On Mon, 2002-05-20 at 17:17, Ed Kasky wrote:
> Could you post that procmail recipe to the list?

I started to, then did not because I have been lazy and took a shortcut
with it that really should be fixed before anyone else uses it. But I'll
post it now with lots of comments added. Maybe someone will post the
right way to do it before I take the time to work it out and my laziness
will pay off :-) Note that Craig's way is a lot simpler, simply adding a
header for the return code from f-prot, 0 if no virus, 3 if a virus,
something else if something else happened during the virus scan. You can
see which pieces of my recipes would do just that.

Near the beginning of .procmailrc I have:

#Virus scanning stuff

# A temp file named with pid of this instance of procmail
# which will be written in the user's mail directory
VIRTEMP=virtempmail.$$

# write a copy of the mail to the temp file because
# f-prot current version doesn't read from stdin
# They say that's a planned feature for the future
:0c
${VIRTEMP}

# run f-prot in quiet mode to get return code
# This test is true if there is no virus found
# and there were no problems during the scan.
# The action shows how to set VIRSCAN to the return code
# and takes care of deleting the temp file
# Craig's recipe just did this part and added a header
# Containing the return code
:0
* ? /usr/local/bin/f-prot -silent ${VIRTEMP}
{
VIRSCAN=`echo $?;rm -f ${VIRTEMP}`
}

# The E flag is an else. Execute this block
# if f-prot returned nonzero code. Note that this
# gets executed if f-prot fails for any reason, not
# just if it finds a virus. A more precise test
# would check the return code for a value of 3 which
# means virus found.
# The temp file has not been deleted yet so I can
# run it through the virus checker one more time with
# output to stdout so I can extract the name of the
# virus in case I want to look at it instead of just
# sending the message to /dev/null
# If I were not lazy I would find a way to get the return code,
# only do the full scan if it is 3, log the virus, and then
# send the message to /dev/null.
# I also would find out from the f-prot people if I can count
# on the name of the virus always appearing after the string
# "Infection: " in f-prot's report output.
#
# Since the extra scan is only done when the first one did not
# signal all ok, I don't worry about the extra processing.

:0E
{
  # This next is all on one line
  VIRSCAN=`/usr/local/bin/f-prot ${VIRTEMP} | sed -n -e "s/^.*Infection: \(.*$\)/\1/p";rm -f ${VIRTEMP}`

 :0fw
 |formail -f -I "X-Virus-Found: ${VIRSCAN}"

}

#End virus scanning stuff

A little later I have a recipe that reflects my personal preferences,
right now, which is to send Klez to /dev/null but to see anything else
that shows up simply because I'm curious and I want to see if anything
is going wrong with this stuff.

I added a rule to SA to make it easy to defang any virus I catch by
scoring a non-empty X-Virus-Found header really high, adding the
following to /etc/mail/spamassassin/local.cf:

 header X_VIRUS_FOUND   X-Virus-Found =~ /\S/
 describe X_VIRUS_FOUND Virus scanner was not happy with this message
 score X_VIRUS_FOUND    100.0

Part of this is that my personal preference is to defang caught spam.
Not everyone likes to configure SA that way.

And here is the other procmail recipe that makes use of that. It does
nothing if there is no virus. Note that my delivery to a virus trap
folder shows that I use Maildir format. If I had mbox format folders the
final delivery would have to be :0: to properly lock it.

:0
* ^X-Virus-Found:
{

  # just kill it if it is klez
  :0
  * ^X-Virus-Found: W32/Klez
  /dev/null

  #filter through spamassassin which should be set to see
  # the virus flag and defang it
  :0fw
  | /usr/bin/spamc

  :0
  .virustrap/

}


 -- sidney



_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
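
The message above leaves open how to capture the scanner's return code, run the full report scan only when that code is 3, and keep scanner failures apart from real detections. The following is an added example, not code from the original post or from f-prot: the scanner path, the -silent flag, exit codes 0 and 3 and the "Infection: " marker are taken from the post, while the function names, the SCANNER override and the output strings are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Scanner path, -silent,
# exit codes 0/3 and the "Infection: " marker come from the post;
# function names and output format are assumptions.
SCANNER="${SCANNER:-/usr/local/bin/f-prot}"

# scan_verdict FILE -> prints "clean", "virus: NAME" or "scan-error: CODE"
scan_verdict() {
    msg=$1
    rc=0
    # Quiet pass first: only the exit status is needed here.
    "$SCANNER" -silent "$msg" >/dev/null 2>&1 || rc=$?
    case $rc in
        0)  echo "clean" ;;
        3)  # Virus found: rescan with report output and keep the first
            # name after "Infection: ". Non-printable bytes are dropped
            # so the value stays a single header line.
            name=$( { "$SCANNER" "$msg" 2>/dev/null || true; } |
                    sed -n '/Infection: /{s/^.*Infection: \(.*\)$/\1/p;q;}' |
                    tr -cd '[:print:]' )
            echo "virus: ${name:-unknown}" ;;
        *)  # Scanner failure (missing binary, unreadable file, ...):
            # report it separately instead of labelling it a virus.
            echo "scan-error: $rc" ;;
    esac
}

# scan_stdin: copy the message on stdin to an unpredictable temp file,
# scan it, and remove the copy afterwards.
scan_stdin() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/virscan.XXXXXX") || {
        echo "scan-error: mktemp"; return 1; }
    cat >"$tmp"
    scan_verdict "$tmp"
    rm -f "$tmp"
}

# Entry point when run as a filter: script --stdin < message
if [ "${1:-}" = "--stdin" ]; then
    scan_stdin
fi
```

Called with --stdin from a procmail backtick assignment, the script receives the message on standard input, so a recipe can branch on whether the result starts with "virus:" or "scan-error:" before deciding what header to add.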
