Virus Mails Galore!
I’m sure most of you are getting annoyed at these recent virus emails (especially if you aren’t able to use clamav or something similar). Thanks to lcars, I’ve got a crude, simple procmail rule you can use that will catch most of these.
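# Only look at multipart messages that can carry attachments
:0
* ^Content-type: (multipart/mixed|multipart/report)
{
  # Scan the body (B flag) for an attachment with a risky file extension
  :0 B
  * ^Content-Disposition: (attachment|inline)
  * filename=".*\.(ocx|vbs|wsf|shs|exe|com|bat|chm|pif|vbe|hta|scr|zip)"
  {
    # Deliver matching mail to the .viruses/ maildir folder
    :0
    .viruses/
  }
}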
If you still want to get those attachments but just axe these viruses, you can probably add another rule that matches the first line of the attachment. This is far from perfect, but it’s definitely gotten my mailbox under control. Infrastructure is considering getting clamav on our dev box, so look for that in the near future. We’ll only be using it if the load on the box isn’t too bad from it.
Cheers!
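A MIME-aware version of the same extension check, as an added example that is not part of the original post: it uses Python's standard email module to read each part's declared filename instead of matching the raw body, so unquoted filename= values and the Content-Type name= fallback are also caught. The function name risky_attachments and the sample message are constructed for illustration.

```python
import email
import os

# Same extension list as the procmail rule on this page.
RISKY_EXTENSIONS = {"ocx", "vbs", "wsf", "shs", "exe", "com", "bat",
                    "chm", "pif", "vbe", "hta", "scr", "zip"}

def risky_attachments(raw_message: bytes) -> list[str]:
    """Return the declared filenames of MIME parts with a listed extension."""
    msg = email.message_from_bytes(raw_message)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename= and falls back
        # to Content-Type name=, quoted or unquoted.
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces in a file name.
        clean = name.strip().rstrip(". ")
        ext = os.path.splitext(clean)[1].lstrip(".").lower()
        if ext in RISKY_EXTENSIONS:
            hits.append(name)
    return hits

# Constructed sample: body text that only quotes a filename, an unquoted
# filename= value, and a part that declares its name on Content-Type only.
SAMPLE = (
    b"From: a@example.org\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=XX\r\n\r\n"
    b"--XX\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b'The log said filename="old.exe" was blocked.\r\n'
    b"--XX\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Disposition: attachment; filename=Update.PIF\r\n\r\n"
    b"AAAA\r\n"
    b"--XX\r\n"
    b'Content-Type: application/octet-stream; name="notes.scr"\r\n\r\n'
    b"AAAA\r\n"
    b"--XX--\r\n"
)

if __name__ == "__main__":
    print(risky_attachments(SAMPLE))  # ['Update.PIF', 'notes.scr']
```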
May 4th, 2005 at 9:18 am UTC
ClamAV provides a daemon, similar to SpamAssassin’s spamd, that should reduce system load a *little*. I haven’t done any serious tests, but I should guess that just checksumming attached files against a list of viruses is going to be a lot less intensive than, say, the Bayesian analysis of SpamAssassin.
Also, how would you set this up? Done before delivery to mailboxes, or leave it up to the users and let them set it up in their procmailrc or similar?
mail-filter/clamassassin has a USE flag for using clamd that would be perfect for the latter. It provides a spamassassin-like interface for clamav. It’s possible to call clamdscan from procmailrc and use it that way, but it’s a bit of a pain.
May 4th, 2005 at 9:21 am UTC
We’re going to leave this optional as much as we can so you can use procmail to say what you want to do with it. I really haven’t had much experience with clamav yet, but a few of our infra dudes have so we’ll probably try something similar to your approach.
May 6th, 2005 at 8:51 am UTC
Clamav is great, but is a huge resource hog. I highly recommend a distributed setup like
Inbound Mail
^
|-> smtp spooler/clamav/spam assassin
|        |
|        |----------> IMAP+SSL/mailboxes
|        |
|-> smtp spooler/clamav/spam assassin