Exim/Exiscan/ClamAV reject viruses and notify?

The first request is always a bad idea, as most viruses no use their own built-in SMTP server and send email out with forged headers, so your bounces will be going to completely innocent people, making the load on email worse.

As to the second request, I don't know for sure, hopefully someone with exiscan experience will come along. I would not be surprised if this type of configurability is available, though. It is certainly easy to do with MailScanner

 

I cannot find where I got this from - (I know try to keep all the sources from this knid of stuff) but this drops those attachments and delivers the rest of the email. Maybe someone can show how to add a message or at least a header.

Code:

#BLOCK .PIF, .SCR, OR .EXE ATTACHMENTS

#In /etc/antivirus.exim, before the section:

if not first_delivery
then
  finish
endif


Add the following:

# Look for .pif, .scr or .exe in files and REMOVE them!
if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|exe|pif|scr)\")"
then
seen finish
endif

# same again using unquoted filename [content_type_unquoted_fn_match]
if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|exe|pif|scr))"
then
seen finish
endif

# Look for .pif, .scr or .exe in files and REMOVE them!
# Quoted filename - [body_quoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|exe|pif|scr)\")[\\\\s;]"
then
seen finish
endif

# same again using unquoted filename [body_unquoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|exe|pif|scr))[\\\\s;]"
then
seen finish
endif

but now I just use Clamav.

 

exiscan works at the MTA level, and when it bounces a mail with virus inside it, it sends a rejection message with the virus information inside it.

If you are looking at more functionality on this front, then mailscanner is the way though its not recommended on heavy mail servers since heavy load is associated with mailscanner.

 

That message is sent to the sender - not recipient - unless you know how to do both??

I would not send a bounce message back - as most of the time the sender header is forged and probably does not even exist. Then all the undelivered messeges fill up MY mail queue as they keep retrying....

 

There are actually email blocking lists out there for servers that send back bounced infection emails. Just something to be cautious of.

 

Sorry i messed that part. Yes it only notifies the sender. Also exiscan works on the MTA level so there is no question of mails filling up your mailq before they never enter that area