(change request) Infected message <foo> came from <bar>

mikea mikea at MIKEA.ATH.CX
Tue Dec 2 22:14:03 GMT 2003


ClamAV gives me the following for each hit:

(stuff deleted) Virus Scanning: ClamAV found 1 infections
(stuff deleted) Infected message hB2LXjks045635 came from 192.149.244.18

which is well and good, as far as that goes: I got an infected message
in the inbound mail, and ClamAV told MailScanner to quarantine it. I
_love_ that.

But my MailScanner box is fed by our firewall's SMTP proxy, rather
than seeing the other end of the SMTP conversation directly, and so
the offending IP number always is the same, and I don't get to see
who the real offender is.

Is there a handle that can be tweaked to run backwards down the chain
of "Received:" headers, or the IP addresses in them, at this point? I
see that the message is generated in MergeReports, which is called by
ScanBatch after all the AV scanners have run, but I haven't dug deep
enough into the code to see what handles are available at this time.
I really need to go one "Received:" header back in the chain, to the
one that set up the SMTP session with our SMTP proxy.

If possible, I'd _love_ to see something like
: Infected message hB2LXjks045635 came from 192.149.244.18
:                         which got it from 12.24.199.207
:                         which got it from 42.140.77.222
:                         which got it from 24.12.44.139
all the way back through all the "Received:" headers, but I can see
how that might be _very_ difficult.

<fx type="singing", text_nature="praises">

Oh, and I updated to MailScanner-4.25-13 today. It Just Works. But
I've been saying that about MailScanner all along.

Thanks for a great product, Julian!

--
Mike Andrews
mikea at mikea.ath.cx
Tired old sysadmin



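Walking the chain of "Received:" headers as the post describes, as an added example that is not from the original post or from MailScanner: it parses a constructed message (hostnames are made up; the IPs reuse the post's own illustrative values) and reports the hops in the requested layout. The one check that matters for attribution is which hop is the first one outside the hosts you control, since every older "Received:" line was written by the sender's side and can say anything.

```python
import email
import re

# Constructed sample, not from the original post: each hop prepends its
# own Received: line, so the first is the newest (our own box receiving
# from the firewall proxy) and later ones are progressively older.
SAMPLE_MESSAGE = """\
Received: from fw-proxy.example.net (fw-proxy.example.net [192.149.244.18])
\tby mailscanner.example.net (8.12.10/8.12.10) with ESMTP id hB2LXjks045635;
\tTue, 2 Dec 2003 16:10:01 -0600
Received: from relay.example.org (relay.example.org [12.24.199.207])
\tby fw-proxy.example.net with ESMTP; Tue, 2 Dec 2003 16:09:55 -0600
Received: from pc-42-140-77-222.example.com ([42.140.77.222])
\tby relay.example.org with SMTP; Tue, 2 Dec 2003 16:09:40 -0600
From: someone@example.org

body
"""

# The "from" clause normally carries the connecting peer's IP in brackets.
FROM_IP = re.compile(r"\bfrom\b.*?\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]", re.DOTALL)


def received_ip_chain(raw_message):
    """Return peer IPs from the newest Received: header back to the oldest."""
    msg = email.message_from_string(raw_message)
    chain = []
    for header in msg.get_all("Received", []):
        match = FROM_IP.search(header)
        if match:
            chain.append(match.group(1))
    return chain


def first_untrusted_hop(chain, trusted):
    """First IP not belonging to our own relays/proxies; only Received:
    lines written by hosts we control are reliable, older ones may be forged."""
    for ip in chain:
        if ip not in trusted:
            return ip
    return None


def format_report(message_id, chain):
    """Render the chain in the layout the post asks for."""
    lines = [f"Infected message {message_id} came from {chain[0]}"]
    lines += [" " * 25 + f"which got it from {ip}" for ip in chain[1:]]
    return "\n".join(lines)
```

With the proxy's address in the trusted set, `first_untrusted_hop` returns the peer that actually opened the SMTP session with the proxy, which is the one hop back the post wants.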