[Rspamd-Users] clam antivirus, pattern and rejection
Simone Lazzaris
simone.lazzaris at qcom.it
Mon Nov 4 14:02:36 UTC 2019
Hi all;
rspamd 2.0 here.
I'm not able to configure rspamd to immediately reject messages containing a virus according
to clamav (CLAM_VIRUS symbol), with an appropriate SMTP message BUT not reject (and
keep analyzing) messages containing a "clam-related" symbol (such as
CLAM_HEUR_OLE2_VBA_MACRO).
My relevant configuration snippet is:
local.d/antivirus.conf:
clamav {
  scan_mime_parts = true;
  scan_text_mime = true;
  symbol = "CLAM_VIRUS";
  type = "clamav";
  servers = "/run/clamav/clamd.ctl";
  patterns {
    CLAM_HEUR_OLE2_VBA_MACRO = "^Heuristics\.OLE2\.ContainsMacros$";
  }
}
local.d/antivirus_group.conf:
symbols = {
  "CLAM_VIRUS" {
    weight = 30;
    description = "ClamAV found a Virus";
  }
  "CLAM_HEUR_OLE2_VBA_MACRO" {
    weight = 4.0
    description = "CLAM_HEUR_OLE2_VBA_MACRO triggered";
  }
}
My setup works but only because I've given a high weight to CLAM_VIRUS, and the SMTP
message is always "Spam message rejected" (even with a virus!). I'd like to give (and log, for
statistics) the correct SMTP message when a virus is found.
I've fiddled with the force_actions module but with no success:
local.d/force_actions.conf:
rules {
  CLAMAV_REJECT {
    action = "reject";
    expression = "CLAM_VIRUS & !CLAM_HEUR_OLE2_VBA_MACRO & !CLAM_VIRUS_FAIL";
    message = '${SCANNER}: virus found: "${VIRUS}"';
  }
}
*Simone Lazzaris*
*Qcom S.p.A.*