RE: [exim] Let's talk Scanning, Demime, Decode, Malware

Author: Herb Martin
Date:
To: exim-users
Previous topics: RE: [exim] Let's talk Scanning, Demime, Decode, Malward (was: O'Reilly Exim book useful for Exim 4?)
Subject: RE: [exim] Let's talk Scanning, Demime, Decode, Malware
> -----Original Message-----
> From: exim-users-bounces@???
> [mailto:exim-users-bounces@exim.org] On Behalf Of Fred Viles
> Sent: Wednesday, July 06, 2005 2:34 PM
> To: exim-users@???


> FYI, here's the exiscan portion of my DATA ACL:
>
>   # Quarantine messages with MIME packaging errors
>   warn    message        = X-quarantine: Serious MIME defect detected ($demime_reason). folder=badmime
>           demime         = *
>           condition      = ${if or { \
>                               {>{$demime_errorlevel}{1}} \
>                               {and { \
>                                  {>{$demime_errorlevel}{0}} \
>                                  {match {$demime_reason}{exceeds 76}} \
>                                } \
>                             } \
>                           }{yes}{no}}


What's special about 76+? Or more importantly perhaps,
where are these documented?

>   # Quarantine messages with encrypted archives
>   warn    message        = X-quarantine: Encrypted archive attached. folder=exe
>           demime         = *
>           malware        = Encrypted\..*
>   accept
>           demime         = *
>           malware        = Encrypted\..*


This looks useful.

>   # Reject virus infested messages
>   deny  message     = This message contains malware ($malware_name)
>         demime      = *
>         malware     = *

>
> Adding an X-quarantine: header causes a redirect router to
> route the message to the specified maildir folder for admin review.


I don't think that I understand redirect routers --
my method of accomplishing this is to pick the directory
and file name based on such headers in my transport
section (I am already delivering to individual files in
the users folders -- and to a group of "malware catching"
folders):

(I am on Cygwin so some of the following may seem odd; I
don't fully understand it, except for the pathing items
which I re-coded from examples. The rest was straight cut and
paste.)

local_delivery:
  driver = appendfile
  directory = /cygdrive/C/MERCURY/MAIL/${if def:h_X-SuperSpam: \
    {zsuperspam}{${if def:h_X-Spam-Exim: {zspamassassin}{$local_part}}}}
  directory_file = q${base62:$tod_epoch}-$inode.${if def:h_X-SuperSpam: \
    {cnm}{${if def:h_X-Spam-Exim:{cnm}{cnm}}}}
  delivery_date_add
  envelope_to_add
  return_path_add
  initgroups = no
  mode = 0666
  mode_fail_narrower = no
  check_group = no
  check_owner = no


The working result is that each mail either goes to the localpart
user OR a similar malware catching account.

The referenced user folders are the POP locations for these
users' accounts.
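For readers who, like Herb, have not used a redirect router for this: the mechanism Fred describes (the DATA ACL adds an X-quarantine: header, and a router diverts any such message into a quarantine maildir before the normal local delivery router sees it) can be written in Exim 4 configuration roughly as follows. This is an added illustration, not configuration from either poster. The router and transport names, the /var/mail/quarantine path, the `exim` user and group, the `+local_domains` list from the default configuration, and the `review` fallback folder name are all assumptions.

```exim
# Added example (not from the thread): redirect router that diverts messages
# carrying an X-quarantine: header, as set by the warn verbs in Fred's DATA
# ACL, into /var/mail/quarantine/<folder>/. It must appear before the router
# that does ordinary local delivery (e.g. localuser), because a redirect
# router that accepts an address stops the search. All names and paths here
# are assumptions.

quarantine_redirect:
  driver = redirect
  domains = +local_domains
  # Only fire when the DATA ACL actually added the header.
  condition = ${if def:h_X-quarantine: {yes}{no}}
  # Message headers do not exist yet while recipients are verified at RCPT
  # time, so keep this router out of address verification entirely.
  no_verify
  # Take the "folder=xxx" token from the header; fall back to a generic
  # "review" folder if the ACL did not say where the message should go.
  # The regex avoids backslash escapes so it survives string expansion.
  # The trailing slash marks this as a directory (maildir) delivery, so
  # directory_transport is used rather than file_transport.
  data = /var/mail/quarantine/${if match{$h_X-quarantine:}{folder=([^ ]+)}{$1}{review}}/
  directory_transport = quarantine_maildir

# Transport for the quarantine maildirs. A file or directory delivery
# generated by a redirect router needs an explicit user and group unless
# the router has check_local_user set, so they are fixed here; the
# restrictive modes keep quarantined malware readable only by that user.
quarantine_maildir:
  driver = appendfile
  maildir_format
  create_directory
  directory_mode = 0700
  mode = 0600
  user = exim
  group = exim
```

Two points worth knowing when adapting this: if more than one warn statement fires, $h_X-quarantine: contains all of the added headers joined by newlines, and the regex above picks the first folder= it finds; and because the router keys on a header that your own ACL sets, anything that strips or rewrites headers before routing (or a client that sends its own X-quarantine: header) would change where the message lands, so the ACL should be the only place that header is trusted to come from.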