Re: [Mimedefang] action_drop_with_warning called outside of filter context

Wed, 21 Feb 2018 08:29:16 -0800 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2018/02/21 8:13 AM, saqariden wrote:

> We are running mimedefang with Spamassassin and Clamav to secure
> our mailling server. but actually, i have a probleme with
> mimedefang-filter. the following error appear when a virus is
> detected:
> 
> mimedefang.pl[10245]: w1K87JOB027594: Detected virus 
> PUA.Win.Trojan.EmbeddedPDF-1 mimedefang.pl[10245]: w1K87JOB027594:
> action_drop_with_warning called outside of filter context
> 
> then the attachment was not dropped. here is my filter:
> 
> sub filter_begin { my($entity) = @_; if ($SuspiciousCharsInHeaders)
> { md_graphdefang_log('suspicious_chars'); return action_discard(); 
> } md_copy_orig_msg_to_work_dir_as_mbox_file();
> 
> # Scan for viruses if any virus-scanners are installed my($code,
> $category, $action) = message_contains_virus();
> 
> # Lower level of paranoia - only looks for actual viruses 
> $FoundVirus = ($category eq "virus");
> 
> # Higher level of paranoia - takes care of "suspicious" objects #
> $FoundVirus = ($action eq "quarantine");
> 
> if ($FoundVirus) { md_graphdefang_log('virus', $VirusName,
> $RelayAddr);
> 
> md_syslog('warning', "Detected virus $VirusName"); return
> action_drop_with_warning("An attachment of type $type, named $fname
> was removed from this document as it\nconstituted$ }
> 
> the action discard work correctly but it's not what i'm looking
> for, i want to drop just the infected file and make a warning on
> the email, Please, how can i correct this? thank you.

Please have a look at the mimedefang-filter manpage, paying particular
attention to the "CALLING SEQUENCE" section.  In short, you can't
apply actions to message parts from filter_begin().  Have a look at
filter() and filter_multipart(); you'll have to run the virus scanner
on each message part (which is expensive) and handle the disposition
at that level.

Why do you want to do this at all, though?  There's virtually no
utility to passing virus-containing messages on to recipients even
with their payloads stripped. Consider discarding or rejecting the
entire message instead.

- ----
Nels Lindquist <nli...@maei.ca>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlqNnhAACgkQh6z5POoOLgQOzwCgyXBUAfoZ/2Nxt3nrkaIb8yjK
9ZoAnjBksD7PVdH7XzxWz+EDJ3Ybk3Ax
=3JBC
-----END PGP SIGNATURE-----
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

Reply via email to