post-delivery virus scan

mick crane mick.crane at gmail.com
Thu Nov 10 00:12:22 UTC 2016


On 2016-11-09 21:36, Brad Koehn wrote:
> I have discovered that many times the virus definitions I use for
> scanning messages (ClamAV, with the unofficial signatures
> http://sanesecurity.com/usage/linux-scripts/) are updated some time
> after my server has received an infected email. It seems the virus
> creators are trying to race the virus definition creators to see who
> can deliver first; more than half of the infected messages are found
> after they’ve been delivered. Great.
> 
> To help detect and remove the infected messages after they’ve been
> delivered to users’ mailboxes, I created a small script that iterates
> the INBOX and Junk mailbox directories, scans recent messages for
> viruses, and deletes them if found. The source of my script (run via
> cron) is here: https://gitlab.koehn.com/snippets/9
> 
> Unfortunately Dovecot doesn’t like it if messages are deleted (dbox)
> out from under it. I tried a doveadm force-resync on the folder
> containing the messages, but it seems Dovecot is still unhappy. At
> least on the new version (2.2.26.0) it doesn’t crash; 2.2.25 would
> panic and coredump when it discovered messages had been deleted.
> 
> I’m wondering if there’s a better way to scan recent messages and
> eradicate them so the Dovecot isn’t upset when it happens. Maybe using
> doveadm search? Looking for suggestions.
> 

leave an empty message behind with the same name as the deleted message?

-- 
key ID: 0x4BFEBB31
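One way to do what the question asks for (scanning recent messages through doveadm search/fetch/expunge instead of deleting dbox files behind Dovecot's back), as an added example that is not the original script or anything posted in this thread. It assumes clamd is running, the script runs as a user allowed to call doveadm, and that the mailboxes are INBOX and Junk as in the original script; the user address is passed as a placeholder argument.

```shell
#!/bin/sh
# Post-delivery scan via doveadm, so Dovecot's indexes stay consistent.
# Assumptions (not from the thread): clamd running, doveadm callable here,
# mailboxes INBOX and Junk, user address given as $1, window as $2 (e.g. 1d).

# Map clamdscan's exit status to a verdict: 0 clean, 1 infected, else error.
scan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Build the doveadm query for one message from a "mailbox-guid uid" search
# line, rejecting anything that is not a 32-hex-digit GUID plus a numeric
# UID, so a malformed line can never turn into a broader expunge.
message_query() {
    guid=$1 uid=$2
    case $guid in ????????????????????????????????) ;; *) return 1 ;; esac
    case $guid in *[!0-9a-fA-F]*) return 1 ;; esac
    case $uid in '' | *[!0-9]*) return 1 ;; esac
    echo "mailbox-guid $guid uid $uid"
}

# Scan messages saved to INBOX and Junk within the window (default one day)
# and expunge the infected ones through doveadm rather than via the filesystem.
scan_recent_mail() {
    user=$1 window=${2:-1d}
    tmp=$(mktemp) || return 1
    for box in INBOX Junk; do
        doveadm search -u "$user" mailbox "$box" savedsince "$window" |
        while read -r guid uid rest; do
            q=$(message_query "$guid" "$uid") || continue
            # $q is intentionally unquoted: it expands to four query words.
            doveadm fetch -u "$user" text $q > "$tmp" || continue
            rc=0
            # --fdpass hands clamd an open descriptor to our private temp file.
            clamdscan --fdpass --no-summary "$tmp" > /dev/null || rc=$?
            case $(scan_verdict "$rc") in
                infected) logger -t mailscan "expunging infected: $user $q"
                          doveadm expunge -u "$user" $q ;;
                error)    logger -t mailscan "clamdscan rc=$rc on $user $q" ;;
            esac
        done
    done
    rm -f "$tmp"
}
if [ $# -gt 0 ]; then scan_recent_mail "$@"; fi
```

Run it from cron as `scan_recent_mail.sh user@example.org 1d` per user, or wrap it in a loop over `doveadm user '*'`; expunging through doveadm means no force-resync is needed afterwards.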