RE: [exim] Let's talk Scanning, Demime, Decode, Malware

Author: Fred Viles
Date:
To: exim-users
Subject: RE: [exim] Let's talk Scanning, Demime, Decode, Malware
On 6 Jul 2005 at 15:11, Herb Martin wrote about
    "RE: [exim] Let's talk Scanning,  De":


| > -----Original Message-----
| > From: exim-users-bounces@???
| > [mailto:exim-users-bounces@exim.org] On Behalf Of Fred Viles
| > Sent: Wednesday, July 06, 2005 2:34 PM
| > To: exim-users@???


Thanks. (I see why you're reluctant to include attributions if this
is the only way LookOut can do it.)

| > FYI, here's the exiscan portion of my DATA ACL:
| > 
| >   # Quarantine messages with MIME packaging errors
| >   warn    message        = X-quarantine: Serious MIME defect detected ($demime_reason). folder=badmime
| >        demime        = *
| >        condition    = ${if or { \
| >                     {>{$demime_errorlevel}{1}} \


If demime_errorlevel is 2 or greater, or

| >                     {and { \
| >                        {>{$demime_errorlevel}{0}} \
| >                        {match {$demime_reason}{exceeds 76}} \


If demime_reason is "base64 line length exceeds 76 characters". This
is a level 1 error that I want to include, but not other level 1

| >                      } \
| >                     } \
| >                   }{yes}{no}}
| 
| What's special about 76+?  Or more importantly perhaps,
| where are these documented?


I found the complete list of detected errors, and their associated
error levels, in the source.

| >   # Quarantine messages with encrypted archives
| >   warn  message    = X-quarantine: Encrypted archive attached. folder=exe
| >         demime     = *
| >         malware        = Encrypted\..*
| >   accept
| >         demime     = *
| >         malware    = Encrypted\..*
| 
| This looks useful.


It's useful here because we do send and receive legitimate encrypted
ZIPs on occasion. But lotsa virii send themselves around in
encrypted archives, so I didn't want to disable that test in Clam.

| >   # Reject virus infested messages
| >   deny  message     = This message contains malware ($malware_name)
| >         demime      = *
| >         malware     = *
| > 
| > Adding an X-quarantine: header causes a redirect router to 
| > route the message to the specified maildir folder for admin review.
| 
| I don't think that I understand redirect routers --


Redirect routers just replace the recipient address, after which the
new address gets re-routed. The most common example of a redirect
router is the system aliases router.

In this case my quarantine router checks for the presence of the
X-quarantine: header and, if present, extracts the folder name in
expanding data=.

| my method of accomplishing this is to pick the directory
| and file name based on such headers in my transport
| section


That's another way to skin the cat.

|...

- Fred
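The quarantine router Fred describes above, reconstructed as an added example. This is not Fred's own configuration and not text from the Exim documentation: the router and transport names, the /var/mail/quarantine/ tree, the fallback folder name "review" and the `mail` delivery user are all assumptions. The DATA ACL quoted in the thread adds an X-quarantine: header whose value ends in folder=<name>; this router fires only when that header is present, pulls the folder name out of it and turns the recipient into a directory path, which Exim hands to the directory_transport for maildir delivery:

```exim
# Added example: a redirect router that quarantines messages tagged by the
# DATA ACL.  Put it in the routers section AHEAD of the normal routers
# (dnslookup, system_aliases, localuser, ...) so it sees every recipient first.
# Names, paths and the delivery user below are assumptions, not the thread's.
quarantine:
  driver = redirect
  # Only act when the ACL added the header; every other message falls
  # through to the next router untouched.
  condition = ${if def:h_X-quarantine: {yes}{no}}
  # Rewrite the recipient into an absolute path ending in "/".  The trailing
  # slash makes redirect treat the result as a directory (maildir) delivery.
  # The folder name is taken from "folder=<name>" in the header; the character
  # class keeps a sender-supplied value from carrying "/" or ".." into the path.
  # A tagged message with no folder= lands in the "review" directory.
  data = /var/mail/quarantine/${if match{$h_X-quarantine:}{folder=([A-Za-z0-9_-]+)}{$1}{review}}/
  directory_transport = quarantine_maildir

# appendfile with neither "file" nor "directory" set takes the path from the
# generated address ($address_file), so the router above decides where each
# message goes.  create_directory makes badmime/, exe/ etc. on first use.
quarantine_maildir:
  driver = appendfile
  maildir_format
  create_directory
  # Assumed owner of the quarantine tree.
  user = mail
  group = mail
  mode = 0600
  directory_mode = 0700
```

Two caveats for anyone copying this pattern. The router trusts whatever X-quarantine: header reaches it, so a remote sender who adds one to their own message can divert it into the quarantine tree; strip any inbound X-quarantine: header in the ACL before the warn statements that add yours (current Exim has a `remove_header` ACL modifier for this, and spells header addition as `add_header` rather than the `warn message =` form used in the thread). The `demime` condition the thread relies on was an exiscan-era feature that has since been removed from Exim; the header-driven router and transport are unaffected by that and work with any ACL that adds the header.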