Notification options with virus scanning


ink
Posts: 67
Joined: Mon May 23, 2005 3:53 pm

Notification options with virus scanning

Postby ink » Thu Jun 02, 2005 12:46 pm

The Administrator's guide says that the following will notify the sender of a virus:

VIRUS-FOUND=1 ACTION=DISCARD NOTIFY="rejection message"

Knowing that 95% of all virus-infected email has a spoofed sender, I would much rather have those messages be directed to postmaster, or send notice to the recipient on our local system. Is there a way to do this? Is the syntax of this file better documented elsewhere?

Thanks!

rudi
Posts: 289
Joined: Mon Nov 22, 2004 6:53 am

Notify the Administrator

Postby rudi » Mon Jun 06, 2005 10:38 am

Hi,

I also need the option that a notification of a virus mail is sent to the admin on the local system.

Thanks for help!!!

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Wed Jun 08, 2005 11:15 am

Page 103 of the Scalix Administration Guide (for the 9.2.1 release) gives some further information on message delivery rulesets, which virus scanning makes use of.

This states:

An ACTION attribute must be specified for a rule. For actions which do not automatically return a Non-Delivery Notification, you can specify a message to be returned to the user with the NOTIFY tag.
• ALLOW
Route the message immediately.
• DEFER
Defer delivery of the message during the period specified by the day and time attributes.
• DISCARD
Discard the message without returning a Non-Delivery Notification to the originator.
• REJECT
Do not route the message and return a Non-Delivery Notification to the originator.
• RETURN
Do not route the message and return a Non-Delivery Notification and the original message to the originator.


So, the implication is that to achieve what you want you just need:

VIRUS-FOUND=1 ACTION=DISCARD

This should discard the message and NOT return an NDN to the originator.

If you wish the administrator (or, more correctly, the Error Notification User (ENU)) to be notified then you need

ACTION=REJECT


and this will have the undesired (in this case) side effect of attempting to send an NDN to the originator.

Hope that helps,
JG

ink
Posts: 67
Joined: Mon May 23, 2005 3:53 pm

Postby ink » Wed Jun 08, 2005 11:39 am

What would be nice in a future version is something like this

VIRUS-FOUND=1 ACTION=DISCARD NOTIFYADDR="some user" NOTIFYMSG="some message"

Returning the message to the sender should probably never be enabled; doing so has a higher chance of spreading the virus to innocent, spoofed addresses than it does of legitimately notifying an infected user.

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Requirement for notifying the mail administrator?

Postby ScalixSupport » Thu Jun 09, 2005 7:10 am

Thinking about this a little more, what is the real requirement to have the local mail administrator notified that an external person attempted to send a virus to one of their users?

Armed with this information, what is the mail administrator then going to do?

If the requirement is for the mail administrator to get a warm fuzzy feeling that virus e-mails are being caught, or there is a need to see how many virus e-mails are arriving at the company then this information can potentially be gleaned from the Scalix audit log files.

e.g. if I enable audit logging (to at least level 9) on the Service router then I can see in the audit log (~scalix/logs/audit):

routing
time 1118314620 Thu Jun 9 03:57:00 2005 -420
type 0 message
priority 0 normal
sensitivity 0 normal
importance 0 normal
created-locally 1
hop-count 1
originator .....originator information......
subject test virus reject
ua-message-id H00000f500386b21.1118314609.host.foobar.com
mta-message-id H00000f500386b21.1118314609.host.foobar.com
part-size 215
part-type 1166 DISTRIBUTION LIST
part-size 1091
part-type 2130 Microsoft RTF
part-size 69
part-type 0 BINARY FILE
virus-uncleaned Eicar-Test-Signature
recipient-to ......recipient information.......
ack-req 0 none
message-filter-info +VIRUS-UNCLEANED=REJECT
non-delivery-reason 8
max-nest-depth 0
message-size 8797
part-count 3
delivered-count 0


So I can see who sent the message, who it was destined for, what the virus was, and the action taken.

A script could be written to harvest this information from the audit files on a regular basis in order to keep the mail administrator informed of what is happening.

Any good?

Cheers,
JG

dplaza

Notification of infected file.

Postby dplaza » Fri Aug 05, 2005 11:06 am

So am I to understand that there is no way to notify a recipient that an email containing an attachment destined for them was infected? The reality is that all viruses don't come from spam. If the recipient is made aware of why an email is not received it saves the administrator from the "my email is not working because so-and-so sent me something that I did not receive" issue.

tonyn
Scalix
Posts: 12
Joined: Mon Jul 04, 2005 4:33 am

Postby tonyn » Mon Aug 08, 2005 4:08 am

ACTION=REJECT will send a non-delivery notification back to the originator of the message. You can fine-tune the message sent to say something like "This message contained a virus - suggest you update your local virus definitions database" etc ... by using the NDN-INFO option - see the Admin Guide for details.

Sometimes this might be the right thing to do. But are you sure that the originator of the message is really where the message came from? Most times with virus messages the originator address has been spoofed. So to DISCARD or REJECT is a judgement that you as an administrator have to make I'm afraid.

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Fri Nov 18, 2005 11:16 am

There may be a small light at the end of the tunnel ( and it's not a train :-) )

I have raised a feature request to get some notification made to an address of your choice but, in the meantime, clamd provides a similar feature.

Edit /etc/clamd.conf:

# Execute a command when virus is found. In the command string %v will
# be replaced by a virus name.
# Default: disabled
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
VirusEvent /tmp/send_virus_alert "%v"


where /tmp/send_virus_alert is a script as follows:

#!/bin/bash
# clamd passes the virus name (the %v from clamd.conf) as $1

echo "VIRUS $1" | /bin/mail -s "Virus Warning" admin.address@domain.com

exit 0


This will allow a short message to be sent to the address of your choice when a virus is detected. This is available in clamd now so it should be easy to implement.

The downside is that this can only act as a trigger for you to look in the Scalix audit log. Clamd doesn't know that the file it is told to scan is a message so it doesn't have any details as to the sender or recipient.

Hope this goes part of the way to achieving what you're asking for.

Cheers

Dave
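The two pieces above fit together: JG's Jun 09 post suggests a script that harvests sender, recipient, virus name and rule action from ~scalix/logs/audit, and Dave's clamd VirusEvent trigger only knows the virus name (%v). The following script is an added example for this thread, not Scalix or ClamAV code. It parses audit records of the shape quoted in the thread and can be run either as a periodic report or with a virus name argument, the way a VirusEvent handler would call it to look up the matching records. Assumptions, not taken from the page: records are separated by a blank line and begin with a type word such as "routing", every other line is "key value", the sample addresses and second record are constructed, and the "(DELIVERED)" flag is derived from delivered-count.

```python
"""Harvest virus events from Scalix router audit-log records (added example)."""
import re
import sys
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample modelled on the record quoted in the thread: one virus
# rejection plus one clean delivery. Address formats are placeholders.
SAMPLE_AUDIT = """\
routing
time 1118314620 Thu Jun 9 03:57:00 2005 -420
type 0 message
originator sender@example.invalid
subject test virus reject
ua-message-id H00000f500386b21.1118314609.host.foobar.com
part-type 2130 Microsoft RTF
part-size 69
part-type 0 BINARY FILE
virus-uncleaned Eicar-Test-Signature
recipient-to user@example.invalid
message-filter-info +VIRUS-UNCLEANED=REJECT
non-delivery-reason 8
delivered-count 0

routing
time 1118314700 Thu Jun 9 03:58:20 2005 -420
type 0 message
originator other@example.invalid
subject clean mail
recipient-to user@example.invalid
delivered-count 1
"""

# "+VIRUS-UNCLEANED=REJECT" -> rule name and the action the rule took
FILTER_RE = re.compile(r"^\+?([A-Z][A-Z-]*)=([A-Z]+)$")


def parse_records(text: str) -> List[Dict[str, List[str]]]:
    """Split the log into records (assumed blank-line separated). Keys such
    as part-type repeat, so every key maps to a list of values in file order."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        rec: Dict[str, List[str]] = defaultdict(list)
        rec["record-type"].append(lines[0])
        for line in lines[1:]:
            key, _, value = line.partition(" ")
            rec[key].append(value)
        records.append(dict(rec))
    return records


def virus_events(records: List[Dict[str, List[str]]]) -> List[dict]:
    """Reduce each record carrying a virus-uncleaned line to what the
    administrator wants: when, from whom, to whom, which virus, what the
    delivery rule did, and whether anything was actually delivered."""
    events = []
    for rec in records:
        if "virus-uncleaned" not in rec:
            continue
        action = "UNKNOWN"
        for info in rec.get("message-filter-info", []):
            m = FILTER_RE.match(info)
            if m:
                action = m.group(2)
        events.append({
            "time": int(rec["time"][0].split()[0]),  # epoch seconds
            "originator": rec.get("originator", ["?"])[0],
            "recipient": rec.get("recipient-to", ["?"])[0],
            "virus": rec["virus-uncleaned"][0],
            "action": action,
            "delivered": rec.get("delivered-count", ["0"])[0] != "0",
        })
    return events


def summarize(events: List[dict]) -> Dict[str, Counter]:
    """Counts for the 'how many virus e-mails are arriving' question."""
    return {"by_virus": Counter(e["virus"] for e in events),
            "by_action": Counter(e["action"] for e in events)}


def events_for_virus(text: str, virus_name: str) -> List[dict]:
    """Lookup a clamd VirusEvent handler could run with the %v it receives,
    adding the sender/recipient context that clamd itself does not have."""
    return [e for e in virus_events(parse_records(text)) if e["virus"] == virus_name]


def report(events: List[dict]) -> str:
    """One line per event; anything with delivered-count != 0 is flagged."""
    return "\n".join(
        f"{e['time']} {e['virus']} from {e['originator']} to {e['recipient']} "
        f"-> {e['action']}{' (DELIVERED)' if e['delivered'] else ''}"
        for e in events)


if __name__ == "__main__":
    # Usage: python harvest_audit.py [audit-file] [virus-name]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT
    evs = (events_for_virus(text, sys.argv[2]) if len(sys.argv) > 2
           else virus_events(parse_records(text)))
    print(report(evs))
    print(summarize(evs))
```

Run without arguments it reports on the embedded sample; pointed at the real audit file it can be scheduled from cron for the periodic digest JG describes, or called with the virus name from a VirusEvent script to mail the administrator the full context instead of only "VIRUS Eicar-Test-Signature". Note the (DELIVERED) flag: under the ALLOW or cleaned cases it is the one line worth an immediate look.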

