(change request) Infected message <foo> came from <bar>

mikea mikea at MIKEA.ATH.CX
Tue Dec 2 22:14:03 GMT 2003

ClamAV gives me the following for each hit:

(stuff deleted) Virus Scanning: ClamAV found 1 infections
(stuff deleted) Infected message hB2LXjks045635 came from

which is well and good, as far as that goes: I got an infected message
in the inbound mail, and ClamAV told MailScanner to quarantine it. I
_love_ that.

But my MailScanner box is fed by our firewall's SMTP proxy, rather
than seeing the other end of the SMTP conversation directly, and so
the offending IP number always is the same, and I don't get to see
who the real offender is.

Is there a handle that can be tweaked to run backwards down the chain
of "Received:" headers, or the IP addresses in them, at this point? I
see that the message is generated in MergeReports, which is called by
ScanBatch after all the AV scanners have run, but I haven't dug deep
enough into the code to see what handles are available at this time.
I really need to go one "Received:" header back in the chain, to the
one that set up the SMTP session with our SMTP proxy.

If possible, I'd _love_ to see something like
: Infected message hB2LXjks045635 came from
:                         which got it from
:                         which got it from
:                         which got it from
all the way back through all the "Received:" headers, but I can see
how that might be _very_ difficult.

<fx type="singing", text_nature="praises">

Oh, and I updated to MailScanner-4.25-13 today. It Just Works. But
I've been saying that about MailScanner all along.

Thanks for a great product, Julian!

Mike Andrews
mikea at mikea.ath.cx
Tired old sysadmin

More information about the MailScanner mailing list