David Snowden wrote:
> Hello,
>
> I am looking at adding the Sanesecurity signatures to ClamAV
> (http://www.sanesecurity.com/clamav/), but I want the detection of such
> signatures to increase the SpamAssassin score rather than for Exim to reject
> the message at the DATA ACL stage (which is what happens for the basic
> ClamAV signatures).
>
> I thought it might be possible to use an "add_header" in the ACL
> prior to the point where SpamAssassin is invoked, but on reading the
> manual it appears that the header does not actually get added until *after*
> the ACL, and this would certainly explain why the rule I added to
> SpamAssassin does not seem to be firing.
>
> So, I'm looking for some advice on other ways of achieving the same effect.
> At one extreme I could reject *all* ClamAV signature matches, but the
> feeling on the uk-mail-managers mailing list is that it is better just to
> tag messages that match the Sanesecurity signatures.
>
> For the record, I'm using Exim 4.66, SpamAssassin 3.1.7a and
> ClamAV 0.90.1.
>
> Thanks,
>
> Dave
>
>
Header handling has its own set of rules, and differences in ACLs and routers
as well.
acl_m(n) is your friend here.
Use one or more to store anything from a flag bit to a longish string.
Concatenated strings, or numerical values, incremented/decremented, even.
Act on whatever you are carrying about as early as the next acl, or as late as
router/transport sets, since acl_m's are stored in the queue with each message.
DO add a header no later than delivery if you might need it for debugging a week
later, as the acl_m will be long-gone, but the header will be part of the very
message the luser is griping about. You can also logwrite or log_message the
contents of an acl when and where it makes sense w/o destroying it.
HTH
Bill
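
The approach described in the reply above, sketched as a DATA ACL fragment. This is an added example, not configuration posted by either participant. It assumes Sanesecurity signature names contain the string "Sanesecurity"; the header name, the score bump and the threshold are made-up values.

```exim
# Added example: part of the ACL named by acl_smtp_data.
# acl_m0 = matching ClamAV signature name (empty if clean)
# acl_m1 = extra spam points, in tenths, to match $spam_score_int
acl_check_data:

  # Start from a known value so the arithmetic below never sees an empty string.
  warn    set acl_m1  = 0

  # Scan once; $malware_name holds the signature that matched.
  warn    malware     = *
          set acl_m0  = $malware_name

  # Any match that is NOT a Sanesecurity signature is still rejected outright.
  deny    condition   = ${if !eq{$acl_m0}{}}
          !condition  = ${if match{$acl_m0}{Sanesecurity}}
          message     = This message matched malware signature $acl_m0

  # Sanesecurity match: do not reject, carry a score bump forward instead.
  # The header is added now so it is still on the message when someone asks
  # about it later; the log line records the same decision.
  warn    condition   = ${if match{$acl_m0}{Sanesecurity}}
          set acl_m1  = 30
          add_header  = X-Local-Clam-Tag: $acl_m0
          log_message = Sanesecurity match tagged, not rejected: $acl_m0

  # Run SpamAssassin (":true" keeps the condition from failing on low scores),
  # then combine its score with the bump inside Exim rather than inside SA.
  warn    spam        = nobody:true
          set acl_m2  = ${eval:$spam_score_int + $acl_m1}

  # Assumed threshold: 5.0 points, expressed in tenths.
  warn    condition   = ${if >{$acl_m2}{50}}
          add_header  = X-Local-Spam-Flag: YES (combined score $acl_m2, tenths)

  accept
```

Because acl_m0 and acl_m1 travel with the message, a router or transport can test them later instead of doing the combination in the ACL.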