Procmail

Procmail is a very general and powerful mail-handling tool. It lets you specify pattern-based rules for your mail, with actions to be taken when the rules match. I use it for a wide variety of tasks, including:

Note that procmail, and any filters you run from procmail, only apply to single users' mailboxes. Previous filter layers apply to the entire site, so this is different.


SMTP Phasepost-DATA
CPU Usemedium
Memory Uselow
False Positivesmedium
Maintenancelow
Effectivenesshigh

Non-ClamAV viruses

ClamAV is very effective but is not perfect. When a new virus pops up, it takes the ClamAV folks hours or days to come out with a pattern to block it. Meanwhile, I don't want those new viruses getting through. I use a small set of procmail patterns that match any Windows executable. This takes more CPU cycles to run than ClamAV, so ClamAV goes first, then this runs as a backup.

:0 B
* ^Content-Transfer-Encoding:.*base64
* ^TVqQAAMAAAAEAAAA
/dev/null

:0 B
* ^Content-Transfer-Encoding:.*base64
* ^TVoAAAAAAAAAAAAA
/dev/null

:0 B
* ^Content-Transfer-Encoding:.*base64
* ^UEsDBAoAAAAAA
/dev/null

:0 B
* ^Content-Transfer-Encoding:.*base64
* ^UEsDBBQAAAAIA
/dev/null
The action above - sending the messages directly to the bit bucket - is just an example. What I actually do on my system is file the message in a junk folder and generate a syslog message, so I can keep stats on how many of these I'm getting.

I'm a little uneasy about this filter. Since the patterns are fairly short, they could occasionally match an innocent file by random chance. Perhaps a JPEG sent to me by a friend. What I really ought to do is turn these into local ClamAV patterns, which could be more specific - they could match the magic string only on the first line of the payload, instead of anywhere in the file.

The spike starting on 01May2005 is due to a bug in ClamAV - it's letting certain viruses go through, and the programmers haven't managed to fix it yet.
<<< [ClamAV] <<< >>> [Bayesian] >>>