News and Announcements: This is where you can read announcements regarding Vortech Inc.
#1
WOOT! - Virus Scanning
After much blood, tears, and extreme frustration, I have created a sweet little virus scanning package for the mail servers. Took only four days of pretty constant work, reading page after man page. My own little (simple) custom program written in C. This avoids the load that perl or shell scripts place on the machine. It integrates quickly with clamav and qmail.
The program simply uses clamdscan to check to see if a message is a virus... If it is, it silently drops it - No one wants to know you sent a message to them or they missed out on receiving one of those gems - and 99% of the time, it's spoofed anyway, causing panic and confusion to the masses of the mail world. It seems pretty foolproof, load on the server wasn't harmed, and I've tried to break it in many ways, without success (which is good that I couldn't break it...). Also, we've re-enabled the RBL after last week's debacle. We're hoping to have our own in-house DNSBL server soon to avoid sending 2 million queries away.
#2
Do you have more details on the type of files that are blocked and the ones that are scanned?
#3
It scans all messages. If there is a virus, it's dropped. Pretty simple?
#4
I should have said attachments instead of message...
Goes inside zip, rar, ace, hqx, etc.? Scans pif, exe, swf, etc.?
#5
Matt, let me guess...
on the weekends you like to build racing engines with duct tape and a grease pen, don't you? "simply uses clamdscan..." - what a showoff. Nice work!
#6
Great stuff Matt, give yourself a big pat on the back! ... Brad, give that boy a raise, will ya!
#7
It will scan all attachments that are valid, and go a layer deep into a zip ... so maybe a zip in zip if there is one. Won't scan overly large messages (>1M) until we see viruses that big (I hope not!)
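Added example, not the program described in this thread and not posted by any participant: the scan-then-drop decision from posts #1 and #7 written in C, keeping clamdscan's "virus found" exit code (1) separate from its error code (2) so that a scanner failure defers mail instead of silently dropping it. The function names, the 1 MiB constant and the spooled-message-file argument are assumptions.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_SCAN_BYTES (1024L * 1024L) /* ">1M" cutoff; exact byte value is assumed */

enum verdict { DELIVER, DROP, TEMPFAIL };

/* Run the scanner directly (no shell) and return its exit code,
 * or -1 if it could not be started or died on a signal. */
static int run_scanner(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127); /* exec failed: scanner missing or not executable */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* clamdscan exits 0 = clean, 1 = virus found, 2 = error. Only an explicit 1
 * may drop mail; anything unexpected defers so clean mail is never lost. */
enum verdict decide(long msg_bytes, char *const scanner_argv[])
{
    if (msg_bytes > MAX_SCAN_BYTES)
        return DELIVER; /* oversized: passed through unscanned */
    switch (run_scanner(scanner_argv)) {
    case 0:  return DELIVER;
    case 1:  return DROP;
    default: return TEMPFAIL;
    }
}

int main(int argc, char **argv)
{
    static const char *names[] = { "deliver", "drop", "tempfail" };
    struct stat st;
    if (argc != 2 || stat(argv[1], &st) != 0) {
        fprintf(stderr, "usage: %s <spooled-message-file>\n", argv[0]);
        return 2;
    }
    char *scan[] = { "clamdscan", "--no-summary", argv[1], NULL };
    puts(names[decide((long)st.st_size, scan)]);
    return 0;
}
```

A filter that treats every non-zero exit as "infected" would drop all mail whenever clamd is down, which is the failure a silent-drop policy makes hardest to notice.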
#8
Go Matt!!!!!!!
#9
Hang on a tick - is this already active? And if so, would it account for an email that I was expecting from a client disappearing without a trace?
#10
I know most people would be screaming praise for this (I'm one of them), but are we able to disable it on individual accounts? Or is it just a server wide thing? I have a few clients who really don't like the idea of their email being deleted, even if it is a virus. (And no, I don't agree with them, but hey, what can I do, they pay my bills.)
Last edited by Silverbug : 02-18-2004 at 12:15 AM.
#11
I know what you mean. Virus scanning is FANTASTIC (and kudos to Matt). However it would be nice (there's always a "would be nice", with clients!) if you could disable it, or have an option to have it quarantined and then you decide what to do with it, or just remove the offending attachment but still let the message text go thru. That way, you could at least say, "Yeah, I got your email, but it seems your computer might have a virus as an attachment you sent was infected." Because you could have "legitimate" email that is infected.
Just a thought, but again, FANTASTIC EFFORT GUYS!!!
#12
Any chance instead of drop, it could be set up to bounce with a little message saying "undelivered contained virus" or something like that? That would, I think, keep most people pretty happy.
#13
No No No. There is NO reason to preserve viruses EVER. We had so many complaints with MyDoom of people wanting this, and this will NOT be made into a per domain basis, simply due to the fact that we are doing our part to prevent the spread of such things.
And about bounces, quarantine, etc. Think about it... How many bounce messages did YOU get from MyDoom ... 100% from your email address being spoofed by the virus sender. So by creating bounces or informing people that we "blocked" a virus, we are simply creating more traffic and causing extra confusion.
#14
Quote:
Submit a ticket, chances are something else got it. Only virii have problems going through. Unless they have a virus that piggybacked... hah
#15
What if (although I'm pretty sure this isn't the case in this case, because I had the guy send it to a Hotmail account, then used a virus scanner to check that it wasn't infected), someone sent you an email, with an attached word doc, or something, and that person happened to have a virus, which happened to have infected the word document, so - they sent you a pricing enquiry, or a screen dump of an error (why people put these into word is beyond me, but they do), and you never know that they tried to send such a thing, because it got dropped?
How likely is a virus to hang around and infect files like that? I.e. - what's the chance that we'll miss a legit email because some part of it was "unintentionally infected" (the message itself wasn't sent by a virus, but did contain a virus)?
Last edited by logic404 : 02-18-2004 at 12:11 AM.