[Exim] Mental Core Dump: Virus Scanning from a system filter…

Top Page

Reply to this message
Author: Marc Haber
To: exim-users
Subject: [Exim] Mental Core Dump: Virus Scanning from a system filter revisited

it has been some time since the implementation of a scanner for
malicious code in e-mail has been discussed here. However, there are
multiple new thoughts, and I'd like to re-hash some part of this

People I have been talking with about scanning for malicious code are
concerned about the following things:

scan should be done once per message, not once per delivery attempt,
and not once per recipient.

a clean message should only be passed through the MTA once.

scan should be done by a child process of exim to solve locking
problems and to prevent problems that can be caused by another daemon

Only documented interfaces to exim and the queue should be used.

A message should be considered malicious if it contains malicious code
or has been found to have content that cannot be unpacked for

If a malicious message has been detected, it should be possible to
perform one or more of the following actions:
- bounce the message
- send an information mail to receipient and/or sender
- delete malicious message entirely
- save malicious message to a dedicated mailbox
- remove the offending part from the message and deliver the rest

It should be optionally possible to forbid certain kinds of
attachments entirely.

In discussions with Tom Kistner and Rainer Link, I have came up with a
solution that I did not yet try in practice for lack of time :-(

We should have a system filter that calls an embedded perl function
that does the scanning. It uses exim -Mvb and exim -Mvh (or the
possibly future exim -Mva [1]) to obtain the message's header and body
and do its scanning business. If the message is classified malicious,
the embedded perl function could create new messages according to
configuration (see (f) above) and subsequently fail delivery in the
system filter, preventing the malicious message from being delivered
in the first place. Probably, a bounce would be created to the sender,
but I'd consider that a feature if the message is failed with "see
notification report sent in a separate e-mail message". If the
function determines a message to be clean, normal delivery can be
continued. Thus, a clean message is only passed through the MTA a
single time.

What are your opinions about this concept?


[1] which would make the code better reuseable for other MTAs as well,
I think

-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber          |   " Questions are the         | Mailadresse im Header
Karlsruhe, Germany  |     Beginning of Wisdom "     | Fon: *49 721 966 32 15
Nordisch by Nature  | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29