Arthur Dent | 4 Aug 2011 17:21

Help with filter-flags

OK - You'll have to read on a bit to see the meaning of the subject.

I have used Procmail for several years, but only rarely write recipes. I
always have to get back up the learning curve when I do.

Clamassassin is a program which will invoke clamd scanning of email to
detect virus and (with the additional SaneSecurity signatures) other
malware. I use it in my current mail chain, calling it from Procmail.
The program is no longer in development and has a bug. I have tried to
contact the author without success, and then it occurred to me that I
could recreate the functionality either with a shell script, or directly
from within Procmail.

The functionality provided by Clamassassin, and which I wish to
recreate, is as follows:
1) It should call clamd.
2) It should add a header X-Clamd-Version (eg. "clamassassin 1.2.4 with
clamdscan / ClamAV 0.97.1/13398/Thu Aug  4 03:15:14 2011") to every mail
to show the version of clamd and sigs being used.
3) It should add a header X-Clamd-Status to every mail which will either
be "No" for clean mail, or "Yes" if malware is detected. This will be
used for subsequent filtering.
4) If malware is detected a third header would be added
"X-Clamd-Report:" which will detail the signature found (eg
"X-Clamd-Report: Sanesecurity.Phishing.Bank.15855.UNOFFICIAL FOUND")
5) If there is a problem with clamd (clamd is not running or there is a
SELinux permission problem etc) It will report the error concisely in
the headers.

Item 5 is the bug in the current version of Clamassassin. It will try to

LuKreme | 5 Aug 2011 00:34

Re: Help with filter-flags

Arthur Dent <misc.lists <at> blueyonder.co.uk> squaked out on Thu 04-Aug-2011 09:21
> Using Sean's testing sandbox, the recipe below *kind of* works, but
> produces "procmail: Extraneous filter-flag ignored" warnings. I can't
> work out how to get rid of them.

see below.

> Also, I have not yet managed to incorporate the error checking. Can I
> have a brace within a brace as in my pseudocode?

I would check if clamd is running first, then proceed only if it is.

CLAMRUN=`ps -Uroot -co command | grep "\bclamd\b"`

:0
* CLAMRUN ?? clamd
{

# Your existing recipes, with some fixes

}

> CLAMDSCAN=/usr/bin/clamdscan
> CLAMDVERS=`${CLAMDSCAN} -V --stdout`
> 
> :0
> VIRUS=|${CLAMDSCAN} --no-summary --stdout -
> 
> :0fw

Arthur Dent | 5 Aug 2011 10:21

Re: Help with filter-flags

On Thu, 2011-08-04 at 16:34 -0600, LuKreme wrote:
> Arthur Dent <misc.lists <at> blueyonder.co.uk> squaked out on Thu 04-Aug-2011 09:21
> > 
> 
> I would check if clamd is running first, then proceed only if it is.
> 
> CLAMRUN=`ps -Uroot -co command | grep "\bclamd\b"`
> 
> :0
> * CLAMRUN ?? clamd
> {
> 
> # Your existing recipes, with some fixes
> 
> }

Hi LuKreme,

This was my first idea too. Unfortunately there are other error cases I
want to catch as well as just the situation where clamd is simply not
running. For example, (this is a Fedora box) SELinux will prevent
Procmail accessing clamd even though clamd is running just fine. This
will produce an error along the lines of:
"ERROR: Can't connect to clamd: Permission denied". Another error I have
encountered is:
"ERROR: Can't connect to clamd: No such file or directory"

I want to trap these errors and report them in the headers for further
investigation.


Robert Bonomi | 5 Aug 2011 14:27

Re: Help with filter-flags


> Subject: Re: Help with filter-flags
> From: Arthur Dent <misc.lists <at> blueyonder.co.uk>
> To: procmail <at> lists.RWTH-Aachen.de
> Date: Fri, 05 Aug 2011 09:21:58 +0100
>
> On Thu, 2011-08-04 at 16:34 -0600, LuKreme wrote:
> > Arthur Dent <misc.lists <at> blueyonder.co.uk> squaked out on Thu 04-Aug-2011 09:21
> > > 
> > 
> > I would check if clamd is running first, then proceed only if it is.
> > 
> > CLAMRUN=`ps -Uroot -co command | grep "\bclamd\b"`
> > 
> > :0
> > * CLAMRUN ?? clamd
> > {
> > 
> > # Your existing recipes, with some fixes
> > 
> > }
>
> Hi LuKreme,
>
> This was my first idea too. Unfortunately there are other error cases I
> want to catch as well as just the situation where clamd is simply not
> running. For example, (this is a Fedora box) SELinux will prevent
> Procmail accessing clamd even though clamd is running just fine. This
> will produce an error along the lines of:

Arthur Dent | 5 Aug 2011 15:06

Re: Help with filter-flags

On Fri, 2011-08-05 at 07:27 -0500, Robert Bonomi wrote:

> You apparently don't have a clear understanding of how procmail works. :)

OK - I'll admit that! :-)

> 
> "Re-order", and simplify the logic as:
>     IF (clamd error)
>     {
>     	mark up headers to show clamd error
>     }
>     ELSE
>     {
>  	mark up headers
>     	IF (malware detected)
>     	  deliver message to MALWARE folder
>     }
>     ##  reach here if clamd failed *or* it worked _and_ there was no malware

OK that makes sense. I did try that earlier in my experiments, but
couldn't get it to work. I'll try again.

> > In this recipe (in production) there will be only one case where the
> > mail is actually delivered.
> >
> > I don't know how to exit a procmail recipe and allow it to return to the
> > calling recipe. I have seen the SWITCHRC command - but I don't think
> > that is what I want here.

Arthur Dent | 5 Aug 2011 17:01

Re: Help with filter-flags

OK, with the help of the good folks of this list I have produced this
version of my clamd.rc

My testing seems to indicate that it works. I have tried it with a good
message and with a malware infected one, with clamd running and with it
stopped, with a manufactured SELinux problem and without. It seems to
perform as expected in all those cases.

I post it in full here in the hope that the experts here can reassure me
that my poor knowledge of procmail has not left any gaping holes or
errors that will come back and bite me later...

Thanks again..

Mark

#################################################
#
# clamd.rc
#
# Clamd recipe Version 0.3
#
# Scan for viruses & malware
#

CLAMDSCAN=/usr/bin/clamdscan
CLAMDVERS=`${CLAMDSCAN} -V --stdout`

VIRUS=`${CLAMDSCAN} --no-summary --stdout -`
# If clamd is not running or there is another error:
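As an added example, not code from the thread, from clamassassin or from Arthur's clamd.rc: a POSIX shell filter that reproduces the five requirements listed in the first post, ordered the way Robert suggests (decide "clamd error" first, then clean versus malware). It relies on clamdscan's exit codes (0 clean, 1 malware found, 2 error); the "Error" status value and the stripping of the "stream: " prefix are my assumptions, since the thread only names the Yes/No values.

```shell
#!/bin/sh
# Added example (not from the thread): a procmail filter that reproduces
# the X-Clamd-* headers clamassassin used to add.

# clamd_headers RC OUTPUT VERSION
# Turns one clamdscan run into header lines. RC is clamdscan's exit status
# (0 = clean, 1 = malware found, anything else = error, e.g. clamd not
# running or "Can't connect to clamd: Permission denied" under SELinux).
clamd_headers() {
    rc=$1; out=$2; vers=$3
    # Fold the scanner output onto one line so no header spans lines, and
    # drop the "stream: " prefix clamdscan puts in front of stdin results
    # (assumed format; error lines keep their "ERROR:" prefix untouched).
    report=$(printf '%s' "$out" | tr '\n' ' ' | sed 's/^stream: //; s/ *$//')
    printf 'X-Clamd-Version: %s\n' "$vers"
    case "$rc" in
        0) printf 'X-Clamd-Status: No\n' ;;
        1) printf 'X-Clamd-Status: Yes\n'
           printf 'X-Clamd-Report: %s\n' "$report" ;;
        *) # "Error" is an assumed third status value for item 5 of the list.
           printf 'X-Clamd-Status: Error\n'
           printf 'X-Clamd-Report: %s\n' "$report" ;;
    esac
}

# scan_message: read a mail on stdin, scan it with clamd, write it back
# out with the headers prepended (a mail's header block starts at line 1).
scan_message() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    vers=$(clamdscan -V --stdout 2>&1 | head -n 1)
    if out=$(clamdscan --no-summary --stdout - < "$tmp" 2>&1); then
        rc=0
    else
        rc=$?
    fi
    clamd_headers "$rc" "$out" "$vers"
    cat "$tmp"
    rm -f "$tmp"
}

# Only act as the filter when explicitly asked, so sourcing the file is safe.
case "${1:-}" in
    --filter) scan_message ;;
esac
```

Called from procmail as a filter (`:0fw` followed by `| /path/to/clamd-filter.sh --filter`), the headers land at the top of the message and a later recipe can match on `^X-Clamd-Status: Yes` to file malware, or on `^X-Clamd-Status: Error` to flag a clamd or SELinux problem.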

LuKreme | 5 Aug 2011 17:49

Re: Help with filter-flags

Arthur Dent <misc.lists <at> blueyonder.co.uk> squaked out on Fri 05-Aug-2011 02:21
> 		return to calling recipe <--- NEEDS TO EXIT HERE!

SWITCHRC on a line by itself will return to the calling recipe.

> I don't know how to exit a procmail recipe and allow it to return to the
> calling recipe. I have seen the SWITCHRC command - but I don't think
> that is what I want here.

Yep, it is.

for example, in my list processing file I have the following:

:0
* LISTNAME ?? macosx
{
   LISTNAME=macosx
   SWITCHRC=$HOME/.boxcarrc
   SWITCHRC
}

Which means: 
	if the LISTNAME variable contains macosx then set the LISTNAME to macosx 
 	load the recipes in $HOME/.boxcarrc
	exit the current file

-- 
and I lift my glass to the Awful Truth / which you can't reveal to the
Ears of Youth / except to say it isn't worth a dime

Arthur Dent | 5 Aug 2011 10:28

Re: Help with filter-flags

Robert Bonomi sent me a very helpful and informative reply off-list and
included an amended version of my recipe which worked beautifully.

For some reason my reply to Robert has bounced, so I would like to thank
Robert publicly, and ask him if I might re-post his reply here on-list.

I have yet to get the error checking part of the recipe working.

Thanks!

Mark

____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail <at> lists.RWTH-Aachen.de
http://mailman.rwth-aachen.de/mailman/listinfo/procmail
