Development info?

Alex Broens ms-list at alexb.ch
Mon Aug 25 08:02:22 IST 2008


On 8/25/2008 12:33 AM, Hugo van der Kooij wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Alex Broens wrote:
>> On 8/24/2008 9:47 PM, Hugo van der Kooij wrote:
>>>> SpamAssassin Rule Actions =
>>>> TRAP_LINK_EXEC=>store-/var/spool/MailScanner/evidence
>>> That will store the URL but by the time I can look at that URL to fetch
>>> the file the infected system might be cleaned out already. So I need to
>>> automate this a bit further.
>> Seems to me you want to do too much within MailScanner...
>>
>> I'd forward the msg with the malware URI to a separate account, process
>> that account with procmail/ripmime/snersoft's "URI" tool/GET and bingo
>> you have the malware to do whatever you want with it and you're very
>> flexible.
> 
> Sounds nice. But most messages never make it as far as procmail. Most are
> shot down by a significant amount of SA points.

I assume this could be avoided if you use an SA rule to catch the
executables, shortcircuit that (to save on SA processing), and set an MS
action to forward those msgs to your processing account; procmail will
see them. Would that work?

Alex


