[Rspamd-Users] rspamd with clamav and clamav-unofficial-sigs from Sanesecurity

Carsten Rosenberg cr at ncxs.de
Thu Nov 25 14:47:57 UTC 2021


On 25.11.21 15:34, G.W. Haywood via Users wrote:
> In addition, the tool which stands between the MTA and the scanner may
> make its own decisions about what to send to the scanner.  If you have
> rspamd configured to send only attachments for scanning then I imagine
> that much spam will not be scanned because there is no attachment in a
> lot of spam.  Malicious content will _almost_ always be in the form of
> an attachment, but - in addition to hoping that the scanner recognizes
> malicious content when it sees it - you need to be sure the malicious
> party hasn't discovered a way of hiding the attachment from the tool
> which extracts it to send to the scanner.  My own milters dismantle
> all MIME messages and check that the structure is correct according to
> the RFCs before scanning each MIME part (the entire mail, not just the
> attachments).  If the MIME structure fails the tests, then in my book
> that's a good reason to prevent delivery.

This is configureable in Rspamd.

On Thu, 25 Nov 2021, Andreas Wass - Glas Gasperlmair wrote:
> Here is my /etc/rspamd/local.d/antivirus.conf
> clamav {
>  # https://gist.github.com/c-rosenberg/05b6519d1f6ef36903240a3cf1e4e9be
>  scan_text_mime = true;
>  action = "reject";
>  scan_mime_parts = true;
>  log_clean = true;
>  symbol = "CLAM_VIRUS";
>  type = "clamav";
>  servers = "/var/run/clamav/clamd.ctl";
> }
> does anyone have any advice? 

As pointed above I would add the option scan_text_mime = true; as it 
will catch also on text parts.

I would add Securiteinfo to Sanesecurity unofficial sigs. But be aware 
they also match on Spam and bad HTML/JS. Maybe you dont want to reject 
all this instantly.

You could create extra symbols with patters and reject in 
force_actions.conf to be more flexible




More information about the Users mailing list