Gossamer Forum

ClamAV and Attachments Scanning?

Hi.

ClamAV is becoming most popular and has got an ever increasing userbase. It's fine at having the mailserver set to reject messages with virus/malware at SMTP level. Using local SMTP also guarantees that GM users cannot deliver virus infected messages to each other, though with the following drawback:

"local SMTP does not send any bounce notification to the infected message sender"

Is there a thought of having some sort of Virus Scanning using ClamAV (or for that matter other Virus Scanners) for scanning the attachments being uploaded?

TIA
Anup
Re: [anup123] ClamAV and Attachments Scanning?
Hey Anup,

It looks like CPAN has a Perl module for this: File::Scan::ClamAV. Looks like it would be an easy Plugin to make too. I'll see if I can put it together after I get done with the one I'm working on now.

~Charlie
Re: [anup123] ClamAV and Attachments Scanning?
I'd just like to add, that with all the viruses going around which have forged headers, turning on virus notifications is a bad idea. It just annoys the hell out of everyone who gets them and is a waste of bandwidth.

Adrian
Re: [brewt] ClamAV and Attachments Scanning?
Yeah, it does. I must get at least 3 or 4 a day now :/

~Charlie
Re: [brewt] ClamAV and Attachments Scanning?
Hi.

With remote smtp, virus infected messages being refused delivery to server, the bounce is handled at the sender's server level so no worries of build up of mailQ etc. as it's the sender's server which is handling the bounces (if they do it).

Problem comes when it's a local delivery issue. Say GM users to GM users on same server with local smtp configured in GM. Fine, the recipient would not get an infected message, but at the same time the GM user sending the message does not ever come to know that the mail was not delivered as it was virus infected (most of the time attachments).

In order to take care of above scenario partly, would it not be fine that the attachments being uploaded by a GM user is scanned for Viruses? Would it be OK in the above setup where Virus Notifications are not being sent by server after accepting the Message as such messages are never accepted for delivery.

TIA
Anup
Re: [anup123] ClamAV and Attachments Scanning?
IMHO, for most mail servers, virus infected mail should be silently dropped since very few legitimate emails contain viruses - the other 99% being emails sent by worms with forged headers. This means all these other people are getting these bounce/virus notification emails when they aren't even infected. This is extremely annoying and not very effective (not to mention confuses the people who receive these emails).

On the other hand, dropping legitimate emails that contain viruses is a bad thing, but email has never been a guaranteed delivery sort of deal.

I think the best solution would be to be able to know what type of virus it was. If it was a worm (one that spreads by automatically sending itself to other people through email), then it should silently drop it. If it were some other type of virus then a bounce/notification could be sent.

Yes, I think attachment scanning on upload would be a good thing to have. That would prevent any infected email from coming from your server.

Adrian
Re: [brewt] ClamAV and Attachments Scanning?
Hi.

Following is what I have for Exim 4.34 with exiscan patch (replacing Mailscanner which unnecessarily increased server load and built up mailQ):

##### clamav ACL, reject virus infected mails with proper error
deny  message = This message contains malformed MIME ($demime_reason).
      demime = *
      condition = ${if >{$demime_errorlevel}{2}{1}{0}}
deny  message = This message contains a virus or other harmful content \
                ($malware_name)
      demime = *
      malware = *
deny  message = This message has been rejected because it has\n\
                a potentially executable attachment $1\n\
                This form of attachment has been used by\n\
                recent viruses or other malware.\n\
                If you meant to send this file then please\n\
                package it up as a zip file and resend it.
      demime = ade:adp:bas:bat:chm:cmd:com:cpl:crt:eml:exe:hlp:hta:inf:ins:isp:jse:lnk:mdb:mde:msc:msi:msp:pcd:reg:scr:sct:shs:url:vbs:vbe:wsf:wsh:wsc
##### end clamav ACL

This takes care of *No Virus Infected Messages* being able to be delivered to server.

Yes attachment scanning would at least ensure that GM user on server is not responsible for any virus infected messages.

Anup
Re: [anup123] ClamAV and Attachments Scanning?
In Reply To:
This takes care of *No Virus Infected Messages* being able to be delivered to server.

My point is that I hate mail servers which send these notifications to me even though it was sent to them via some worm on someone else's computer.

Adrian
Re: [anup123] ClamAV and Attachments Scanning?
Hey Anup,

Give this Plugin a try. I don't have any virus infected files to test with but when I switched around the results of the scan it seemed to block legit files so it should work in theory :) If it works for you I will need to clean up the error messages and add an admin option to set the ClamAV port.

~Charlie
Re: [Chaz] ClamAV and Attachments Scanning?
Hi.

Worked As Expected Right In The First Go. I tested with EICAR File and it detected and refused upload. That's great. I have put it in place and it's online now :-)

As an extension, just check if the following could be a *Feature* of this.
Say a GM user has already received a mail which had a virus but went undetected due to *perhaps* no virus signature being available on the date, but it becomes available later on. The GM user (say me) is forwarding the same mail to you. While forwarding, the infected attachment is attached to the mail. Could it be that all attachments, whether being uploaded afresh or part of a mail being forwarded, are also scanned? This could be asking for too much but even in its present state, it really serves the purpose where a GM user cannot be the *initiator* of transmitting a virus infected mail.

From my end, it works great. That was a pretty fast plugin I must say and end it with Thank You :)

[EDIT] Aah I forgot to mention: Is it possible for the Alert Message to contain the name of the virus detected on scan? [/EDIT]

Anup

Last edited by:

anup123: Jul 13, 2004, 12:59 AM
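
An added example (not Charlie's plugin or any code from this thread) of the upload check discussed above: it streams an attachment to clamd with the INSTREAM command, puts the detected signature name in the refusal message, and refuses the upload when the scanner cannot be reached. The function names and the clamd address 127.0.0.1:3310 are assumptions.

```python
import socket
import struct

CLAMD_ADDR = ("127.0.0.1", 3310)   # assumption: clamd listening on its default TCP port
CHUNK = 64 * 1024


def parse_reply(raw):
    """Map clamd's reply to (verdict, detail)."""
    text = raw.rstrip(b"\0").decode("utf-8", "replace").strip()
    status = text.partition(": ")[2]          # "stream: OK" -> "OK"
    if status == "OK":
        return "clean", None
    if status.endswith(" FOUND"):
        return "infected", status[: -len(" FOUND")]
    return "error", text                      # e.g. a size-limit ERROR or an empty reply


def scan_stream(sock, fileobj):
    """Send fileobj over an open clamd connection using INSTREAM framing."""
    sock.sendall(b"zINSTREAM\0")
    while chunk := fileobj.read(CHUNK):
        # Each chunk is prefixed with its length as a 4-byte big-endian integer.
        sock.sendall(struct.pack("!I", len(chunk)) + chunk)
    sock.sendall(struct.pack("!I", 0))        # zero-length chunk ends the stream
    raw = b""
    while not raw.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            break
        raw += part
    return parse_reply(raw)


def accept_upload(fileobj, connect=None):
    """Return (accepted, message); anything but a clean verdict refuses."""
    connect = connect or (lambda: socket.create_connection(CLAMD_ADDR, timeout=10))
    try:
        with connect() as sock:
            verdict, detail = scan_stream(sock, fileobj)
    except OSError as exc:                    # clamd down, timeout, connection reset
        verdict, detail = "error", str(exc)
    if verdict == "clean":
        return True, "Attachment accepted."
    if verdict == "infected":
        return False, f"Attachment refused: {detail} detected."
    return False, "Attachment refused: virus scanner unavailable."
```

The same `accept_upload` call can be run over an attachment carried along in a forwarded message, since it only needs a readable file object.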
Re: [brewt] ClamAV and Attachments Scanning?
Hi.

I think Hotmail doesn't even process bounce messages. So it's up to the Admin of the remote server to see what they do with the bounce messages. I tried delivering a virus infected message from Hotmail to my account on my server (a virus which McAfee Scanner on Hotmail could not detect) and the message never reached me but at the same time Hotmail never really bothered to let me have the bounce message.

Same when tried from Yahoo, though Yahoo let me have the bounce message. This is how my server logfile entry looks for an infected message:

2004-07-13 13:05:50 1BkHpJ-0001hD-Nv H=(mail.somedomain.com) [xxx.xx.xxxx.xxxx] F=<user@somedomain.com> rejected after DATA: This message contains a virus or other harmful content (Worm.Mydoom.Gen-1)


Thanks
Anup
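
An added example, not code from this thread: it reads Exim rejection lines of the form quoted above, pulls out the signature name that the ACL's `$malware_name` put in the message, and applies the worm-versus-other notification rule Adrian proposed earlier. The sample log lines other than the first are constructed, and classifying by a "Worm" component in the signature name is an assumed heuristic.

```python
import re
from collections import Counter

# Rejection logged for the thread's "malware = *" ACL; the parenthesised
# suffix is $malware_name as reported by the scanner.
REJECT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) H=(?P<host>.*?) \[(?P<ip>[^\]]+)\]"
    r".*? F=<(?P<sender>[^>]*)> rejected after DATA: "
    r"This message contains a virus or other harmful content "
    r"\((?P<signature>[^()]+)\)\s*$"
)

# First line is the one quoted in the post; the rest are constructed.
SAMPLE_LOG = [
    "2004-07-13 13:05:50 1BkHpJ-0001hD-Nv H=(mail.somedomain.com) "
    "[xxx.xx.xxxx.xxxx] F=<user@somedomain.com> rejected after DATA: "
    "This message contains a virus or other harmful content (Worm.Mydoom.Gen-1)",
    "2004-07-13 13:09:12 1BkHsa-0001hX-2b H=(relay.example.net) [192.0.2.10] "
    "F=<alice@example.net> rejected after DATA: This message contains a "
    "virus or other harmful content (Trojan.Constructed.Sample)",
    "2004-07-13 13:11:40 1BkHux-0001i2-7c H=(mx.example.org) [192.0.2.20] "
    "F=<> rejected after DATA: This message contains malformed MIME "
    "(constructed reason).",
    "2004-07-13 13:12:01 1BkHvG-0001iA-Qz <= bob@example.org H=(mx.example.org) "
    "[192.0.2.20] P=esmtp S=1532",
]


def parse_reject(line):
    """Return the fields of a virus rejection line, or None for other lines."""
    m = REJECT_RE.match(line.strip())
    return m.groupdict() if m else None


def notification_policy(signature):
    # Assumed heuristic: the malware type is one dot-separated part of the name.
    is_worm = "worm" in signature.lower().split(".")
    return "drop-silently" if is_worm else "notify-sender"


def summarize(lines):
    """Count rejections per signature and per notification decision."""
    by_signature, by_policy = Counter(), Counter()
    for rec in filter(None, map(parse_reject, lines)):
        by_signature[rec["signature"]] += 1
        by_policy[notification_policy(rec["signature"])] += 1
    return by_signature, by_policy
```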
Re: [Chaz] ClamAV and Attachments Scanning?
Hi.

Yes the scan mentions the "Virus Detected Name" Fine. Tried With Few Attachments And It Worked Fine. Glad to say that it detected Virus In A Zip File Which McAfee on Hotmail Still refuses to scan as it says that the file is "Password Protected" so it cannot be scanned.....

A question:

Can this be integrated also with the Fileman mod that you had done:

http://www.gossamer-threads.com/...i?post=264893#264893

Thnx.
Anup

Last edited by:

anup123: Jul 13, 2004, 5:43 AM
Re: [anup123] ClamAV and Attachments Scanning?
Quote:
Can this be integrated also with the Fileman mod that you had done:

http://www.gossamer-threads.com/...i?post=264893#264893

I don't think FileMan has hooks yet. You can do it but it would need to be hard coded into fileman.

~Charlie
Re: [anup123] ClamAV and Attachments Scanning?
Quote:
From my end, it works great. That was a pretty fast plugin I must say and end it with Thank You :)

[EDIT] Aah I forgot to mention: Is it possible for the Alert Message to contain the name of the virus detected on scan? [/EDIT]

Cool, let me polish it up then I'll post the final in the Plugins area. Adding the virus name should be possible.

Thanks,
Charlie
Re: [Chaz] ClamAV and Attachments Scanning?
Here's the final version: Post #269699

Let me know if you spot any problems.

~Charlie
Re: [Chaz] ClamAV and Attachments Scanning?
Hi Charlie.

It worked like a charm ... had to restart httpd after uninstall (old) and install (new).

How could the color of the Message be changed to Red from Green, which it is now? (Just some cosmetics ;) )

Anyway, it's great and I think it could also be done up for all attachments handling (like on GF/Links etc.)....

Thanks once again :)

Anup

Last edited by:

anup123: Jul 21, 2004, 2:34 PM
Re: [anup123] ClamAV and Attachments Scanning?
Quote:
How could the color of the Message be changed to Red from Green, which it is now? (Just some cosmetics ;) )

Hmm, good point. It should be an error message instead of a regular message. I'll see if I can't figure that out.

Quote:
Anyway, it's great and I think it could also be done up for all attachments handling (like on GF/Links etc.)....

I was thinking along those lines already. I'll see if I can get it working for GForum but I don't have Links.

Quote:
Thanks once again :)

No worries.

~Charlie
Re: [Chaz] ClamAV and Attachments Scanning?
Hi

Quote:
I was thinking along those lines already. I'll see if I can get it working for GForum but I don't have Links.

I have a working copy of LinksSQL (though not using any Attachments Feature So Far). Do let me know whenever you would need to try out.

Thanks
Anup