(I posted David's suggestion to the procmail list, because the topic of
invoking a virus scanner from procmail had come up over there recently as
well. Here is some early feedback. I see an additional opportunity to
streamline the script. My suggestion is prefixed with GF)
From: Scott Wiersdorf <[EMAIL PROTECTED]>
Date: Wed, 11 Feb 2004 16:14:16 -0700
On Wed, Feb 11, 2004 at 02:53:25PM -0800, Gary Funck wrote:
>
> Thanks to Christopher's hint, I wound up with the following in procmailrc,
> which seems to be working:
>
> #======================================================
> # clamav virus scan
> #======================================================
> :0 HB
> VIRUS=|/usr/bin/clamscan --mbox --disable-summary --stdout -
The HB flags apply to conditions, of which you have none. By default
procmail pipes both h and b, so you can remove 'HB':
:0
VIRUS=|/usr/bin/clamscan --mbox --disable-summary --stdout -
GF: Since there are no conditions/tests in that rule, this is
simpler:
VIRUS=`/usr/bin/clamscan --mbox --disable-summary --stdout -`
> :0 Dfw
> * VIRUS ?? ^.*: \/.* FOUND
> | formail -A "X-Virus-Status: yes, $MATCH"
This could be made more efficient with an 'h', and 'D' is probably
unnecessary:
:0 hfw
* VIRUS ?? ^.*: \/.* FOUND
| formail -A "X-Virus-Status: yes, $MATCH"
> :0 Efw
> | formail -A "X-Virus-Status: no"
Same with this one:
:0 E hfw
| formail -A "X-Virus-Status: no"
> Note that I tag infected messages, not dump them immediately, for gathering
> stats. It seems to be catching the test infected messages I sent though just
> fine. I probably need to dump --stdout as well, since it's not acting as a
> filter.
>
> Now -- IF mbox is a problem -- I could just send the BODY through with the
> procmail B flag alone, and not use --mbox, right?
I'm not sure what heuristics clamav uses to decide mime parts, etc. It
may rely on certain MIME headers (though unlikely) to decide how to
parse the message. The best way is to just try it, I guess. Sandbox applies.
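To check the matching and tagging logic of the recipes above without procmail, formail or clamav installed, here is an added POSIX shell emulation; it is not part of the thread, the helper names virus_name, tag_message and scan_and_tag are hypothetical, and the clamscan output lines are constructed.

```shell
#!/bin/sh
# Emulates the two procmail recipes from the thread:
#   * VIRUS ?? ^.*: \/.* FOUND      -> $MATCH is "NAME FOUND"
#   | formail -A "X-Virus-Status: yes, $MATCH"   (else "X-Virus-Status: no")

# Return what procmail would capture in $MATCH: the text after the
# (greedy) last ": " on a line ending in " FOUND". Empty when clean.
virus_name() {
    # $1: clamscan --stdout output, one "file: NAME FOUND" line per hit
    printf '%s\n' "$1" | sed -n 's/^.*: \(.* FOUND\)$/\1/p' | head -n 1
}

# Emulate "formail -A": append a header field at the end of the header
# block (before the first blank line). If the message has no body
# separator at all, the header is appended at the very end instead.
tag_message() {
    # $1: full RFC 822 message text, $2: value for X-Virus-Status
    printf '%s\n' "$1" | awk -v hdr="X-Virus-Status: $2" '
        !done && /^$/ { print hdr; done = 1 }
        { print }
        END { if (!done) print hdr }'
}

# Combine both: tag "yes, NAME FOUND" on a hit, otherwise "no".
scan_and_tag() {
    # $1: message, $2: clamscan output for it (constructed here; a real
    # setup pipes the message into clamscan and captures its stdout)
    name=$(virus_name "$2")
    if [ -n "$name" ]; then
        tag_message "$1" "yes, $name"
    else
        tag_message "$1" "no"
    fi
}

# Constructed sample data (not from the thread).
CLEAN_SCAN='stream: OK'
INFECTED_SCAN='stream: Eicar-Test-Signature FOUND'
MSG='From: alice@example.com
To: bob@example.com
Subject: test

hello'

# Usage: scan_and_tag "$MSG" "$INFECTED_SCAN"
```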