folks: here is a tool to split up mailboxes (like those used by thunderbird) and scan the mails individually. there is another similar tool using perl in the archives, but this only uses bash commands, formail, and clamscan.
here was the problem i had: running clamscan, the entire mailbox file was tagged as infected, with no indication of which message in the mailbox file it actually was. there was some info in a faq, but it was not much help. this tool was written to help split up the mail files and scan them individually. it should run on most any linux system with the 'formail' utility (part of the procmail suite): it splits the mailbox up, scans each message, and gives you the filename of the message(s) with the problem. the incoming mbox file is not modified by this tool. you can then go look at the text of the mail with the problems and take whatever action you need to. for example, based on the 'from' or the subject field, find and delete the offending message from the mailbox using your mailreader, re-compact the folders, and re-scan.

the tool has some limitations, so read the comments carefully. the tool needs a temporary directory for the split up emails. by default the code will not clean up from previous runs. that is up to you. be sure to do so, or the mail files will linger around and may cause confusion in subsequent runs. once you have some experience with the tool you can turn on the feature to clean the temp directory before each run. review the settings carefully and be sure you know what you are doing before you launch off and start mucking about... once you get some experience then you can change the -i option in the rm command to a -f to not have all those annoying confirmations.

warning - if you are not careful with how you set the $TMP_SCANDIR variable, the rm -rvf $TMP_SCANDIR line can damage your system. be sure you know what you are doing with this...

having said that - hope this is useful to folks. clip the file below and save as scan_mbox.sh, review the settings in the code, set the permissions to allow execute, and enjoy.

r.
--------------------------clip below here-----------------------
#!/bin/bash
####################################################################################
# Mailbox file split and scan tool.
# splits up mbox files (like kept by thunderbird) into individual messages
# and scans them one by one with clamscan, with a summary of problems found.
# Intended to be used to find out which message in a mbox collection of messages
# is the problem child. (i.e. is responsible for clamscan tagging the mbox file
# as infected)
#
# call with the name of the mailbox to split up and scan in parts.
# creates numbered files in the directory referred to in the TMP_SCANDIR variable.
#
# version 1.0, 8.22.2006, REG, original version
# version 1.1, 8.23.2006, REG, modified to work when mbox splits into 1000's
#              of files (tested on a case where the mbox split to 20000 files...)
# version 1.2, 8.26.2006, REG, more testing, more comments, and notes on
#              limitations. added -d option to formail. added checks for formail and
#              clamscan prior to use
#
# notes:
#   requires the formail program, part of the procmail system...
#   will probably break if over 999999 files are split out of the mailbox
# limitations:
#   seems to have problems splitting some mailbox files up...
#   can't handle a path with a blank space in it...
#   workaround is to simply copy the file somewhere else first then run the tool
#   on the file in the new location.
#
# Copyright (C) 2006, r. gritzo, gritzo at
# jerichodata then a dot then com
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details at
# http://www.gnu.org/copyleft/gpl.html
#
####################################################################################

# set these settings up to suit...
# !!! Note - if CLEAN_TMP_DIR is set this directory is wiped clean during the run !!!
# !!! DO NOT set this to any directory that has something useful in it or to a toplevel
#     directory, or it will be purged. you have been warned....
TMP_SCANDIR=~/tmp_scandir
TMP_EXT=mtxt
CLEAN_TMP_DIR=0     # 0 means don't clean the tmp_scan dir first, 1 means do

# probably don't need to change this
CLAMSCAN=/usr/bin/clamscan
FORMAIL=/usr/bin/formail

# nothing below here normally needs to be changed....

# check to see if everything we need is here...
if [ ! -x $FORMAIL ]; then
    echo "Error - formail executable $FORMAIL not found."
    exit 1
fi
if [ ! -x $CLAMSCAN ]; then
    echo "Error - clamscan executable $CLAMSCAN not found."
    exit 1
fi

if [ $# -ne 1 ]; then
    echo -e "Usage: ./scan_mbox.sh <mailbox_file>"
    echo -e "\tNote: the <mailbox_file> needs to be the full path to the mailbox file,"
    echo -e "\t      for example /home/user/.thunderbird/default/Mail/mailserver/Trash"
    if [ $CLEAN_TMP_DIR -eq 1 ]; then
        echo -e "\t\t!!! will clean out the $TMP_SCANDIR directory prior to each run !!!"
    else
        echo -e -n "\t\t!!! will NOT clean out the $TMP_SCANDIR directory before running,"
        echo -e " will overwrite existing files !!!"
    fi
    exit 2
fi

DATE=`date`
echo "starting scan_mbox.sh version 1.2 at $DATE"

# cleanup the tmp-scandir if needed
if [ $CLEAN_TMP_DIR -eq 1 ]; then
    echo "Cleaning up any files from the previous runs..."
    # change the -i to a -f below to bypass the need for confirmations...
    rm -i -rv $TMP_SCANDIR
fi

# create or re-create the tmpdir
echo "Creating (if needed) the TMP_SCANDIR location $TMP_SCANDIR..."
mkdir -pv $TMP_SCANDIR

# set the FILENO variable and export so formail will update it...
# (formail -s increments FILENO in the environment once per message it hands
# to the command, so each message lands in its own numbered file)
FILENO=000000
export FILENO
export TMP_SCANDIR
export TMP_EXT
echo "Extracting individual mail files from $1..."
$FORMAIL -d -s sh -c 'cat - >$TMP_SCANDIR/$FILENO.$TMP_EXT' <$1

# this is a klugey but workable way to do this if there are lots of files (like 10000 or more)
echo "Counting up the new files in $TMP_SCANDIR..."
NEWF=000000; I=0;
while [ -e $TMP_SCANDIR/$NEWF.$TMP_EXT ]
do
    I=$((I+1));
    NEWF=`printf "%06d" $I`
done
LASTFILE=`printf "%06d" $((I-1))`
echo "Split $1 into files 000000.$TMP_EXT thru $LASTFILE.$TMP_EXT..."

echo "Starting the clamscan phase...."
echo "Note any following clamscan messages:"
# -r recurses into the directory, -i prints only the infected files
$CLAMSCAN -ri $TMP_SCANDIR

echo -e "\nExamine any files listed above for content, sender, etc. and delete from your mailfolder."
echo -e "You should compact the folder after deleting the suspect message."
echo -e "\tNote: Be sure to delete the files in $TMP_SCANDIR when you are finished working with them..."
echo "Done."
exit 0
--------------------------clip above here-----------------------

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
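The same split-then-scan procedure as an added example, not the script from the post: it splits on the mbox "From " separator lines with awk instead of formail, quotes every path so a mail directory with a space in its name works (the limitation the post notes), and writes an index of file -> From/Subject so a file that clamscan flags can be traced back to the message in the mail reader. Assumes POSIX sh and awk; clamscan is optional and skipped when not installed, and the sample mailbox is constructed inline.

```shell
#!/bin/sh
# Added example (not the list post's script). Assumes POSIX sh and awk.

# split_mbox MBOX OUTDIR -> prints the number of messages written.
# In mbox format every message starts with an envelope line "From <addr> <date>"
# (no colon); mail readers quote body lines that start that way as ">From ".
split_mbox() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^From / { if (out) close(out); n++; out = sprintf("%s/%06d.mtxt", dir, n) }
        out      { print > out }
        END      { if (out) close(out); print n + 0 }
    ' "$1"
}

# header FILE NAME -> value of the first NAME: header (headers end at a blank line)
header() {
    awk -v h="$2:" '/^$/ { exit }
        index($0, h) == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }' "$1"
}

# index_mbox_dir OUTDIR -> one line per split file: name<TAB>From<TAB>Subject,
# the two fields the post suggests using to find the message in the reader
index_mbox_dir() {
    for f in "$1"/*.mtxt; do
        [ -e "$f" ] || continue
        printf '%s\t%s\t%s\n' "${f##*/}" "$(header "$f" From)" "$(header "$f" Subject)"
    done
}

# scan_mbox_dir OUTDIR -> clamscan over the split files, infected files only
scan_mbox_dir() {
    if command -v clamscan >/dev/null 2>&1; then
        clamscan -ri "$1"
    else
        echo "clamscan not installed; skipping scan of $1"
    fi
}

# make_sample_mbox FILE -> writes a constructed three-message mbox (sample data)
make_sample_mbox() {
    printf 'From a@example.invalid Tue Aug 22 10:00:00 2006\nFrom: a@example.invalid\nSubject: first\n\nbody one\n\n' > "$1"
    printf 'From b@example.invalid Tue Aug 22 11:00:00 2006\nFrom: b@example.invalid\nSubject: second\n\nbody two\n\n' >> "$1"
    printf 'From c@example.invalid Tue Aug 22 12:00:00 2006\nFrom: c@example.invalid\nSubject: third\n\nbody three\n' >> "$1"
}
```

Typical use is `make_sample_mbox "$dir/Inbox"; split_mbox "$dir/Inbox" "$dir/split"; scan_mbox_dir "$dir/split"; index_mbox_dir "$dir/split"`, then look up the flagged filename in the index.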