Of course, this is assuming he has Procmail installed (I have the exact same
setup, just no procmail).
I adjusted the advosys script to call CLAMSCAN and scan the whole email. This
leaves a blank email if positive; if the email is blank, I drop it. If it's
not, it gets passed through Anomy for further filtering. (It's not that I
don't trust ClamAV, I don't trust any antivirus system 100%.) And believe it
or not, it's FAST.
It's simple, clean (one script with options for piping to a directory for
further review if need be) and is easily handling an average of 25k to 45k
emails a day for 3k users on a server that also gets over 3 million web hits a
month. And it's just a dual 1GHz with 2 gigs of RAM and a sucky drive system.
We are in the middle of separating out the web services to 4 load-balanced
web servers, an email server, and an AV/SpamAssassin server. Not due to
slowness, mind you, but to bring the OS up to date, and we were running out of
drive space.
I have 11 instances of spamd running at all times, and four have less than 10
seconds of CPU time in the last month:
8:59pm up 33 days, 4:43, 2 users, load average: 0.37, 0.45, 0.82
143 processes: 141 sleeping, 1 running, 1 zombie, 0 stopped
CPU0 states: 2.0% user, 4.0% system, 0.0% nice, 93.0% idle
CPU1 states: 0.0% user, 0.0% system, 0.0% nice, 100.0% idle
Mem: 2064828K av, 1806196K used, 258632K free, 0K shrd, 204368K buff
Swap: 2040212K av, 77424K used, 1962788K free 1134668K cached
PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
1137 filter 9 0 22800 1372 448 S 0.0 0.0 0:07 spamd
25285 filter 9 0 30660 25M 1712 S 0.0 1.2 1:39 spamd
8759 filter 9 0 31424 25M 1772 S 0.0 1.2 0:49 spamd
12278 filter 9 0 30228 24M 1784 S 0.0 1.2 0:34 spamd
16183 filter 9 0 32492 26M 1784 S 0.0 1.3 0:29 spamd
20004 filter 9 0 34624 29M 1784 S 0.0 1.4 0:22 spamd
20158 filter 9 0 28972 23M 1792 S 0.0 1.1 0:15 spamd
21057 filter 9 0 30052 24M 1792 S 0.0 1.2 0:14 spamd
22470 filter 9 0 27036 21M 1776 S 0.0 1.0 0:07 spamd
22570 filter 9 0 27976 22M 1760 S 0.0 1.1 0:06 spamd
23002 filter 9 0 27364 21M 1764 S 0.0 1.0 0:05 spamd
with an uptime of 33 days.
It should be simple to set up; here's a snippet of my filter.sh:
# Exit codes from <sysexits.h>
EX_TEMPFAIL=75
EX_UNAVAILABLE=69
# ($INSPECT_DIR, $SPAMC, $EGREP, $SPAMLIMIT, $SIDELINE_DIR, $SENDMAIL and
# $CLAMSCAN are set earlier in filter.sh, as in the advosys script.)
cd $INSPECT_DIR || { echo $INSPECT_DIR does not exist; exit $EX_TEMPFAIL; }
# Clean up when done or when aborting.
trap "rm -f out.$$" 0 1 2 3 15
# Pipe message through SA to a temp file:
cat | $SPAMC -f -d localhost -p 783 -u filter > out.$$
# Are there more than $SPAMLIMIT stars in X-Spam-Level header? :
if $EGREP -q "^X-Spam-Level: \*{$SPAMLIMIT,}" < out.$$
then
    # Option 1: Move high scoring messages to sideline dir so a human can
    # look at them later:
    # mv out.$$ $SIDELINE_DIR
    # Option 2: Divert to an alternate e-mail address:
    # (Comment out the above, then uncomment next line to use this option)
    # $SENDMAIL 137176@xyz.molar.is < out.$$
    # Option 3: Delete the message
    rm -f out.$$
else
    # Scan the temp file by name: with no file argument clamscan scans the
    # whole current directory, i.e. every other instance's out.NNN as well.
    # Run through clamav and move to a directory for further review?
    # $CLAMSCAN -v --mbox --unzip=/usr/bin/unzip --move=/tmp/quarentine \
    #     -l /var/log/avmail out.$$
    # Run through clamav and delete (default):
    $CLAMSCAN -v --mbox --unzip=/usr/bin/unzip --remove -l /var/log/avmail \
        out.$$
fi
And you can probably set up a better removal tool. In fact, I'm embarrassed to
show it, as I have the scripting prowess of a speedbump; any offers for a
clean solution to removing the empty emails in a line or two would be HIGHLY
appreciated.
Anthony
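As an added example (not Anthony's filter.sh, not the advosys script, and not the clamavd.sh quoted further down), here is the same three-way decision written as small POSIX sh functions that can be exercised without spamc or clamscan installed: the X-Spam-Level star test, the mapping of a clamscan/clamdscan exit status to the 0/2/3 codes clamavd.sh hands back to Anomy, and the "is the email blank?" check that drops a message clamscan --remove has already eaten instead of delivering an empty mail. The SPAMC and CLAMSCAN command lines, the NEXT_HOP stand-in for the Anomy sanitizer and the SPAMLIMIT default of 10 are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original post or from the advosys script.
# Exit codes from <sysexits.h>, as in filter.sh.
EX_TEMPFAIL=75
EX_UNAVAILABLE=69

# Assumptions: the scanner command lines below stand in for the ones set
# earlier in filter.sh; NEXT_HOP is where a surviving message goes (the Anomy
# sanitizer in the setup described above, plain cat here so the script is
# self-contained).
SPAMLIMIT=${SPAMLIMIT:-10}
SPAMC=${SPAMC:-"spamc -f -d localhost -p 783 -u filter"}
CLAMSCAN=${CLAMSCAN:-"clamscan --mbox --remove -l /var/log/avmail"}
NEXT_HOP=${NEXT_HOP:-cat}

# Does the SpamAssassin-tagged message in file $1 carry at least $SPAMLIMIT
# stars in its X-Spam-Level header? Returns 0 when it does.
spam_over_limit() {
    grep -E -q "^X-Spam-Level: \*{$SPAMLIMIT,}" "$1"
}

# Map a clamscan/clamdscan exit status (0 clean, 1 virus found, 2 scan error)
# to the codes the quoted clamavd.sh hands back to Anomy: 0=OK, 2=SUSPICIOUS,
# 3=VIRUS. A scanner error is reported as suspicious, never as clean.
av_status_to_anomy() {
    case "$1" in
        0) echo 0 ;;
        1) echo 3 ;;
        *) echo 2 ;;
    esac
}

# The "empty e-mail" test: clamscan --remove deletes the temp file when it
# finds a virus, so a missing or zero-length file means the message is gone
# and must be dropped rather than delivered as an empty mail.
# Prints "deliver" or "drop"; returns 0 to deliver, 1 to drop.
post_av_action() {
    if [ -s "$1" ]; then
        echo deliver
        return 0
    fi
    echo drop
    return 1
}

# Whole pipeline on stdin, mirroring the snippet above: SpamAssassin first,
# high scorers deleted, the rest virus-scanned and, if anything is left,
# passed on to NEXT_HOP.
filter_message() {
    tmp=$(mktemp /tmp/out.XXXXXX) || exit $EX_TEMPFAIL
    trap 'rm -f "$tmp"' 0 1 2 3 15
    $SPAMC > "$tmp" || exit $EX_TEMPFAIL
    if spam_over_limit "$tmp"; then
        rm -f "$tmp"                    # Option 3 from the snippet: delete
        return 0
    fi
    $CLAMSCAN "$tmp" > /dev/null 2>&1
    anomy_code=$(av_status_to_anomy $?)
    if post_av_action "$tmp" > /dev/null; then
        $NEXT_HOP < "$tmp"
    else
        logger -p mail.notice "dropped infected message (anomy code $anomy_code)"
    fi
}

# Only run the pipeline when invoked as "filter.sh --run < message"; sourcing
# the file just for the functions does nothing.
if [ "${1:-}" = "--run" ]; then
    filter_message
fi
```

The one-liner Anthony asks for is the body of post_av_action: `[ -s out.$$ ] || exit 0` right after the clamscan line drops anything the scanner removed, and the test on -s rather than -f also covers a scanner that truncates instead of unlinking.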
On Monday 17 January 2005 05:21 pm, you wrote:
> # rpm -qa | grep clam
> clamav-0.70-1
>
> file_list_6_scanner = 0:2:3:/usr/local/anomy/bin/clamavd.sh %FILENAME
> file_list_6_policy = accept:save:drop:drop
> file_list_6 = (?i)(.*\@.*\.com)$
>
> /usr/local/anomy/bin/clamavd.sh
> #!/bin/sh
>
> # Script for the Sanitizer (procmail filter)
> # Using ClamAV
> # Version: 1.02, Xavier Roche/Serianet
> # Usage: /etc/procmail/clamavd.sh <filename>
> # Returns: "CLEAN : OK" | "VIRUS : <information>" | "ERROR"
> # Exitcode: 0=OK 2=SUSPICIOUS 3=VIRUS
> # This script is under GPL
>
> #############################################################################
> # Instructions (copied from e-mail from Xavier by Bjarni):
> #
> # I tested various AV systems (avp, f-prot..) and attached to this mail
> # a simple script which recognizes the four most used av scanners on
> # linux systems (the script can be freely used and spread, of course).
> #
> # The use is simple: check_for_virus <filename>
> # which will return 0 (OK), 2 (warning), or 3 (danger)
> #
> # For example, I use the main policy:
> #
> # file_list_1_scanner = 0:2:3:/etc/procmail/check_for_virus %FILENAME
> # file_list_1_policy = unknown:mangle:save:save
> # file_list_1 = (?i).*
> #
>
> logger -p mail.notice "check $1"
>
> if test -n "$1"; then
>     if test -f "$1"; then
>
>         RET=0
>
>         # ClamAV (Clam AntiVirus)
>         if test -x /usr/bin/clamdscan; then
>             STATUS=
>             /usr/bin/clamdscan --quiet "$1"
>             RETURNCODE=$?
>             if test $RETURNCODE -eq 1; then
>                 STATUS="virus found"
>                 RET=3
>             fi
>             # clamdscan exits 2 when the scan itself failed (e.g. clamd not
>             # running); report that as ERROR / suspicious, not as CLEAN.
>             if test $RETURNCODE -ge 2; then
>                 logger -i -p mail.notice "virus check for $1: scanner error ($RETURNCODE)"
>                 echo "ERROR"
>                 exit 2
>             fi
>             if test -n "$STATUS"; then
>                 INFO=`/usr/bin/clamdscan --disable-summary --stdout "$1" | cut -f2 -d' '`
>                 logger -i -p mail.notice "virus check for $1: VIRUS FOUND!! - $INFO"
>                 echo "VIRUS : $INFO"
>             else
>                 logger -i -p mail.notice "virus check for $1: ok"
>                 echo "CLEAN : OK"
>             fi
>         fi
>         exit $RET
>
>     fi
> fi
> echo "ERROR"
> exit 0
>
>
> ________________________________
>
> From: Alan Munday [mailto:137213@xyz.molar.is]
> Sent: Mon 1/17/2005 2:35 PM
> To: 137125@xyz.molar.is
> Subject: [anomy-list]: Calling ClamAV
>
>
>
> I'm looking to add ClamAV to my system (RH9) where I have Anomy configured
> with Postfix pretty much as per the Advosys document.
>
> Having done some searching I thought the easiest way to add clamav to the
> system is to use the RPMs produced by Dag Wieers. I'm assuming that I
> would only need to install the clamav-db and clamav RPMs (at least initially).
>
> While I found a couple of references to calling clamav from Anomy they were
> not clear to me. One required editing the sanitizer.pl which I would like
> to clarify as a requirement so I can remember this at upgrade time.
>
> Anyhow, does anyone have any clear advice on the set-up of Anomy to call
> clamav please?
>
> Thanks
>
> Alan
>
> Attachments:
> + http://mailtools.anomy.net/archives/anomy-list//b6/41/ec5638/01.unnamed.html