
Exim/Exiscan/ClamAV reject viruses and notify?

Discussion in 'General Discussion' started by viet, Nov 4, 2004.

  1. viet

    Is there a way for me to configure Exim to reject incoming viruses detected by ClamAV, but also send a notification e-mail to the recipient with information about the rejection? Or perhaps there is a way to make it work like SpamAssassin, where a report gets sent to the user, but instead of attaching the original message, have it send a version of the e-mail with the virus/attachment removed.
     
  2. chirpy

    The first request is always a bad idea, as most viruses now use their own built-in SMTP server and send email out with forged headers, so your bounces will be going to completely innocent people, making the load on email worse.

    As to the second request, I don't know for sure, hopefully someone with exiscan experience will come along. I would not be surprised if this type of configurability is available, though. It is certainly easy to do with MailScanner ;)
     
  3. lloyd_tennison

    I cannot find where I got this from (I now try to keep all the sources from this kind of stuff), but this drops those attachments and delivers the rest of the email. Maybe someone can show how to add a message or at least a header.


    Code:
    #BLOCK .PIF, .SCR, OR .EXE ATTACHMENTS
    
    #In /etc/antivirus.exim, before the section:
    
    if not first_delivery
    then
      finish
    endif
    
    
    #Add the following:
    
    # Look for .pif, .scr or .exe in files and REMOVE them!
    if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|exe|pif|scr)\")"
    then
      seen finish
    endif
    
    # same again using unquoted filename [content_type_unquoted_fn_match]
    if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|exe|pif|scr))"
    then
      seen finish
    endif
    
    # Look for .pif, .scr or .exe in files and REMOVE them!
    # Quoted filename - [body_quoted_fn_match]
    if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|exe|pif|scr)\")[\\\\s;]"
    then
      seen finish
    endif
    
    # same again using unquoted filename [body_unquoted_fn_match]
    if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|exe|pif|scr))[\\\\s;]"
    then
      seen finish
    endif
    
    But now I just use ClamAV.
     
    #3 lloyd_tennison, Nov 4, 2004
    Last edited: Nov 4, 2004
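
An added example, not part of the post above or of cPanel's own files: it reduces the post's four `matches` strings to the regular expressions Exim ends up evaluating and runs them over constructed headers and bodies to show which rule fires. The sample messages, the function names and the 500-character `$message_body` window (Exim's default `message_body_visible`) are assumptions.

```python
import re

# Pieces of the post's four patterns, copied as written between the quotes.
EXT = r'\\\\.(?:ad[ep]|exe|pif|scr)'
QUOTED = r'(\"[^\"]+' + EXT + r'\")'
UNQUOTED = r'(\\\\S+' + EXT + r')'
HEADER_PREFIX = r'(?:file)?name='
BODY_PREFIX = (r'(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+'
               r'|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name='
               r'|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))')
BODY_SUFFIX = r'[\\\\s;]'
FILTER_STRINGS = {
    'header_quoted': HEADER_PREFIX + QUOTED,
    'header_unquoted': HEADER_PREFIX + UNQUOTED,
    'body_quoted': BODY_PREFIX + QUOTED + BODY_SUFFIX,
    'body_unquoted': BODY_PREFIX + UNQUOTED + BODY_SUFFIX,
}

def exim_to_regex(filter_string):
    """Undo the two backslash passes Exim applies (quoted string, then expansion)."""
    s = filter_string
    for _ in range(2):
        s = re.sub(r'\\(.)', r'\1', s)
    # (?>...) only limits backtracking here; (?:...) matches the same text
    # and compiles on Python versions older than 3.11.
    return s.replace('(?>', '(?:')

# Lowercase "matches" in an Exim filter is case-independent.
REGEXES = {n: re.compile(exim_to_regex(s), re.I) for n, s in FILTER_STRINGS.items()}
BODY_VISIBLE = 500  # assumption: Exim's default message_body_visible

def matched_rules(content_type, body):
    """Rules from the post that fire for a top-level Content-Type value and a body."""
    # $message_body: start of the body only, newlines turned into spaces.
    visible = body[:BODY_VISIBLE].replace('\n', ' ')
    return [n for n, rx in REGEXES.items()
            if rx.search(content_type if n.startswith('header') else visible)]

# Constructed samples, not real mail.
PART = '--b1\nContent-Type: application/octet-stream; name=setup.exe\n\nAAAA\n'
SAMPLES = {
    'top-level attachment': ('application/octet-stream; name="invoice.PIF"', ''),
    'attachment in first part': ('multipart/mixed; boundary="b1"', PART),
    'attachment after long text': ('multipart/mixed; boundary="b1"', 'x' * 600 + '\n' + PART),
    'pdf': ('application/pdf; name="report.pdf"', ''),
}

if __name__ == '__main__':
    for label, (ctype, body) in SAMPLES.items():
        print(f'{label}: {matched_rules(ctype, body) or "no rule fires"}')
```

The "attachment after long text" sample fires no rule because the part header lies outside the window the filter sees, whereas a content scanner such as ClamAV is handed the whole message.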
  4. anand

    exiscan works at the MTA level, and when it bounces a mail with virus inside it, it sends a rejection message with the virus information inside it.

    If you are looking at more functionality on this front, then MailScanner is the way, though it's not recommended on heavy mail servers since heavy load is associated with MailScanner.
     
  5. lloyd_tennison

    That message is sent to the sender - not recipient - unless you know how to do both??

    I would not send a bounce message back - as most of the time the sender header is forged and probably does not even exist. Then all the undelivered messages fill up MY mail queue as they keep retrying....
     
  6. haze

    There are actually email blocking lists out there for servers that send back bounced infection emails. Just something to be cautious of.
     
  7. anand

    Sorry, I messed that part. Yes, it only notifies the sender. Also exiscan works on the MTA level so there is no question of mails filling up your mailq before they never enter that area ;)
     