[Rspamd-Users] rspamd with clamav and clamav-unofficial-sigs from Sanesecurity
Carsten Rosenberg
cr at ncxs.de
Thu Nov 25 14:47:57 UTC 2021
Hey
On 25.11.21 15:34, G.W. Haywood via Users wrote:
> In addition, the tool which stands between the MTA and the scanner may
> make its own decisions about what to send to the scanner. If you have
> rspamd configured to send only attachments for scanning then I imagine
> that much spam will not be scanned because there is no attachment in a
> lot of spam. Malicious content will _almost_ always be in the form of
> an attachment, but - in addition to hoping that the scanner recognizes
> malicious content when it sees it - you need to be sure the malicious
> party hasn't discovered a way of hiding the attachment from the tool
> which extracts it to send to the scanner. My own milters dismantle
> all MIME messages and check that the structure is correct according to
> the RFCs before scanning each MIME part (the entire mail, not just the
> attachments). If the MIME structure fails the tests, then in my book
> that's a good reason to prevent delivery.
This is configurable in Rspamd.
On Thu, 25 Nov 2021, Andreas Wass - Glas Gasperlmair wrote:
> Here is my /etc/rspamd/local.d/antivirus.conf
> clamav {
> # https://gist.github.com/c-rosenberg/05b6519d1f6ef36903240a3cf1e4e9be
> scan_text_mime = true;
>
> action = "reject";
> scan_mime_parts = true;
> log_clean = true;
> symbol = "CLAM_VIRUS";
> type = "clamav";
> servers = "/var/run/clamav/clamd.ctl";
> }
> does anyone have any advice?
As pointed out above, I would add the option scan_text_mime = true; as it
will also catch on text parts.
I would add Securiteinfo to the Sanesecurity unofficial sigs. But be aware
they also match on spam and bad HTML/JS. Maybe you don't want to reject
all of this instantly.
You could create extra symbols with patterns and reject in
force_actions.conf to be more flexible:
https://github.com/HeinleinSupport/rspamd-slac-2019/blob/master/etc/rspamd/local.d/antivirus.conf
https://github.com/HeinleinSupport/rspamd-slac-2019/blob/master/etc/rspamd/local.d/antivirus_group.conf
--
Carsten
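Added example (not from the original mail, the linked Heinlein repo, or the rspamd project): one way to wire up what Carsten describes, with the per-family symbols coming from the antivirus module's "patterns" option, scores from local.d/antivirus_group.conf, and the reject decision moved out of antivirus.conf into force_actions.conf. The symbol names (CLAM_SANESECURITY_SPAM etc.), the scores, and the regexes on the signature-name prefixes are assumptions; the unofficial databases change their naming, so check the names clamd actually reports in your rspamd log before relying on the patterns. It also assumes, as the antivirus module documents, that a matching pattern symbol is inserted instead of the default symbol.

```ucl
# /etc/rspamd/local.d/antivirus.conf
clamav {
  type = "clamav";
  servers = "/var/run/clamav/clamd.ctl";
  scan_mime_parts = true;
  scan_text_mime = true;     # also hand text/* parts to clamd, not only attachments
  log_clean = true;
  symbol = "CLAM_VIRUS";     # used when no pattern below matches the signature name

  # No "action = reject" here on purpose: the module only inserts symbols,
  # and force_actions.conf decides per symbol what to do.
  patterns {
    # Assumed prefixes of the unofficial signature families.
    # Spam/junk/URL-blocklist hits should score, not reject outright.
    CLAM_SANESECURITY_SPAM  = "^Sanesecurity[.](Spam|Junk|Jurlbl)";
    CLAM_SANESECURITY_PHISH = "^Sanesecurity[.](Phishing|Scam)";
    # SecuriteInfo also fires on bad HTML/JS, so keep it separate too.
    CLAM_SECURITEINFO       = "^SecuriteInfo[.]com[.]";
  }
}

# /etc/rspamd/local.d/antivirus_group.conf
# Scores for the extra symbols (values are assumptions; tune to your traffic).
symbols = {
  "CLAM_SANESECURITY_SPAM" {
    score = 6.0;
    description = "Sanesecurity spam/junk signature matched";
  }
  "CLAM_SANESECURITY_PHISH" {
    score = 8.0;
    description = "Sanesecurity phishing/scam signature matched";
  }
  "CLAM_SECURITEINFO" {
    score = 6.0;
    description = "SecuriteInfo unofficial signature matched";
  }
}

# /etc/rspamd/local.d/force_actions.conf
rules {
  # Only the official ClamAV database hits (default symbol) are rejected
  # unconditionally; everything from the unofficial families just adds score.
  REJECT_CLAM_VIRUS {
    action = "reject";
    expression = "CLAM_VIRUS";
    message = "Message rejected: malware detected";
  }
  # Phishing signatures are trusted enough to quarantine, but not to bounce.
  SOFT_REJECT_PHISH {
    action = "add header";
    expression = "CLAM_SANESECURITY_PHISH";
  }
}
```

After changing this, run rspamadm configtest and then rspamc scan a message carrying the EICAR test string through to confirm CLAM_VIRUS still ends in reject, and watch the log for a week to see which Sanesecurity/SecuriteInfo names actually show up before tightening the force_actions rules.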