[Exim] Exiscan v2 problem?

Author: George R Kasica
Date:
To: Suresh Ramasubramanian
CC: exim-users
Old Topics: [Exim] Re: Strange mainlog entries
Subject: [Exim] Exiscan v2 problem?
On Thu, 1 Nov 2001 21:57:15 +0530, you wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>+++ George R. Kasica [exim-users] <01/11/01 10:18 -0600>:
>> It appears as if its email destined to a local account that doesn't
>> exist and it rapidly deleted...is there any way to get more of a
>> message than what its giving me or to prevent it from even accepting
>> the mail and dropping it on the queue?? I'm thinking maybe the
>> sender_verify and receiver_verify options?? Though how much will that
>> slow things up?
>
>A loop in your filter? Or maybe your antivirus solution uses an alias like
>virustest etc, and that alias is not created (and aliased to root)?

I posted the filter from Nigel to the list. I just switched back to
exiscan rather than the v2 version and it appears to be working
normally now...here is my exiscanv2.cf file...what could I be
missing?? It appears that v2 has some type of problem with looping?



[root@eagle exiscan.new]# more exiscanv2.cf
# **********************************************************************
# exiscan configuration file
#
# Take the time to read the comments. You will probably need a second
# terminal to find things out, so open one now :)
#
# This is perl code, read 'inline' by exiscan.pl.
#

# ------------------------------------------------------------------
# Path and program locations
#
# exiscan uses several external binaries to do its job. Most of them
# are standard unix utilities which should be present on every decent
# installation. A download URL is given for the more exotic ones.

# this is where you have put the exiscan package

$basepath="/usr/local/exim/exiscan";

# exim's queue directory

$queuedir="/usr/local/exim/spool/input";

# the ripmime executable. as of exiscan 1.0, this is the preferred
# MIME unpacker. Get it at http://www.pldaniels.com/ripmime/
# Thanks to PL Daniels for making this thing public.

$ripmime = "/usr/local/bin/ripmime";

# the reformime executable. Another MIME mail unpacker.
# This is NOT needed if you have defined ripmime above !
# reformime is part of the "maildrop" package (check FreshMeat on
# "maildrop").

$reformime = "<NOT USED>";

# the tnef executable (OPTIONAL)
# get it at http://world.std.com/~damned/software.html
# a very neat utility which can decode Micro$oft's
# MS-TNEF "wrapper" format, typically created by the
# evil EXCHANGE or OUTLOOK programs. YUKK !!
# This will enable exiscan to look into these obfuscated
# mails :) Set this to "0" if you do not want tnef support.

$tnef = "/usr/local/bin/tnef";

# the exim executable

$exim="/usr/local/exim/sbin/exim";


# ------------------------------------------------------------------
#
# Virus Scanner setup
#

# this matrix shows the supported scanners with their respective
# keywords to use in the "$scanner" setting below. The matrix is VERY
# small right now, as I wait for feedback to include other scanners.
# You can easily support YOUR scanner by using the 'custom' keyword
# and defining the command line flags and the regular expression
# for "virus found" further below. If you do so, PLEASE send me this
# data along with the infos on where to find the scanner (EXACT product name!).
# (Yep, this "matrix" will grow in time .. I hope ;) )

  #    Product                  | Type           | "$scanner" keyword
  # ----------------------------------------------------------------------
  #    McAfee (NAI) uvscan      | command line   | mcafee
  #    Sophos Sweep             | command line   | sophos
  #    Kaspersky's AvpDaemon    | daemon         | avpdaemon
  #    NOD32                    | command line   | nod32
  #    RAV Antivirus            | command line   | rav
  #    CUSTOM                   | command line   | custom


$scanner="sophos";

# By using the 'custom' scanner keyword, you can define your own scanner.
# You'll have to make sure to edit the command line flags for the "custom"
# scanner type in the '$scannerflags' setting below.
# HINT: it is not possible to define "daemon" type scanners with the "custom"
# method.

# If you use a "command line" type scanner, set this to the virus
# scanner executable (full path + executable).
# If you use a "daemon" type scanner, this is the path and filename
# of the UNIX socket used to communicate with the daemon.

$scannerex="/usr/local/bin/sweep";


# Scanner command line flags
# these are the command line flags for the virus scanners defined above.
# You MAY have to edit these because the vendors often change command line
# flags even between minor versions .... sigh.
#
# You may have to check the basedir setting for the nod32 scanner type here.
#
# NOTE: This setting is not needed and ignored for "daemon" type scanners.
#
# IMPORTANT: you MUST include the <DIRECTORY> placeholder, it will be replaced
# with the directory location the scanner should recursively sweep.

  %scannerflags = (
                      'mcafee'     => '--noboot --unzip -r <DIRECTORY>',
                      'sophos'     => '-all -archive -ss <DIRECTORY>',
                      'nod32'      => '-heursafe -basedir=/usr/local/nod32/nod32 -all <DIRECTORY>',
                      'rav'        => '-all -listall -mail -smart -unzip <DIRECTORY>',
                      'custom'     => 'YOUR CMDLINE FLAGS HERE IF USING custom KEYWORD'
                  );



# Scanner result regexp
# this is the regular expression that must match the scanner's output when a virus
# was FOUND. If you roll your own with the 'custom' keyword, make sure it really
# only matches when a virus was found. Both STDOUT and STDERR are searched for this
# expression. NOTE: this is a perl regular expression, sans the // delimiters. It
# is matched case-sensitively on a single line. For help on perl regular expressions,
# type 'man perlre' on your local UNIX system ;)
#
# NOTE: This setting is not needed and ignored for "daemon" type scanners.

  %scannerregexp = (
                      'mcafee'     => 'Found',
                      'sophos'     => 'found',
                      'nod32'      => ' - ',
                      'rav'        => 'Infected: [1-9]',
                      'custom'     => 'YOUR REGEXP HERE IF USING custom KEYWORD'
                   );



# ------------------------------------------------------------------
#
# Content Filter Setup
#
# The content filter can do two things:
#
# 1. block mails by file attachment extensions
# 2. block mails by regular expression
#

# Set this to "1" if you want file attachment extension filtering
#
# Use this feature to block file extensions which are typically used by
# viruses, trojans and worms

$filter_extensions = 1;


# This is the list of file attachments that should be blocked. Please
# note that "exe" is not in my default list given here !

@reject_extensions = ('com','pif','eml','scr','lnk','vbs');


# Set this to "1" if you want regular expression filtering
#
# Please note that you should only use this to catch very new worms or
# viruses for which your scanner vendor has not updated his patterns yet.
# It is NOT wise to blow up this filter too much since you may get false
# positives. When your virus scanner can detect a virus, please do not
# include detection here.

$filter_expressions = 1;


# This is the list of regular expressions to block
# NOTE: these are EXAMPLES to show you how to use the feature. You should
# remove them since these are old worms, every virus scanner should be
# able to handle them. These examples only contain simple strings, but
# since you can include perl regular expressions, you MUST escape ("\")
# perl's regexp control characters if you wish to use them literally !
# (for example, to check for a literal "$", you must write "\$"). Check
# out "man perlre" for more explanations ...

  @reject_regexps = (
                       # SirCam
                       'I send you this file in order to have your advice',
                       # Magistr@MM
                       'CFGWIZ32\.EXE'
                    );



# ------------------------------------------------------------------
#
# Security and Features configuration

# the crypt() salt
# set this to a 2-character string of your liking.
# it is used to determine if a message was REALLY already scanned
# by our system. This prevents attackers from faking a X-Scanner line
# in the mail header. Yes, i KNOW that this is not 100% security, but
# unless you are the admin of Fort Knox it should be sufficient.

$salt = "fo";


# exiscan "forgets" about already scanned mail ID's every $resetinterval
# seconds. This should be set to the value of the exim dequeue interval
# (if you ran exim with a flag of -q1h, then you should set "3600" here.)

$resetinterval="300";


# scankids - the number of parallel scanner processes to fork.
# exiscan will fork a number of scanner processes to unpack and scan
# mail. This speeds up the scanning process tremendously. You can
# configure the number of those processes here. For smaller systems,
# 2 processes will be enough. Bigger systems may need 5-10 processes,
# depending on the mail throughput. WARNING: you can set very high
# numbers here, but you'd better have the hardware to support it ...

$scankids=10;


# queuekids - the number of dequeuing processes to fork.
# exiscan forks children to handle the dequeueing of messages. The number
# of $queuekids should be in the range of 5-30. Higher numbers are well
# possible, but you should have the RAM to support them ...

$queuekids=30;


# sleepdelay - the number of seconds to sleep() between loop runs.
# exiscan (the parent and the children) will spend idle time between
# each of their superloop runs to decrease the load of the server.
# Lower values mean faster reaction times, increased values reduce the
# load significantly. I would recommend to leave this setting at one
# second. For very large mail systems, you may have to RAISE the value to
# decrease load.

$sleepdelay = 1;

# double-unpack SMIME wrapped messages ? such messages are usually
# "double-wrapped" either in MIME or MS-TNEF so we need a second
# unpack run. If you want max speed, set this to 0.
# If you want more security, set this to 1 (default).

$unpack_smime = 1;


# the email addy that gets notification about found viruses. mind the escaped '@' !
#
# IMPORTANT: this must be a fully-qualified address, and this address
# should not be rewritten on your system ! Explanation is that
# exiscan will not work on messages which are sent to the postmaster ONLY, to
# prevent mail loops, since exiscan's admin notification mails
# contain the respective virus themselves ! ;)
# So, if you get a mail loop on "virus found", please check this setting.

$postmaster="postmaster\@netwrx1.com";


# the "from" name and address used when sending notifications to
# users and the postmaster. You can also set it to the same
# address as the $postmaster setting.

$fromaddress="postmaster\@netwrx1.com";


# exiscan has 2 methods of sending notification emails:
#
# - By SMTP. Set $smtphost to the IP address of the host
# where exiscan can deliver its notification mail.
# Normally, you would use the localhost (127.0.0.1).
#
# - By local delivery. Set $smtphost to "local".
# exiscan will then call a local binary to deliver mail.
# This is the preferred method. Some systems seem to have
# problems with Perl's SMTP::Send

$smtphost="local";


# set this to "1" if you want to notify the sender of a virus infected mail
# "0" switches the feature off
# NOTE: to avoid mail loops originating from auto-reply viruses such
# as 'emanuel', a sender notification will be sent only once per
# $resetinterval and recipient.

$sender_notification = 1;


# set this to "1" if you want to notify the recipients of a virus infected mail
# "0" switches the feature off

$rcpt_notification = 1;


# Customize the text used in the notification to the sender and recipients.
# You can use the following variables:
# \n -> a newline
# \$from -> the sender of the message (<sender@???>)
# \@to -> space separated list of recipients
# \$subject -> the subject. may contain funky quoted-printable characters.
# \$postmaster -> the postmaster's email address
# \@scanneroutput -> the output of the virus scanner
# The "\" is necessary as this text will be eval'ed later ..
# the "return" must also stay in place ...
#
# WARNING: if you don't know what you are doing here,
# please leave the default texts in place. Thanks :)

# these are the texts for infections found by the virus scanner
$sender_notification_text = "return \"Your EMail with subject '\$subject', sent to the recipient(s)\n\n\@to\n\ncontains a virus or other harmful content. The message has NOT been delivered to the recipients.\nPlease contact the postmaster (mailto:\$postmaster) to resolve this issue.\n\n\@scanneroutput\"";
$rcpt_notification_text = "return \"An EMail directed to you, with subject '\$subject',\nfrom \$from, contained a virus or other harmful content.\nDo NOT reply to this e-mail.\nContact the original sender of the message (mailto:\$from) to resolve this issue.\n\n\@scanneroutput\"";

# this is the bounce text for unwanted content (file extensions)
$content_notification_text = "return \"Your EMail with subject '\$subject', sent to the recipient(s)\n\n\@to\n\ncontains a file attachment of type '\$ftype'. Our organization does not accept files of this type by email. The message has NOT been delivered to the recipients.\nIf you have further questions, please contact the postmaster (mailto:\$postmaster).\n\"";

# these are the texts for matched regexps (content filter 2)
$regexp_notification_text = "return \"Your EMail with subject '\$subject', sent to the recipient(s)\n\n\@to\n\ncontains a suspicious string ('\$fstring').\nThe message has NOT been delivered to the recipients.\nPlease contact the postmaster (mailto:\$postmaster) to resolve this issue.\n\"";

# A common footer for both notification types. This text will be put
# at the end of notification emails. You can use it to add your
# company footer or anything else.

$notification_footer = "\n\n-- \nMessage generated by exiscan (http://duncanthrax.net/exiscan/)\n";

# the syslog facility to use. Leave it as it is to get output in
# /var/log/mail (or similar)

$facility = LOG_MAIL;


# ------------------------------------------------------------------
#
# Optional Path Configuration
# You may adjust these settings too but it's not necessary if you use
# the standard exiscan directory layout

# directory where mails are unpacked

$checkdir="$basepath/checkqueue";


# where to put virus infested mails

$virusdir="$basepath/virusmails";


# ------------------------------------------------------------------
#
# log level. exiscan has 3 log levels:
# 0 - only logs startup, termination, errors and viruses
# 1 - logs useful stuff (one entry for each scanned mail w/ result)
# 2 - logs more stuff (good as debug mode)

$loglevel = 1;


# end of configuration file
# ------------------------------------------------------------------
# leave this return in place ;)
return(1);

George, MR. Tibbs, Nazerene & The Beast Kasica(8/1/88-3/19/01)
Jackson, WI USA
georgek@???
http://www.netwrx1.com/georgek
ICQ #12862186

      Zz
       zZ
    |\ z    _,,,---,,_
    /,`.-'`'    _   ;-;;,_
   |,4-  ) )-,_..;\ (  `'_'
  '---''(_/--'  `-'\_)
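The two content filters configured in the exiscanv2.cf above (@reject_extensions and @reject_regexps), re-implemented as an added Python example that is not exiscan's own code, to show what those two lists accept and reject on constructed sample mails. It assumes, beyond what the config states, that only the final dotted extension is compared, case-insensitively, and that the regexps are applied per line of each decoded text part.

```python
import email
import re
from email import policy

# Lists copied from the posted exiscanv2.cf (@reject_extensions / @reject_regexps)
REJECT_EXTENSIONS = ('com', 'pif', 'eml', 'scr', 'lnk', 'vbs')
REJECT_REGEXPS = (
    r'I send you this file in order to have your advice',  # SirCam
    r'CFGWIZ32\.EXE',  # Magistr@MM; the dot is escaped, as the config comments require
)


def check_message(raw: bytes):
    """Return ('extension', ext), ('regexp', pattern) or ('clean', '')."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Filter 1: attachment extensions. Assumption (not taken from exiscan): only the
    # final dotted component counts and case is ignored, so 'notes.doc.PIF' is rejected.
    for part in msg.walk():
        name = part.get_filename() or ''
        ext = name.rsplit('.', 1)[1].lower() if '.' in name else ''
        if ext in REJECT_EXTENSIONS:
            return 'extension', ext
    # Filter 2: regexps over every line of every decoded text part, case-sensitive
    # like a bare Perl // match (assumption: exiscan checks line by line).
    for part in msg.walk():
        if part.get_content_maintype() == 'text':
            for line in part.get_content().splitlines():
                for pat in REJECT_REGEXPS:
                    if re.search(pat, line):
                        return 'regexp', pat
    return 'clean', ''


def build(body, filename=None):
    """Constructed sample mail (not a real capture): text body plus optional attachment."""
    lines = ['From: sender@example.invalid', 'To: rcpt@example.invalid', 'Subject: test',
             'MIME-Version: 1.0', 'Content-Type: multipart/mixed; boundary="b1"', '',
             '--b1', 'Content-Type: text/plain', '', body]
    if filename:
        lines += ['--b1', 'Content-Type: application/octet-stream; name="%s"' % filename,
                  'Content-Disposition: attachment; filename="%s"' % filename, '', 'MZ']
    return '\n'.join(lines + ['--b1--', '']).encode()


SAMPLE_PIF = build('Hi! I send you this file in order to have your advice', 'notes.doc.PIF')
SAMPLE_MAGISTR = build('Run CFGWIZ32.EXE to fix your mailbox')
SAMPLE_CLEAN = build('Quarterly numbers attached.', 'report.pdf')
```

The extension filter runs first, so SAMPLE_PIF is rejected for its attachment even though its body also matches the SirCam string; the escaped dot in the Magistr pattern means a body containing "CFGWIZ32XEXE" passes as clean.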