Silent Virus & Notify Senders

Julian Field mailscanner at ecs.soton.ac.uk
Sat Aug 2 18:28:19 IST 2003


Quoting Stijn Jonker <SJCJonker at SJC.NL>:
> I'm trying to fine tune the virus reporting to the senders of email,
>
> Initially I had an rule where for all local domains reporting was on,
> and the default was off.
>
> Recently people have tried to transfer exe files; they were legit, as
> they were updates from the official vendor of a piece of software.
> (This user isn't very technical, so it was sent as a self-executing zip
> archive).
>
> MailScanner nicely intercepted the email, but of course didn't notify
> the sender, as the rules dictate.
>
> I'm looking for a way to do sender notification as mentioned below:
>
> Disallowed filename && !Virus   yes
> Disallowed filetype && !Virus   yes
> Virus                           no
> HTML-Form                       yes
> HTML-Codebase                   no
> HTML-IFrame                     yes
>
> If this isn't possible with the current code, maybe an option for silent
> viruses in the area of:
>
> Silent Viruses = HTML-Codebase ALLViruses

The "HTML-Codebase" in that line already works, I've done that.
The "ALLViruses" doesn't work yet, but should be pretty easy to implement. I
probably won't call it exactly that, but something close to that
("All-Viruses" perhaps).

Please try the attached patch to /usr/lib/MailScanner/MailScanner/SweepViruses.pm,
as it should do what you want. The magic keyword is indeed "All-Viruses" (but it
doesn't matter about upper/lower case).

>
> If the above change is required, I'll dive into the perl code, and see
> if I can manage to make a patch to do this..
>
> Julian, are you willing to add this, when and if I provide the patch?

--
Jules
jkf at ecs.soton.ac.uk
mailscanner at ecs.soton.ac.uk
-------------- next part --------------
--- SweepViruses.pm	2003-06-01 12:34:20.000000000 +0100
+++ SweepViruses.pm.new	2003-08-02 18:24:30.000000000 +0100
@@ -490,18 +490,36 @@
 # Merge all the virus reports and types into the properties of the
 # messages in the batch. Doing this separately saves me changing
 # the code of all the parsers to support the new OO structure.
+# If we have at least 1 report for a message, and the "silent viruses" list
+# includes the special keyword "All-Viruses" then mark the message as silent
+# right now.
 sub MergeReports {
   my($Reports, $Types, $batch) = @_;
 
   my($id, $reports, $attachment, $text);
+  my($cachedid, $cachedsilentflag);
 
   # Let's do all the reports first...
+  $cachedid = 'uninitialised';
   while (($id, $reports) = each %$Reports) {
     #print STDERR "Report merging for \"$id\" and \"$reports\"\n";
     next unless $id && $reports;
     my $message = $batch->{messages}{"$id"};
     #print STDERR "Message is $message\n";
     $message->{virusinfected} = 1;
+
+    # If the cached message id matches the current one, we are working on
+    # the same message as last time, so don't re-fetch the silent viruses
+    # list for this message.
+    if ($cachedid ne $id) {
+      my $silentlist = ' ' . MailScanner::Config::Value('silentviruses',
+                       $message) . ' ';
+      $cachedsilentflag = ($silentlist =~ / all-viruses /i)?1:0;
+      $cachedid = $id;
+    }
+    # We can't be here unless there was a virus report for this message
+    $message->{silent} = 1 if $cachedsilentflag;
+
     while (($attachment, $text) = each %$reports) {
       #print STDERR "\tattachment \"$attachment\" has text \"$text\"\n";
       next unless $text;
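Review bot: the `$cachedid`/`$cachedsilentflag` cache in this hunk never gets a hit, because `each %$Reports` returns every message id exactly once, so `if ($cachedid ne $id)` is true on every iteration and the config lookup runs for every message anyway. The flag can be computed unconditionally right after `$message->{virusinfected} = 1;`, which lets the `my($cachedid, $cachedsilentflag);` declaration and the `$cachedid = 'uninitialised';` line go away and keeps the intent (one `MailScanner::Config::Value('silentviruses', $message)` call per message) without the misleading caching comment. The space-padded, case-insensitive `/ all-viruses /i` match itself is fine: it matches the keyword only as a whole token, which is what the reply text promises.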

