post-delivery virus scan

Brad Koehn brad at koe.hn
Thu Nov 10 11:40:57 UTC 2016


I’ve decided to try this approach. I’ve updated my script as follows:

#!/bin/bash

# Scan junk folders for messages containing viruses we didn't have definitions
# for when the mail was received. Truncate the body of infected messages and
# replace the body with a message.

cd /var/mail || exit 1

# Walk every INBOX and Junk directory. -print0 / read -d '' keeps paths intact
# even if they contain whitespace.
while IFS= read -r -d '' dir ; do
  # dbox message files are named u.<uid>; only look at the last 14 days.
  while IFS= read -r -d '' file ; do
    # clamdscan exit codes: 0 clean, 1 infected, 2 error
    /usr/local/bin/clamdscan --quiet --fdpass "$file"
    if [ $? -eq 1 ] ; then
      # Delete from the first blank line (end of headers) to end of file ...
      sed -i '/^$/,$d' "$file"
      # ... then append a replacement body. printf interprets the escape
      # sequences; plain echo would write the backslashes literally.
      printf '\r\n\r\n[The body of this message contained a virus and was deleted.]\n' >> "$file"
    fi
  done < <(find "$dir" -type f -name 'u.*' -mtime -14 -print0)
done < <(find . \( -name Junk -o -name INBOX \) -type d -print0)

We’ll see if that does the trick.

> On Nov 9, 2016, at 6:12 PM, mick crane <mick.crane at gmail.com> wrote:
> 
> On 2016-11-09 21:36, Brad Koehn wrote:
>> I have discovered that many times the virus definitions I use for
>> scanning messages (ClamAV, with the unofficial signatures
>> http://sanesecurity.com/usage/linux-scripts/) are updated some time
>> after my server has received an infected email. It seems the virus
>> creators are trying to race the virus definition creators to see who
>> can deliver first; more than half of the infected messages are found
>> after they’ve been delivered. Great.
>> To help detect and remove the infected messages after they’ve been
>> delivered to users’ mailboxes, I created a small script that iterates
>> the INBOX and Junk mailbox directories, scans recent messages for
>> viruses, and deletes them if found. The source of my script (run via
>> cron) is here: https://gitlab.koehn.com/snippets/9
>> Unfortunately Dovecot doesn’t like it if messages are deleted (dbox)
>> out from under it. I tried a doveadm force-resync on the folder
>> containing the messages, but it seems Dovecot is still unhappy. At
>> least on the new version (2.2.26.0) it doesn’t crash; 2.2.25 would
>> panic and coredump when it discovered messages had been deleted.
>> I’m wondering if there’s a better way to scan recent messages and
>> eradicate them so that Dovecot isn't upset when it happens. Maybe using
>> doveadm search? Looking for suggestions.
> 
> leave an empty message behind with the same name as deleted message ?
> 
> 
> 
> 
> -- 
> key ID: 0x4BFEBB31
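Following the doveadm idea raised in the quoted message, here is an added example (not Brad's script and not Dovecot project code) that lets Dovecot expunge infected messages itself instead of deleting or rewriting dbox files behind its back. It assumes doveadm and clamdscan are on PATH with clamd running, that clamdscan accepts `-` for stdin with --stream and exits 0/1/2 for clean/infected/error, and that `doveadm search` prints one "mailbox-guid uid" pair per line.

```shell
#!/bin/sh
# Added example (not Brad's script, not Dovecot project code): let Dovecot expunge
# infected messages via doveadm instead of deleting or rewriting dbox files
# behind its back.
# Assumptions: doveadm and clamdscan are on PATH, clamd is running, clamdscan
# accepts '-' (stdin) with --stream and exits 0 = clean, 1 = infected, 2 = error,
# and `doveadm search` prints one "mailbox-guid uid" pair per line.
DOVEADM=${DOVEADM:-doveadm}        # overridable so the logic can be exercised with stubs
CLAMDSCAN=${CLAMDSCAN:-clamdscan}
DAYS=${DAYS:-14}                   # same 14-day window as the cron script above

# Fetch one message through Dovecot and stream it to clamd.
# Prints "clean", "infected" or "error".  $1 user, $2 mailbox-guid, $3 uid
scan_message() {
  rc=0
  "$DOVEADM" fetch -u "$1" text mailbox-guid "$2" uid "$3" \
    | "$CLAMDSCAN" --quiet --stream - >/dev/null 2>&1 || rc=$?
  case $rc in
    0) echo clean ;;
    1) echo infected ;;
    *) echo error ;;     # scanner/daemon problem: leave the message alone
  esac
}

# Scan everything saved to a mailbox in the last $DAYS days and expunge the
# infected ones through doveadm.  Prints the number expunged.  $1 user, $2 mailbox
scan_mailbox() {
  n=0
  for pair in $("$DOVEADM" search -u "$1" mailbox "$2" savedsince "${DAYS}d" | tr ' ' ':'); do
    guid=${pair%%:*}
    uid=${pair##*:}
    if [ "$(scan_message "$1" "$guid" "$uid")" = infected ]; then
      "$DOVEADM" expunge -u "$1" mailbox-guid "$guid" uid "$uid"
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Run from cron as:  RUN_POSTSCAN=1 postscan.sh user@example.com Junk
if [ "${RUN_POSTSCAN:-0}" = 1 ]; then
  scan_mailbox "$1" "${2:-Junk}"
fi
```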



More information about the dovecot mailing list