Re: [Clamav-users] How to disinfect an mbox file?
Quoting Bill Randle [EMAIL PROTECTED]:

> On Thu, 2004-06-17 at 19:16, Michael D. Crawford wrote:
> > I think the virus that's assaulting me is what this page calls the PE_ZAFI.B virus:
> > http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_ZAFI.B&VSect=T
> > The clamav database lists a virus called Worm.Zafi.B.
> >
> > I'm still working on downloading my mailbox. I copied it to my home directory at my hosting service, then truncated my mail spool file so I wouldn't fill up the filesystem. My spool file had grown to 1.2 gigabytes in three days.
> >
> > After I truncated my spool file, I was able to open it in elm for a little while before elm was unable to keep up and quit. In the space of five minutes or so I received 417 messages. Elm crapped out when the spool file had about 2000 messages in it.
>
> As an interesting aside, the Zafi worm also ignores DNS MX records and goes straight for the final destination if it can. We have a postfix/amavisd/clamav/spamassassin filter box that fronts the main server which contains user mailboxes. The main server kept getting all these Zafi infected mails coming in, and it took me a bit to realize they were bypassing the filter box entirely. I ended up putting an access rule in the main gateway router to block incoming smtp to everything except the filter box and that's stopped it.

It's also interesting to note that even before clamav detected zafi it was being blocked by qmail-scanner:

Jun 15 12:25:19 external qmail-scanner[29017]: Policy:Bad_MIME_Break:RC:0(24.188.90.209):SA:1(10.5/5.0): 2.184665 18140 [EMAIL PROTECTED] [EMAIL PROTECTED] Larsen_Family [EMAIL PROTECTED] mycalendar.com

It seems virus writers can't get the MIME parts correct... what a surprise. Turns out it's also spam with a score of 10.5. It's amazing how widespread it is, keeping all this in mind.

Jim

-------------------------------------------------------
This SF.Net email is sponsored by The 2004 JavaOne(SM) Conference
Learn from the experts at JavaOne(SM), Sun's Worldwide Java Developer
Conference, June 28 - July 1 at the Moscone Center in San Francisco, CA
REGISTER AND SAVE! http://java.sun.com/javaone/sf Priority Code NWMGYKND
_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] How to disinfect an mbox file?
On Friday 18 June 2004 06:29 am, Jim Maul wrote:
> It's also interesting to note that even before clamav detected zafi it was being blocked by qmail-scanner:
>
> Jun 15 12:25:19 external qmail-scanner[29017]: Policy:Bad_MIME_Break:RC:0(24.188.90.209):SA:1(10.5/5.0): 2.184665 18140 [EMAIL PROTECTED] [EMAIL PROTECTED] Larsen_Family [EMAIL PROTECTED] mycalendar.com
>
> It seems virus writers can't get the MIME parts correct... what a surprise.

I've gotten hundreds of virii to [EMAIL PROTECTED] (aka, different message IDs of mine from mailing list posts) from Worm.Bagle.* (with .gen-vbs probably being the top one). Amazing that virus actually got anywhere as well, since, even if my virus scanner didn't catch it, it never would have been delivered to me :)

-Jeremy

-- 
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 847.492.0470 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
Re: [Clamav-users] How to disinfect an mbox file?
I've been using formail, procmail and clamav to disinfect a 200 MB mailbox, and since last night it's only processed 80 MB of mail so far. It's a 350 MHz box that I'm running it on, and clamav must be pretty CPU intensive.

Somebody tipped me off to the following procmail config, which filters on the Subject lines that the zafi virus uses, and is pretty fast. In just a few minutes I've saved 26 MB of non-zafi-infected email, although much of what remains has other viruses and a bunch of German language spam that I understand was meant to influence the recent elections in Germany. Using clamav to filter the viruses that remain in my mailbox won't be so bad.

Here's the command line I used. 18jun2004.mbx is a copy of my mail spool file that I made. After copying it I truncated my mail spool. I emailed the following info to my hosting service sysadmin so hopefully it can get set up to filter the mail before I see it:

formail -s procmail -m ./zafi-kill.rc < ../18jun2004.mbx

Here's zafi-kill.rc:

:0
* ^Subject:.*Check this out kid
{
  :0
  /dev/null
}

:0
* ^Subject:.*You`ve got 1 VoiceMessage
{
  :0
  /dev/null
}

:0
* ^Subject:.*Don`t worry, be happy
{
  :0
  /dev/null
}

:0
* ^Subject:.*Jennifer
{
  :0
  /dev/null
}

:0
* ^Subject:.*David
{
  :0
  /dev/null
}

:0
GoodMail

I tested this at first with /dev/null replaced with VirusMail, and found that it successfully got all the zafi-infected messages into the VirusMail file.

The command just finished running. I ran it at my hosting service. I don't know how fast the machine is, but it took ten or fifteen minutes to process a 429 megabyte file, with the GoodMail file now being 27 MB.

Thanks for all your help!

Mike Crawford
[EMAIL PROTECTED]
Tilting at Windmills for a Better Tomorrow.
Re: [Clamav-users] How to disinfect an mbox file?
On Fri, 18 Jun 2004 at 15:08:32 -0700, Michael D. Crawford wrote:
> I've been using formail, procmail and clamav to disinfect a 200 MB mailbox, and since last night it's only processed 80 MB of mail so far. It's a 350 MHz

That's very slow progress! I suspect you use clamscan. So clamscan is called to scan every single message (a maildir file), the database is loaded into memory and so on. It's not an optimum way of using ClamAV.

