[exim] How to debug malware

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Nigel Wade
Dátum:  
Címzett: Exim users list
Tárgy: [exim] How to debug malware
Hi,

I'm in the process of upgrading our mail server, and part of that process is
upgrading Exim from 4.30 to 4.54. I am currently trying to configure Exim to do
virus scanning using Sophos/sweep.

In the data ACL I have a malware condition which should be finding a virus (I'm
sending it the eicar test virus), but it's not getting picked up. The ACL is
getting executed, but I can't see what it's actually doing.

The ACL in question is:

acl_check_data:

   # Reject empty messages
   deny
         message = Empty message rejected.
         condition = ${if < {$message_size} {2} {1} {0}}


#
# Now do virus scanning with Sophos.
#

   # for locally generated messages, deny virus and send the user a message.
   deny
         hosts = +relay_from_hosts
         message = Your message contains a virus ($malware_name).
         malware = *


   # for external messages with virus send a different message
   deny
         message = The message was rejected because it contains a virus
         malware = *



and the debug output I get is:

15:50:43  9955 using ACL "acl_check_data"
15:50:43  9955 processing "deny"
15:50:43  9955 expanding: $message_size
15:50:43  9955    result: 915
15:50:43  9955 expanding: 2
15:50:43  9955    result: 2
15:50:43  9955 condition: < {$message_size} {2}
15:50:43  9955    result: false
15:50:43  9955 expanding: 1
15:50:43  9955    result: 1
15:50:43  9955 skipping: result is not used
15:50:43  9955 expanding: 0
15:50:43  9955    result: 0
15:50:43  9955 expanding: ${if < {$message_size} {2} {1} {0}}
15:50:43  9955    result: 0
15:50:43  9955 check condition = ${if < {$message_size} {2} {1} {0}}
15:50:43  9955                 = 0
15:50:43  9955 deny: condition test failed
15:50:43  9955 processing "deny"
15:50:43  9955 check hosts = +relay_from_hosts
15:50:43  9955 cached yes match for +relay_from_hosts
15:50:43  9955 cached lookup data = NULL
15:50:43  9955 host in "+relay_from_hosts"? yes (matched "+relay_from_hosts" - 
cached)
15:50:43  9955 check malware = *
15:50:43  9955 expanding: From ${sender_address} ${tod_bsdinbox}
15:50:43  9955
15:50:43  9955    result: From nmw@??? Fri Nov 25 15:50:43 2005
15:50:43  9955
15:50:43  9955 expanding: ${sender_address}
15:50:43  9955    result: nmw@???
15:50:43  9955 condition: def:received_for
15:50:43  9955    result: false
15:50:43  9955 expanding: $received_for
15:50:43  9955    result:
15:50:43  9955 skipping: result is not used
15:50:43  9955 expanding: ${if def:received_for{$received_for}}
15:50:43  9955    result:
15:50:44  9955 deny: condition test failed
15:50:44  9955 processing "deny"
15:50:44  9955 check malware = *
15:50:44  9955 deny: condition test failed


so I don't know whether exim has actually run sweep or not.

Is there any way to increase the debugging output for malware, so I can see what
malware test exim is actually running, and on what? The command I'm using is:

exim -bd -d+all


The same test works perfectly on the existing mail server, running Exim 4.30.
Running sweep manually on email files containing viruses also works, so I don't
think it's sweep that's at fault.


-- 
Nigel Wade, System Administrator, Space Plasma Physics Group,
             University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw@???
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555