Re: [Exim] Exiscan + ClamAV: Notifications?

Author: Kevin Reed
Date:  
To: exim-users
Subject: Re: [Exim] Exiscan + ClamAV: Notifications?
Jae Chang said:
> I just recently setup Exiscan with ClamAV. I would like to be notified if
> an infected email is received, but am having trouble determining the
> best way of going about this. My relevant ACL section contains:
>
>    deny message = This message contains a virus or other harmful content ($malware_name)
>       demime = *
>       malware = *


I would change your rule to something like....

deny hosts = !not_our_local_or_outgoing_hosts
     message = VIRUS BLOCK: Message contained a Virus ($malware_name)
     log_message = VIRUS BLOCK: ($malware_name)
     demime = *
     malware = *


The hosts line would be used if you have not already forced accept with
the same thing above this rule.

Now setup a simple cron job to scan your log file for "VIRUS BLOCK" and
you have a complete list of when they happened.

You can scan for just that day's worth by comparing against the current
date and the date string in the log file.

Or use something like what I have posted here and look for more stuff:

http://exim.got-there.com/forums/viewtopic.php?t=344#344

Now you get a complete report, which you can email to yourself or someone
else if you want, or pick up for a web page, which is my preference so that
I can see all the system status.

> warn message = X-Redirect-To: spambox@???
>      demime = *
>      malware = *


Not sure why you would want to accept or deliver anything that you have
already determined is bad to yourself.

> However, where would I place this line - before or after the above "deny
> message" line?


It would have to be before since the other will deny the message ending
further checks. You would have to use something in your system_filter
to deal with it beyond that though I think.

BTW... I do scanning of the logs on an hourly basis with the results
ending up on a mail server status webpage. All the mail servers are
collected into a single site along with other status messages like Server
backups, error logs etc... This allows all the admins a quick view of
what is going on, lets the help desk see what might have been denied and
why and keeps me from having to login and check the mail logs all day
long.

Most of it is simple greps of log files.

--
Kevin W. Reed - TNET Services, Inc.
Unofficial Exim MTA Info Forums - http://exim.got-there.com/forums
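The log-scanning cron job suggested in the reply above, written out as an added example (this is not code from the thread or from Kevin's forum post). It assumes the `log_message = VIRUS BLOCK: ($malware_name)` modifier from the suggested ACL, so each rejection appears in Exim's mainlog as a line starting with the `YYYY-MM-DD HH:MM:SS` timestamp and ending in `VIRUS BLOCK: (<name>)`. The log lines below are constructed samples that approximate the mainlog layout; the sender, host and malware names are invented.

```shell
#!/bin/sh
# Constructed sample of Exim mainlog lines (layout approximated, values invented).
# Two days are mixed in so the date filter has something to exclude.
SAMPLE_LOG='2004-03-15 09:12:01 H=(mx.example.net) [192.0.2.10] F=<alice@example.net> rejected after DATA: VIRUS BLOCK: (Eicar-Test-Signature)
2004-03-15 10:40:22 1AxyzQ-0001aB-Cd <= bob@example.org H=(mail.example.org) [198.51.100.7] P=esmtp S=2048
2004-03-15 11:05:43 H=(relay.example.com) [203.0.113.5] F=<carol@example.com> rejected after DATA: VIRUS BLOCK: (Worm.SomeName.A)
2004-03-14 23:58:10 H=(old.example.org) [198.51.100.9] F=<dave@example.org> rejected after DATA: VIRUS BLOCK: (Eicar-Test-Signature)
2004-03-15 12:00:00 H=(relay.example.com) [203.0.113.5] F=<erin@example.com> rejected after DATA: VIRUS BLOCK: (Eicar-Test-Signature)'

# virus_blocks_for_day DAY [LOGFILE]
# Print only the VIRUS BLOCK rejections stamped with DAY (YYYY-MM-DD).
# Reads LOGFILE if given, otherwise stdin. No matches is a normal result.
virus_blocks_for_day() {
    if [ -n "${2:-}" ]; then
        grep "^$1 .*VIRUS BLOCK: " "$2"
    else
        grep "^$1 .*VIRUS BLOCK: "
    fi
    return 0
}

# virus_block_summary DAY [LOGFILE]
# One line per malware name, "<count> <name>", most frequent first.
virus_block_summary() {
    virus_blocks_for_day "$1" "${2:-}" \
      | sed -n 's/.*VIRUS BLOCK: (\(.*\))$/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# virus_block_report DAY [LOGFILE]
# Tab-separated detail lines: time, peer address, envelope sender, malware name.
# Fields are located by shape ([addr], F=<sender>) rather than by position,
# because Exim's H= part may or may not carry a hostname in parentheses.
virus_block_report() {
    virus_blocks_for_day "$1" "${2:-}" | awk '
        {
            time = $2; addr = ""; from = ""; name = ""
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^\[.*\]$/) addr = substr($i, 2, length($i) - 2)
                if ($i ~ /^F=<.*>$/) from = substr($i, 4, length($i) - 4)
            }
            # "VIRUS BLOCK: (" is 14 characters; drop it and the closing ")".
            if (match($0, /VIRUS BLOCK: \(.*\)$/))
                name = substr($0, RSTART + 14, RLENGTH - 15)
            printf "%s\t%s\t%s\t%s\n", time, addr, from, name
        }'
}

# Demo run against the constructed sample for the day it was "captured".
DAY=2004-03-15
echo "Virus blocks on $DAY:"
printf '%s\n' "$SAMPLE_LOG" | virus_block_summary "$DAY"
echo
printf '%s\n' "$SAMPLE_LOG" | virus_block_report "$DAY"
```

From cron the same functions run against the real log with today's date, e.g. `virus_block_report "$(date +%Y-%m-%d)" /var/log/exim4/mainlog`, and the output is piped to `mail` or written to the file a status page picks up; the mainlog path varies by distribution, so check where your Exim actually writes it.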