Exim/Exiscan/ClamAV reject viruses and notify?

viet

Member
Jun 21, 2004
9
0
151
Is there a way for me to configure Exim to reject incoming viruses detected by clamav, but also send a notification e-mail to the recipient with information about the rejection? Or perhaps there is a way to make it work like spamassassin where a report gets sent to the user, but instead of attaching the original message, have it send a version of the e-mail with the virus/attachment removed.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
13,437
33
473
Go on, have a guess
The first request is always a bad idea, as most viruses now use their own built-in SMTP server and send email out with forged headers, so your bounces will be going to completely innocent people, making the load on email worse.

As to the second request, I don't know for sure, hopefully someone with exiscan experience will come along. I would not be surprised if this type of configurability is available, though. It is certainly easy to do with MailScanner ;)
 

lloyd_tennison

Well-Known Member
Mar 12, 2004
697
1
168
I cannot find where I got this from (I know, I try to keep all the sources for this kind of stuff), but this drops those attachments and delivers the rest of the email. Maybe someone can show how to add a message or at least a header.


Code:
#BLOCK .PIF, .SCR, OR .EXE ATTACHMENTS

#In /etc/antivirus.exim, before the section:

if not first_delivery
then
  finish
endif


Add the following:

# Look for .pif, .scr or .exe in files and REMOVE them!
# Note: "seen finish" marks the message as handled and stops the filter,
# so the whole message is discarded (no delivery, no bounce).
# Inside the double-quoted Exim strings below, \\ stands for one regex backslash.
if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\.(?:ad[ep]|exe|pif|scr)\")"
then
  seen finish
endif

# same again using unquoted filename [content_type_unquoted_fn_match]
if $header_content-type: matches "(?:file)?name=(\\S+\\.(?:ad[ep]|exe|pif|scr))"
then
  seen finish
endif

# Look for .pif, .scr or .exe in files and REMOVE them!
# Quoted filename - [body_quoted_fn_match]
# ($message_body only covers the first message_body_visible bytes of the body)
if $message_body matches "(?:Content-(?:Type:(?>\\s*)[\\w-]+/[\\w-]+|Disposition:(?>\\s*)attachment);(?>\\s*)(?:file)?name=|begin(?>\\s+)[0-7]{3,4}(?>\\s+))(\"[^\"]+\\.(?:ad[ep]|exe|pif|scr)\")[\\s;]"
then
  seen finish
endif

# same again using unquoted filename [body_unquoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\s*)[\\w-]+/[\\w-]+|Disposition:(?>\\s*)attachment);(?>\\s*)(?:file)?name=|begin(?>\\s+)[0-7]{3,4}(?>\\s+))(\\S+\\.(?:ad[ep]|exe|pif|scr))[\\s;]"
then
  seen finish
endif
but now I just use Clamav.
 

anand

Well-Known Member
Nov 11, 2002
1,432
1
168
India
cPanel Access Level
DataCenter Provider
viet said:
Is there a way for me to configure Exim to reject incoming viruses detected by clamav, but also send a notification e-mail to the recipient with information about the rejection? Or perhaps there is a way to make it work like spamassassin where a report gets sent to the user, but instead of attaching the original message, have it send a version of the e-mail with the virus/attachment removed.
exiscan works at the MTA level, and when it bounces a mail with virus inside it, it sends a rejection message with the virus information inside it.

If you are looking for more functionality on this front, then mailscanner is the way, though it's not recommended on heavy mail servers since heavy load is associated with mailscanner.
 

lloyd_tennison

Well-Known Member
Mar 12, 2004
697
1
168
anand said:
exiscan works at the MTA level, and when it bounces a mail with virus inside it, it sends a rejection message with the virus information inside it.
That message is sent to the sender - not recipient - unless you know how to do both??

I would not send a bounce message back, as most of the time the sender header is forged and probably does not even exist. Then all the undelivered messages fill up MY mail queue as they keep retrying....
 

haze

Well-Known Member
Dec 21, 2001
1,540
3
318
There are actually email blocking lists out there for servers that send back bounced infection emails. Just something to be cautious of.
 

anand

Well-Known Member
Nov 11, 2002
1,432
1
168
India
cPanel Access Level
DataCenter Provider
lloyd_tennison said:
That message is sent to the sender - not recipient - unless you know how to do both??

I would not send a bounce message back, as most of the time the sender header is forged and probably does not even exist. Then all the undelivered messages fill up MY mail queue as they keep retrying....
Sorry, I messed up that part. Yes, it only notifies the sender. Also, exiscan works on the MTA level, so there is no question of mails filling up your mailq, because they never enter that area ;)
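The point made by chirpy, haze and anand above is that a virus-infected message should be refused while the sending host is still connected, not accepted and then bounced to a forged sender. The following is an added example of that approach, written for this thread rather than taken from any poster, from cPanel's shipped exim.conf, or from Exim's documentation. It assumes an Exim built with content scanning (which the exiscan-based cPanel build is), a clamd socket path that is only a placeholder, and reuses the extension list from lloyd_tennison's filter. Both checks run as SMTP-time ACLs, so the message is never queued on this server and no local bounce is ever produced.

```exim
# --- main configuration section (assumed to be editable on your build) ---

# Placeholder socket path: use the one your clamd actually listens on.
av_scanner = clamd:/var/run/clamav/clamd.sock

# Wire the two ACLs below into the SMTP transaction.
acl_smtp_mime = acl_check_mime
acl_smtp_data = acl_check_data

# --- ACL section ---
begin acl

acl_check_mime:
  # Runs once per MIME part. Refuse the same extensions the filter earlier
  # in the thread looks for, but with a 5xx during the SMTP dialogue:
  # the sending MTA gets the error and is responsible for telling its
  # own user, and nothing is generated locally for a forged sender.
  deny
    condition   = ${if match{$mime_filename}{\N(?i)\.(ad[ep]|exe|pif|scr)$\N}}
    message     = Attachment type not accepted: $mime_filename
    log_message = rejected attachment $mime_filename from $sender_address

  accept

acl_check_data:
  # Runs once after the whole message has been received. Hand it to clamd;
  # if anything is found, reject it in the same way. $malware_name carries
  # the signature name for the log and the rejection text.
  deny
    malware     = *
    message     = Message rejected: malware detected ($malware_name)
    log_message = rejected malware $malware_name from $sender_address to $recipients

  accept
```

Because the rejection happens before Exim takes responsibility for the message, the server never holds it in its queue and never has a bounce to retry against a non-existent sender, which is exactly the failure mode lloyd_tennison describes. The trade-off is the one viet raised at the start: the intended recipient is not told that something was refused on their behalf; only the log line records it.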