish
endif
Add the following:
# Look for .pif, .scr or .exe in files and REMOVE them!
if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|exe|pif|scr)\")"
then
seen finish
endif
# same again using unquoted filename [content_type_unquoted_fn_match]
if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|exe|pif|scr))"
then
seen finish
endif
# Look for .pif, .scr or .exe in files and REMOVE them!
# Quoted filename - [body_quoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|exe|pif|scr)\")[\\\\s;]"
then
seen finish
endif
# same again using unquoted filename [body_unquoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|exe|pif|scr))[\\\\s;]"
then
seen finish
endif
Last edited:
exiscan works at the MTA level, and when it bounces a mail with virus inside it, it sends a rejection message with the virus information inside it.viet said:
If you are looking at more functionality on this front, then mailscanner is the way though its not recommended on heavy mail servers since heavy load is associated with mailscanner.
That message is sent to the sender - not recipient - unless you know how to do both??anand said:
I would not send a bounce message back - as most of the time the sender header is forged and probably does not even exist. Then all the undelivered messeges fill up MY mail queue as they keep retrying....
Sorry i messed that part. Yes it only notifies the sender. Also exiscan works on the MTA level so there is no question of mails filling up your mailq before they never enter that arealloyd_tennison said:
