Exim and clamd - virus notifications

vancocom (Verified User, joined Jul 12, 2007, 30 messages)
I've gotten clamd set up and working with Exim. I ran a set of tests sending me test/fake viruses and other threats, and the system properly cleaned them out.

The issue I'm concerned about is that the system doesn't notify the user that a virus has been scrubbed from the e-mail. Normally this might not be a problem, but if there is a false positive I'll be getting calls asking me where their attachment went.

Is there any way to have exim insert a message into the e-mail when an attachment is removed due to suspicion of including a virus? I've been searching for this but have not found an answer.

Thanks!
 
If you implement ClamAV the way I've implemented it in SpamBlocker Version 3-beta then it's part of an ACL, and any email with a virus in it will be refused on receipt. Which means the mailserver sending the virus is responsible for notifying the original sender that the email couldn't be delivered.

I haven't seen a false positive in years, but I guess it could happen. If it happens using the method I've built, then the sender will get a notice that the email was undeliverable because it contained a virus.

To see how and where I've implemented ClamAV, see the link above and search for ClamAV in my file.

Jeff
 
Thanks Jeff, you're always a great help. I'll check your docs and see how you set things up.

My tests cleaned the attachment and let the e-mail through, and from what you say this may not be the best method.

I'll try to post again once I've had a chance to check things over.
 
The only line in your exim.conf ACL that's missing in mine is the one where you can exclude virus checking for domains in a certain file:

accept condition =${if and {{def:acl_m0}{def:acl_m0}} {true}{false}}

Perhaps I was misinterpreting the logs I was reading. I now believe that the below log entry shows that the email was rejected instead of cleaned as I had originally thought.

... rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
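
One way to confirm from the Exim main log that infected mail was refused at SMTP time and never delivered, and to see which senders and signatures were involved if a false-positive call comes in. This is an added example, not part of the original thread: the log lines, hosts, message IDs and addresses are constructed, and only the rejection wording and the GFI.VBS.Test name come from the entry quoted above.

```python
import re
from collections import Counter

# Constructed sample in Exim mainlog style; hosts, IDs and addresses are made up.
SAMPLE_LOG = """\
2007-07-12 10:15:02 1I8xYz-0003Ab-7Q H=mail.example.org [192.0.2.10] F=<alice@example.org> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2007-07-12 10:16:40 1I8xZa-0003Bc-9R <= bob@example.net H=mx.example.net [198.51.100.7] P=esmtp S=2048
2007-07-12 10:16:41 1I8xZa-0003Bc-9R => carol <carol@example.com> R=virtual_user T=virtual_localdelivery
2007-07-12 10:20:13 1I8xZb-0003Cd-1S H=relay.example.org [192.0.2.44] F=<dave@example.org> rejected after DATA: This message contains a virus or other harmful content (Eicar-Test-Signature)
2007-07-12 10:21:00 H=host.example.org [192.0.2.99] F=<eve@example.org> rejected RCPT <nobody@example.com>: Unknown user
"""

# Assumption: the ACL's deny message uses the wording shown in the thread.
MSGID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
REJECT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?:(?P<msgid>" + MSGID + r") )?"
    r"H=(?P<host>.*?) \[(?P<ip>[^\]]+)\].*?F=<(?P<sender>[^>]*)> "
    r"rejected after DATA: .*contains a virus.*\((?P<signature>[^()]+)\)\s*$"
)
DELIVERY_RE = re.compile(r"^\S+ \S+ (" + MSGID + r") [=-]> ")


def virus_rejections(log_text):
    """Return one dict per message refused after DATA for malware."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := REJECT_RE.match(line))]


def delivered_ids(log_text):
    """Message IDs that have at least one delivery ("=>" or "->") line."""
    return {m.group(1) for line in log_text.splitlines()
            if (m := DELIVERY_RE.match(line))}


def report(log_text):
    rejected = virus_rejections(log_text)
    delivered = delivered_ids(log_text)
    return {
        "by_signature": Counter(r["signature"] for r in rejected),
        "senders": sorted({r["sender"] for r in rejected}),
        # A message refused at SMTP time should never show a delivery line.
        "rejected_but_delivered": sorted(
            r["msgid"] for r in rejected if r["msgid"] in delivered),
    }


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

An empty "rejected_but_delivered" list means every message flagged by the scanner was refused outright, so nothing was scrubbed and passed on to the recipient.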
 
We thought the ability to exclude would allow some users to charge for virus checking :) .

Jeff
 