[KLUG Members] Mail scanners for linux.

Bert Obbink members@kalamazoolinux.org
Mon, 29 Oct 2001 14:47:27 +0100


Adam_Bultman@gmx.net wrote:

>Has anyone here had any good or bad experience with mail virus scanners for
>linux?  I'd like to set up mail scanning on my linux mail server, and I want
>to hear from people who have set it up, and have had experience with it. 
>I've come across a few viruses in emails, and I'd like to clear them out before
>unsuspecting users get them.
>
>adam
>
We use amavis as well. But that brings me to a message I sent in earlier 
and nobody seems to have noticed :-) yet. Amavis does its scanning by 
unpacking the received mail in a temporary directory. However, much 
mail to the M$ clients is packed these days with winace. Amavis is not 
able to unpack these mails and is therefore unable to scan their contents. 
Output generated by the `file` command recognizes a winaced file as a 
file containing raw data, so no effort is made to unpack it.

I have already edited my /etc/magic so it recognizes winaced files. An 
OSS unpacker for winaced files is available under the name unace. It does 
*NOT* unpack winaced v2.x files.

I have rewritten a large portion of amavis to do additional scanning. So 
I block any file that appears to be an executable, including dll and 
other M$ files like sys et cetera. It simply looks at what `file` says 
the kind of file is. I look at the contents and not at the 
extension to be ahead of some smart guys here who thought that renaming a 
file was enough to let it pass the mail scanner... Unfortunately I have 
no response yet to binary editors used to change the first two bytes. 
Maybe I just should block anything that is not distinguishable as some 
ordinary type of file. Plain data files should have no value at all.


I am working on a new script based upon the amavis scripts, but now 
written in perl. Of course it will have unace support built in.

Who has an unace program to share that does winace v2.x ???


Bert.
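The content-based check Bert describes (type the attachment by what `file` sees, not by its name, and treat undistinguishable raw data as suspect) as an added example; this is not code from the post or from amavis. The magic values are the documented MZ/PE, ACE and ZIP signatures; the sample attachments are constructed.

```python
# Added example, not code from the original post or from amavis: classify a mail
# attachment by its leading bytes, as the post does with `file`, and apply the
# policy it describes. Sample attachments below are constructed, not real files.

def classify_attachment(data: bytes) -> str:
    """Return a coarse type label derived from content only; the name is ignored."""
    # DOS/Windows executables (.exe, .dll, .sys, .scr, ...) all begin with "MZ".
    if data[:2] == b"MZ":
        # For a PE file, e_lfanew at offset 0x3C points at the "PE\0\0" signature.
        if len(data) >= 0x40:
            pe_off = int.from_bytes(data[0x3C:0x40], "little")
            if data[pe_off:pe_off + 4] == b"PE\0\0":
                return "pe-executable"
        return "dos-executable"
    # WinAce archives carry the marker "**ACE**" at offset 7 of the main header.
    if data[7:14] == b"**ACE**":
        return "ace-archive"
    if data[:4] == b"PK\x03\x04":
        return "zip-archive"
    # Printable ASCII plus ordinary whitespace is treated as plain text.
    if data and all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return "text"
    return "unknown"  # what `file` would report as plain "data"

def decide(data: bytes) -> str:
    """Post's policy: block executables by content, unpack archives, block unknown raw data."""
    kind = classify_attachment(data)
    if kind in ("dos-executable", "pe-executable") or kind == "unknown":
        return "block"
    if kind.endswith("-archive"):
        return "unpack-and-scan"
    return "allow"

def constructed_pe() -> bytes:
    """A minimal constructed MZ/PE header, not a real program."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20

if __name__ == "__main__":
    pe = constructed_pe()
    samples = {
        "report.txt (really an executable, renamed)": pe,
        "patched.exe (first two bytes overwritten)": b"XX" + pe[2:],
        "update.ace": b"\0" * 7 + b"**ACE**" + b"\0" * 16,
        "notes.txt": b"Meeting moved to Tuesday.\r\n",
    }
    for name, blob in samples.items():
        print(f"{name:48} {classify_attachment(blob):15} -> {decide(blob)}")
```

The renamed executable is still blocked because only content is inspected; the copy with its first two bytes overwritten falls through to "unknown", which the post's stricter "block anything not distinguishable" rule catches.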