Michael Sprague wrote:
> On Thu, Aug 23, 2007 at 11:56:20AM +0100, Mike Cardwell wrote:
>
>> Marcin Krol wrote:
>>
>>
>>>>>> But why would you want to accept and silently discard mail? If the mail
>>>>>> contains a virus, don't you think it's better that the sender is told so?
>>>>>>
>>>>>>
>>>>> No! That causes collateral spam! Think faked sender...
>>>>>
>>>>>
>>>> Not if you're rejecting during the SMTP transaction, which is I think
>>>> what was being discussed originally.
>>>>
>>>>
>>> Correct, *but the default clamav message saying so is unreadable*.
>>> Default clamav reject message is not customizable very much, not enough
>>> to make it vary and indicate CLEARLY AND IN BIG LETTERS it was phishing
>>> / it was spam (clamav used to filter out only viruses so it was not a
>>> problem).
>>>
>>> So I need to replace it.
>>>
>>> So I need to blackhole the message myself (do accept, not deny) and
>>> generate another message myself and send it during SMTP time with 5xx code.
>>>
>>> This is complicated, nevertheless, this is an optimum solution which I seek.
>>>
>> You're getting the terminology wrong, which is confusing matters. What
>> you *want* to do is reject during SMTP, and send a rejection message
>> depending on which signature is matched. You can do this with something
>> along these lines:
>>
>> deny malware = *
>> message = ${if match{$malware_name}\
>> {\N\.Sanesecurity\.\N}\
>> {Blocked Phishing attempt}\
>> {Blocked Virus}\
>> }
>>
>> That will return "550 Blocked Phishing attempt" if it's a Sanesecurity
>> signature, and "550 Blocked Virus" otherwise. I don't know if the logic
>> of: ".Sanesecurity." is phishing and everything else is a virus, is
>> correct; but the config snippet is a good representation of what you
>> want to do.
>>
>
> I do something similar and parse out the 'type' of malware based on the
> $malware_name. Sanesecurity classifies things based on name. The URL
> below is the page the explains the different types they use:
>
> http://www.sanesecurity.com/clamav/docs.htm
>
> mikeS
>
>
You know - one could take that list and do a lookup to grab the right
error ......
hmmmmmmmm
