[KLUG Members] Mail scanners for linux.
Bert Obbink
members@kalamazoolinux.org
Mon, 29 Oct 2001 14:47:27 +0100
Adam_Bultman@gmx.net wrote:
>Has anyone here had any good or bad experience with mail virus scanners for
>linux? I'd like to set up mail scanning on my linux mail server, and I want
>to hear from people who have set it up, and have had experience with it.
>I've come across a few viruses in emails, and I'd like to clear them out before
>unsuspecting users get them.
>
>adam
>
We use amavis as well. But that brings me to a message I sent in earlier
and nobody seems to have noticed :-) yet. Amavis does its scanning by
unpacking the received mail in a temporary directory. However, many
mails to the M$ clients are packed these days with winace. Amavis is not
able to unpack these mails and therefore unable to scan their contents.
Output generated by the `file` command recognizes a winaced file as a
file containing raw data, so no effort is taken to unpack it.
I have already edited my /etc/magic so it recognizes winaced files. An
OSS unpacker for winaced files is available under the name unace. It does
*NOT* unpack winaced v2.x files.
I have rewritten a large portion of amavis to do additional scanning. So
I block any file that appears to be an executable, including dll and
other M$ files like sys et cetera. It simply looks at what `file` says
about what kind of file it is. I look at the contents and not at the
extension to be ahead of some smart guys here who thought that renaming a
file was enough to let it pass the mail scanner... Unfortunately I have
no response yet to binary editors used to change the first two bytes.
Maybe I should just block anything that is not distinguishable as some
ordinary type of file. Plain data files should have no value at all.
I am working on a new script based upon the amavis scripts, but now
written in perl. Of course it will have unace support built in.
Who has an unace program to share that does winace v2.x ???
Bert.
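
An added example, not part of the original message and not Bert's script or amavis code: a content-based attachment policy in Python that ignores file names, refuses archives it has no unpacker for, and denies unidentified data by default, so an executable with its first two bytes edited is still stopped. The signature table, labels and sample attachments are constructed for illustration; the ACE marker position (`**ACE**` at offset 7) is taken from the ACE format, not from the message.

```python
# Added illustration; signature table is hand-picked, not taken from /etc/magic.
SIGNATURES = [            # (offset, magic bytes, label)
    (0, b"MZ", "dos-pe-executable"),
    (0, b"\x7fELF", "elf-executable"),
    (7, b"**ACE**", "ace-archive"),     # ACE marker sits at offset 7
    (0, b"PK\x03\x04", "zip-archive"),
    (0, b"\xff\xd8\xff", "jpeg"),
    (0, b"GIF8", "gif"),
    (0, b"%PDF-", "pdf"),
]
EXECUTABLE = {"dos-pe-executable", "elf-executable"}
ARCHIVE = {"ace-archive", "zip-archive"}
ALLOWED = {"jpeg", "gif", "pdf", "text"}


def identify(data: bytes) -> str:
    """Label content by its bytes only; the file name is never consulted."""
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    head = data[:4096]
    if head and all(b in b"\t\n\r" or 0x20 <= b < 0x7f or b >= 0x80 for b in head):
        return "text"
    return "data"     # what `file` reports for anything it cannot place


def decide(data: bytes, unpackers=frozenset({"zip-archive"})) -> tuple:
    """Return (verdict, label); verdict is 'allow', 'unpack' or 'block'."""
    label = identify(data)
    if label in EXECUTABLE:
        return "block", label
    if label in ARCHIVE:
        # An archive nobody can open cannot be scanned, so it must not pass.
        return ("unpack" if label in unpackers else "block"), label
    if label in ALLOWED:
        return "allow", label
    return "block", label   # default deny: unidentified data is refused


# Constructed sample attachments (name, content).
SAMPLES = [
    ("holiday.jpg", b"MZ\x90\x00" + bytes(60)),            # renamed executable
    ("holiday.jpg", b"ZZ\x90\x00" + bytes(60)),            # first two bytes edited
    ("docs.ace", bytes(7) + b"**ACE**" + bytes(20)),
    ("note.txt", b"Hello,\r\nsee attached.\r\n"),
]

if __name__ == "__main__":
    for name, content in SAMPLES:
        print(name, decide(content))
```
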