Re: [exim] Fake ACCEPT (ahem)

Góra strony
Delete this message
Reply to this message
Autor: Michael Sprague
Data:  
Dla: exim-users
Temat: Re: [exim] Fake ACCEPT (ahem)
On Thu, Aug 23, 2007 at 11:56:20AM +0100, Mike Cardwell wrote:
> Marcin Krol wrote:
>
> >>>> But why would you want to accept and silently discard mail? If the mail
> >>>> contains a virus, don't you think it's better that the sender is told so?
> >>>>
> >>> No! That causes collateral spam! Think faked sender...
> >>>
> >> Not if you're rejecting during the SMTP transaction, which is I think
> >> what was being discussed originally.
> >>
> > Correct, *but the default clamav message saying so is unreadable*.
> > Default clamav reject message is not customizable very much, not enough
> > to make it vary and indicate CLEARLY AND IN BIG LETTERS it was phishing
> > / it was spam (clamav used to filter out only viruses so it was not a
> > problem).
> >
> > So I need to replace it.
> >
> > So I need to blackhole the message myself (do accept, not deny) and
> > generate another message myself and send it during SMTP time with 5xx code.
> >
> > This is complicated, nevertheless, this is an optimum solution which I seek.
>
> You're getting the terminology wrong, which is confusing matters. What
> you *want* to do is reject during SMTP, and send a rejection message
> depending on which signature is matched. You can do this with something
> along these lines:
>
> deny malware = *
>       message = ${if match{$malware_name}\
>                           {\N\.Sanesecurity\.\N}\
>                           {Blocked Phishing attempt}\
>                           {Blocked Virus}\
>                 }

>
> That will return "550 Blocked Phishing attempt" if it's a Sanesecurity
> signature, and "550 Blocked Virus" otherwise. I don't know if the logic
> of: ".Sanesecurity." is phishing and everything else is a virus, is
> correct; but the config snippet is a good representation of what you
> want to do.


I do something similar and parse out the 'type' of malware based on the
$malware_name. Sanesecurity classifies things based on name. The URL
below is the page the explains the different types they use:

http://www.sanesecurity.com/clamav/docs.htm

mikeS

-- 
Michael F. Sprague     | mfs@???
http://www.saneinc.net | System and Network Engineering (SaNE), Inc
Providers of the SpamOnion anti-spam service