RE: [exim] Let's talk Scanning, Demime, Decode, Malware

Pàgina inicial
Aquest missatge és part del següent fil:
Ml'arbre de fils complet ordenat per data
MHerb Martin en <-
 
Delete this message
Reply to this message
Autor: Fred Viles
Data:  
A: exim-users
Assumpte: RE: [exim] Let's talk Scanning, Demime, Decode, Malware
On 6 Jul 2005 at 15:11, Herb Martin wrote about
    "RE: [exim] Let's talk Scanning,  De":


| > -----Original Message-----
| > From: exim-users-bounces@???
| > [mailto:exim-users-bounces@exim.org] On Behalf Of Fred Viles
| > Sent: Wednesday, July 06, 2005 2:34 PM
| > To: exim-users@???

Thanks. (I see why you're reluctant to include attributions if this
is the only way LookOut can do it.) 

| > FYI, here's the exiscan portion of my DATA ACL:
| > 
| >   # Quarantine messages with MIME packaging errors
| >   warn    message        = X-quarantine: Serious MIME 
| > defect detected ($demime_reason). folder=badmime
| >        demime        = *
| >        condition    = ${if or { \
| >                     {>{$demime_errorlevel}{1}} \

If demime_errorlevel is 2 or greater, or 

| >                     {and { \
| >                        {>{$demime_errorlevel}{0}} \
| >                        {match 
| > {$demime_reason}{exceeds 76}} \

If demime_reason is "base64 line length exceeds 76 characters". This
is an level 1 error that I want to include, but not other level 1 

| >                      } \
| >                     } \
| >                   }{yes}{no}}
| 
| What's special about 76+?  Or more importantly perhaps,
| where are these documented?

I found the complete list of detected errors, and their associated
error levels, in the source. 

| >   # Quarantine messages with encrypted archives
| >   warn  message    = X-quarantine: Encrypted archive 
| > attached. folder=exe
| >         demime     = *
| >         malware        = Encrypted\..*
| >   accept
| >         demime     = *
| >         malware    = Encrypted\..*
| 
| This looks useful.

It's usefull here because we do send and receive legitimate encrypted
ZIPs on occasion. But lotsa virii send themselves around in
encrypted archives, so I didn't want to disable that test in Clam. 

| >   # Reject virus infested messages
| >   deny  message     = This message contains malware ($malware_name)
| >         demime      = *
| >         malware     = *
| > 
| > Adding an X-quarantine: header causes a redirect router to 
| > route the message to the specified maildir folder for admin review.
| 
| I don't think that I understand redirect routers --

Redirect routers just replace the recipient address, after which the
new address gets re-routed. The most common example of a redirect
router is the system aliases router.

In this case my quarantine router checks for the presence of the
X-quarantine: header and, if present, extracts the folder name in
expanding data=.

| my method of accomplishing this is to pick the directory
| and file name based on such headers in my transport
| section

That's another way to skin the cat.

|...

- Fred






Aquest missatge es va enviar a les següents llistes de correu:
Exim-users
Informació sobre la llista de correu | Missatges propers		<-Re: [exim] Performance ProblemRe: [exim] Re: Pobox and SPF->
Tahini and Hummus and Cumin Development Archives administrat per cumin AdminsLurker (versió 2.3)