Alternative to ClamAV in Exim?

OliverScott

Is there an easy way to make exim use a different email package other than ClamAV? For instance the freeware linux AV from panda:

http://www.pandasoftware.com/download/linux/linux.asp

Reason for doing this is that I want to stop viruses at SMTP in exim, but run ClamAV as part of the SpamAssassin process so that I can use some 3rd party ClamAV databases aimed at catching SPAM...
 
You can use ClamAV at SMTP time, just insert the proper code to check_message: in /etc/exim.conf
 

However if I have a set of ClamAV signatures in place to catch some phishing and image spam, such as those available from www.sanesecurity.co.uk, then all the email that these signatures detect will be rejected at SMTP time.

I would rather have another AV package scan the email for viruses and reject at SMTP, so that I can then use ClamAV to carry out a scan using these SPAM signatures as part of the SpamAssassin process so that they are not rejected outright...
 
You can certainly use exim in conjunction with other Anti Virus systems; since Anti Virus isn't part of DirectAdmin this probably isn't the best place to get ideas.

Jeff
 

I just have to pitch in and say I just tested this http://www.sanesecurity.co.uk/clamav/usage.htm and it is indeed easy to set up.

I used "Script No. 3 (Gerard Seibert)"... modified the paths to conform to my system, and set it for cron update every 4 hours.

If I am already checking for viruses, this should relieve some of the work for Spamassassin.

I sent the test signatures to myself via gmail, and they were duly rejected.

Mail Delivery Subsystem <[email protected]>
to me

This is an automatically generated Delivery Status Notification

Delivery to the following recipient failed permanently:

email@********.com

Technical details of permanent failure:
PERM_FAILURE: SMTP Error (state 16): 550-This message contains a virus or other harmful content
550 (Html.Scam.Sanesecurity.TestSig)

Mail Delivery Subsystem <[email protected]>
to me
.
.
.

This is an automatically generated Delivery Status Notification

Delivery to the following recipient failed permanently:

email@********.com

Technical details of permanent failure:
PERM_FAILURE: SMTP Error (state 16): 550-This message contains a virus or other harmful content
550 (Html.Phishing.Sanesecurity.TestSig)

I will be monitoring my logs for these "virus" signatures and report some more.

This seems like a very nice addition to the arsenal.

Edit:

Just a few minutes into this...

2007-07-15 12:27:06 1IA6vo-0002We-W1 H=adsl196-132-93-217-196.adsl196-11.iam.net.ma [196.217.93.132] F=<handpropertiesm@*****.com> rejected after DATA: This message contains a virus or other harmful content (Email.Spam.Gen595.Sanesecurity.07052401)
2007-07-15 12:35:06 1IA73q-0002be-7P H=(gzsn) [212.14.53.1] F=<nusd@*****.com.ar> rejected after DATA: This message contains a virus or other harmful content (Email.Stk.Gen580.Sanesecurity.07071502.pdf)
2007-07-15 12:38:38 1IA77B-0002eT-E5 H=0x50a44bf2.arcnxx8.adsl-dhcp.tele.dk [80.164.75.242] F=<tellingpinioning@******.co.jp> rejected after DATA: This message contains a virus or other harmful content (Email.Hdr.Sanesecurity.07012400)
2007-07-15 12:39:02 1IA77d-0002fM-SE H=dslb-084-057-235-134.pools.arcor-ip.net [84.57.235.134] F=<vlwu@******.com> rejected after DATA: This message contains a virus or other harmful content (Email.Dipl.Gen034.Sanesecurity.07070500)
 
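As an added example (not from the thread), a short Python script that parses exim mainlog lines in the format quoted above and tallies the AV rejections by which signature set caught them; the log lines inside it are constructed, with placeholder hosts, addresses and message ids.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the exim mainlog entries quoted above.
# Hosts, addresses and message ids are placeholders; the last line is an ordinary
# delivery record so the parser has something to skip.
SAMPLE_LOG = """\
2007-07-15 12:27:06 1IA6vo-0002We-W1 H=host-a.example.net [192.0.2.10] F=<a@example.com> rejected after DATA: This message contains a virus or other harmful content (Email.Spam.Gen595.Sanesecurity.07052401)
2007-07-15 12:35:06 1IA73q-0002be-7P H=(gzsn) [192.0.2.11] F=<b@example.net> rejected after DATA: This message contains a virus or other harmful content (Email.Stk.Gen580.Sanesecurity.07071502.pdf)
2007-07-15 12:38:38 1IA77B-0002eT-E5 H=host-c.example.net [192.0.2.12] F=<c@example.org> rejected after DATA: This message contains a virus or other harmful content (Html.Phishing.Sanesecurity.TestSig)
2007-07-15 12:39:02 1IA77d-0002fM-SE H=host-d.example.net [192.0.2.13] F=<d@example.com> rejected after DATA: This message contains a virus or other harmful content (Worm.Example.Test)
2007-07-15 12:40:00 1IA78a-0002gA-Ab => user <user@example.com> R=localuser T=local_delivery
"""

# One exim reject line: timestamp, message id, H=<helo or host> [ip], F=<sender>, reason, (signature).
REJECT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) H=(?P<host>.*?) \[(?P<ip>[^\]]+)\] F=<(?P<sender>[^>]*)> "
    r"rejected after DATA: This message contains a virus or other harmful content \((?P<sig>[^)]+)\)$"
)

def parse_rejects(log_text):
    """Return one dict per AV rejection; deliveries and other reject reasons are skipped."""
    return [m.groupdict() for m in map(REJECT_RE.match, log_text.splitlines()) if m]

def signature_source(sig):
    """Attribute a signature to its publisher: Sanesecurity names carry the publisher in the name."""
    return "sanesecurity" if "Sanesecurity" in sig else "clamav-default"

def tally(log_text):
    """Count AV rejections per signature source, to see what the extra database adds over stock ClamAV."""
    return Counter(signature_source(r["sig"]) for r in parse_rejects(log_text))

if __name__ == "__main__":
    for r in parse_rejects(SAMPLE_LOG):
        print(r["ts"], r["ip"], r["sender"], r["sig"])
    print(dict(tally(SAMPLE_LOG)))
```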
I have found SaneSecurity definitions to be VERY good - they hit about 60% of my SPAM which is incredible given that they only match exact results (they are not fuzzy). However this high percentage may be because I am based in the UK as is the author of the sanesecurity definitions. Also they tend to hit already high scoring spam so they aren't a miracle spam fighting measure though they are good.

My biggest concern was over possible false positives given that there is only one person working on these definitions unlike the official ClamAV signatures...

However I have yet to have any problems with them in the month that I have been using them.

There are also two other sets of ClamAV signatures which I am now testing (though these are not as good IMHO):

http://www.malware.com.br/ (various formats including ClamAV)
http://www.msrbl.com/site/ (ClamAV as well as RBLs)

As a solution to my concerns over false positives I have changed from virus scanning in Exim and have moved to using the ClamAV SpamAssassin plugin:

http://wiki.apache.org/spamassassin/ClamAVPlugin

Rather than using the standard clamav.cf I have written my own which gives different scores depending on what ClamAV signature found something:

loadplugin ClamAV clamav.pm
full CLAMAV eval:check_clamav()
describe CLAMAV Clam AntiVirus detected something...
score CLAMAV 0.001

# Look for specific types of ClamAV detections
header __CLAMAV_PHISH X-Spam-Virus =~ /Yes.{1,20}Phishing/i
header __CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,20}Sanesecurity/i
header __CLAMAV_MBL X-Spam-Virus =~ /Yes.{1,20}MBL/
header __CLAMAV_MSRBL X-Spam-Virus =~ /Yes.{1,20}MSRBL/

# Give the above rules a very late priority so that they can see the output
# of previous rules - otherwise they don't work!
priority __CLAMAV_PHISH 9999
priority __CLAMAV_SANE 9999
priority __CLAMAV_MBL 9999
priority __CLAMAV_MSRBL 9999

# Work out what ClamAV detected and score accordingly
meta CLAMAV_VIRUS (CLAMAV && !__CLAMAV_PHISH && !__CLAMAV_SANE && !__CLAMAV_MBL && !__CLAMAV_MSRBL)
describe CLAMAV_VIRUS Virus found by ClamAV default signatures
score CLAMAV_VIRUS 20.0

meta CLAMAV_PHISH (CLAMAV && __CLAMAV_PHISH && !__CLAMAV_SANE)
describe CLAMAV_PHISH Phishing email found by ClamAV default signatures
score CLAMAV_PHISH 10.0

meta CLAMAV_SANE (CLAMAV && __CLAMAV_SANE)
describe CLAMAV_SANE SPAM found by ClamAV SaneSecurity signatures
score CLAMAV_SANE 7.5

meta CLAMAV_MBL (CLAMAV && __CLAMAV_MBL)
describe CLAMAV_MBL Malware found by ClamAV MBL signatures
score CLAMAV_MBL 7.5

meta CLAMAV_MSRBL (CLAMAV && __CLAMAV_MSRBL)
describe CLAMAV_MSRBL SPAM found by ClamAV MSRBL signatures
score CLAMAV_MSRBL 2.0
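An added example, not part of the posted configuration, that re-implements the header and meta rules above in Python so their interaction can be checked offline; it assumes the plugin reports a hit as an X-Spam-Virus value of the form Yes (signature), which is what the __CLAMAV_* rules match against.

```python
import re

# Assumption: the ClamAV plugin leaves the X-Spam-Virus header value as "Yes (signature)";
# these are the same patterns as the __CLAMAV_* header rules, including the .{1,20} window.
FAMILY_RE = {
    "PHISH": re.compile(r"Yes.{1,20}Phishing", re.I),
    "SANE":  re.compile(r"Yes.{1,20}Sanesecurity", re.I),
    "MBL":   re.compile(r"Yes.{1,20}MBL"),
    "MSRBL": re.compile(r"Yes.{1,20}MSRBL"),
}

# The meta rules and scores from the posted clamav.cf as (name, score, condition on the hits).
META_RULES = [
    ("CLAMAV_VIRUS", 20.0, lambda h: not (h["PHISH"] or h["SANE"] or h["MBL"] or h["MSRBL"])),
    ("CLAMAV_PHISH", 10.0, lambda h: h["PHISH"] and not h["SANE"]),
    ("CLAMAV_SANE",   7.5, lambda h: h["SANE"]),
    ("CLAMAV_MBL",    7.5, lambda h: h["MBL"]),
    ("CLAMAV_MSRBL",  2.0, lambda h: h["MSRBL"]),
]

def evaluate(header_value):
    """Return (rules fired, total score) for one X-Spam-Virus value, including the 0.001 base CLAMAV hit."""
    hits = {name: bool(rx.search(header_value)) for name, rx in FAMILY_RE.items()}
    fired = [name for name, _, cond in META_RULES if cond(hits)]
    total = 0.001 + sum(score for _, score, cond in META_RULES if cond(hits))
    return fired, round(total, 3)

def score_signature(sig):
    """Score a bare ClamAV signature name as the plugin would report it in the header."""
    return evaluate("Yes (%s)" % sig)

if __name__ == "__main__":
    for sig in ("Html.Phishing.Sanesecurity.TestSig",      # both keywords: only CLAMAV_SANE fires
                "Email.Spam.Gen595.Sanesecurity.07052401",  # 'Sanesecurity' sits exactly 20 chars after 'Yes'
                "Email.Spam.Gen12345.Sanesecurity.x",       # constructed: prefix too long, scored as a virus
                "Phishing.MBL.Example",                     # constructed: two non-exclusive meta rules fire
                "Worm.Example.Test"):
        print(sig, score_signature(sig))
```

Because the __CLAMAV_* rules only look within 20 characters after Yes, a Sanesecurity signature with a longer prefix (the constructed Email.Spam.Gen12345.Sanesecurity.x) falls through to CLAMAV_VIRUS and collects 20 points, and since the meta rules are not mutually exclusive a name matching both Phishing and MBL is scored by both.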
 
It's interesting that the developer of the Sanesecurity signatures feeds HIS signatures to Internet Defence Phishery... which in turn feeds Clamav's team. And I see he writes phishing signatures directly for the Clamav team as well.

This is one hard working dude!

Since I use Clamav from Exim, I don't think I'll be using your configuration file, but thanks for sharing! Some other people might find it very useful. It certainly looks good.

Let us know how it works out with the other signatures. I'd like to try them.
 