Re: Deleting infected emails as well as attachments

From: David Santinoli
Date: Thu 15 Apr 2004 - 11:28:31 GMT


    On Thu, Apr 15, 2004 at 10:07:34AM +1000, Peter Williams wrote:
    > With the amount of viruses floating around I was wanting to configure
    > Anomy to either drop the whole email or send it to a Junk email
    > address. Only in the event of the email containing an infected
    > attachment.

    Hi Peter,
      I was in exactly your situation. This is how I managed to route
    infected e-mail to a dedicated mailbox:

    - in anomy.conf, associate the "file-is-infected" exit codes of the
      antivirus to a policy ending in "!" (e.g. "defang!"). This will cause
      Anomy to exit with a non-zero status after processing the message.

    - Then, in the external program calling Anomy, check the exit status,
      and if it's nonzero then
      (quarantine|discard|do_whatever_you_like_with) the message.

    Note that AFAIK Anomy could exit with a non-zero status on at least
    one other occasion, namely if the message fails many sanity checks
    (there's a configurable threshold for that).

    IMHO it would be nice to be able to associate exit codes to policies, in
    order to differentiate such cases. For example, "defang|100" would
    defang the message and set Anomy's exit code to 100.

    A step further would be to have a mechanism to propagate the scanner's
    exit code to Anomy's. For example, "defang|100+" would set Anomy's exit
    code to (100 + the scanner's exit code).


     David Santinoli, Milano             +   <>
     Independent Linux/Unix consultant   +
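
The two steps described in the message above, written as a wrapper function. This is an added example, not code from the post or from the Anomy project. It assumes the sanitizer reads the message on stdin and writes the sanitized copy to stdout; the command line in `SANITIZER_CMD`, both directory paths and the name `route_message` are placeholders.

```shell
#!/bin/sh
# Added example: route mail by the sanitizer's exit status.
# SANITIZER_CMD, CLEAN_DIR and QUARANTINE_DIR are assumed placeholders.
: "${SANITIZER_CMD:=sanitizer.pl /etc/anomy.conf}"
: "${CLEAN_DIR:=/var/spool/filter/clean}"
: "${QUARANTINE_DIR:=/var/spool/filter/quarantine}"

# route_message FILE
# Prints "clean" or "quarantine:<status>". Returns 75 (EX_TEMPFAIL) when the
# message could not be stored, so the calling MTA retries instead of losing it.
route_message() {
    raw=$1
    name=$(basename "$raw")
    old_umask=$(umask)
    umask 077                      # held malware must not be world-readable
    out=$(mktemp) || { umask "$old_umask"; return 75; }

    if $SANITIZER_CMD < "$raw" > "$out"; then
        # Exit 0: no "!" policy fired and the sanity checks passed.
        mv "$out" "$CLEAN_DIR/$name" && verdict=clean
    else
        status=$?
        # Non-zero: an infected attachment hit a "!" policy, the message
        # failed too many sanity checks, or the sanitizer did not run at all.
        # All of these are held; the status is saved for the operator.
        rm -f "$out"
        cp "$raw" "$QUARANTINE_DIR/$name" &&
            echo "$status" > "$QUARANTINE_DIR/$name.status" &&
            verdict="quarantine:$status"
    fi
    rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return 75
    echo "$verdict"
}
```

Because the exit status alone does not say why the sanitizer returned non-zero, the wrapper holds every such message and keeps the status next to it for later review.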