To scan all these messages quicker you can use 2 approaches:

1) transform all the mailbox into maildir and _after that_ run clamscan one time against all the maildir (not one time for every message), or

2) scan messages on the fly (while converting) - scan them with clamdscan (not clamscan). In this method a user running clamd must have access to the scanned maildir of course (the user calling clamdscan doesn't matter). Be sure to have ScanMail enabled in clamav.conf.

> box that I'm running it on, and clamav must be pretty CPU intensive.
[...]

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/iso/ | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner
Re: [Clamav-users] How to disinfect an mbox file?
Somebody yesterday said to use formail to convert maildirs back to mbox format. I've looked at the formail man page and I can't figure out how to do it. Can you tell me?

I've successfully used a tool called yammc.pl to convert my mailboxes to maildir. There are several programs that claim to do it, but most of them had some trouble, either they complained my mailbox was corrupt, or they aborted with some error message part way through.

Mike
[EMAIL PROTECTED]
Tilting at Windmills for a Better Tomorrow.
Re: [Clamav-users] How to disinfect an mbox file?
On Thu, 17 Jun 2004, Michael D. Crawford wrote:
> Somebody yesterday said to use formail to convert maildirs back to mbox format. I've looked at the formail man page and I can't figure out how to do it.

May I humbly re-suggest my method posted April 8?

cat mbox | formail -s procmail -m ./Clam.rc

Where Clam.rc is:

# Start of RC file
#
VIRUS=`/usr/local/bin/clamdscan --mbox --disable-summary --stdout -`

:0 Di
* VIRUS ?? FOUND
VirusMail

:0
GoodMail
# End of file

Replace paths as needed, replace clamdscan with clamscan if appropriate, etc. Far simpler I do believe.

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
Re: [Clamav-users] How to disinfect an mbox file?
I think the virus that's assaulting me is what this page calls the PE_ZAFI.B virus:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_ZAFI.B&VSect=T

The clamav database lists a virus called Worm.Zafi.B.

I'm still working on downloading my mailbox. I copied it to my home directory at my hosting service, then truncated my mail spool file so I wouldn't fill up the filesystem. My spool file had grown to 1.2 gigabytes in three days.

After I truncated my spool file, I was able to open it in elm for a little while before elm was unable to keep up and quit. In the space of five minutes or so I received 417 messages. Elm crapped out when the spool file had about 2000 messages in it.

Mike Crawford
[EMAIL PROTECTED]
Tilting at Windmills for a Better Tomorrow.
Re: [Clamav-users] How to disinfect an mbox file?
On Thu, 2004-06-17 at 19:16, Michael D. Crawford wrote:
> I think the virus that's assaulting me is what this page calls the PE_ZAFI.B virus:
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_ZAFI.B&VSect=T
> The clamav database lists a virus called Worm.Zafi.B.
>
> I'm still working on downloading my mailbox. I copied it to my home directory at my hosting service, then truncated my mail spool file so I wouldn't fill up the filesystem. My spool file had grown to 1.2 gigabytes in three days.
>
> After I truncated my spool file, I was able to open it in elm for a little while before elm was unable to keep up and quit. In the space of five minutes or so I received 417 messages. Elm crapped out when the spool file had about 2000 messages in it.

As an interesting aside, the Zafi worm also ignores DNS MX records and goes straight for the final destination if it can. We have a postfix/amavisd/clamav/spamassassin filter box that fronts the main server which contains user mailboxes. The main server kept getting all these Zafi infected mails coming in, and it took me a bit to realize they were bypassing the filter box entirely. I ended up putting an access rule in the main gateway router to block incoming smtp to everything except the filter box and that's stopped it.

-Bill
Re: [Clamav-users] How to disinfect an mbox file?
Quoting Michael D. Crawford [EMAIL PROTECTED]:
> In the last two days I have received five hundred megabytes of spam. I'm pretty sure it's mostly viruses.
>
> I'd like to find a way to delete individual virus-infected messages from my mailbox, but the clamscan --mbox command stops scanning upon finding the first virus, and if I use the --remove option it deletes the entire mailbox rather than an individual message. Fortunately, I tested with a copy of my mailbox.
>
> I read in the FAQ that you don't have an option to disinfect files, only to report on or delete them. I would think it wouldn't be too hard to disinfect a mailbox file though.
>
> What I think would work would be to unpack my mailbox file into a directory of individual messages, one in each file, and use clamscan --mbox --remove on that directory, and then collect all the messages back into an individual mailbox file.

This is a good reason to use maildirs.

Jim
Re: [Clamav-users] How to disinfect an mbox file?
On Wed, 16 Jun 2004 at 7:40:38 -0700, Michael D. Crawford wrote:
[...]
> What I think would work would be to unpack my mailbox file into a directory of individual messages, one in each file, and use clamscan --mbox --remove on that directory, and then collect all the messages back into an individual mailbox file.
>
> Would that be advisable, and if so, do you know some Linux software that could do it?

There are scripts for changing the format of mailbox from mailbox to maildir. E.g. check the page "Converting Mbox mailboxes to Maildir format" at http://batleth.sapienti-sat.org/projects/mb2md/ , search for mbox2maildir and maildir2mbox scripts at google etc.

You can also convert mailbox (in both directions) with mutt itself! You can create (even manually) some maildir-type folder, e.g.:

$ ls -l Maildir-test
drwx--  Jun 16 17:02 cur/
drwx--  Jun 16 17:02 new/
drwx--  Jun 16 17:02 tmp/

Then read the wanted mailbox with mutt, select messages which you want and save them into the Maildir-test folder. Mutt will recognise that the folder is maildir-type and convert the messages while saving. After cleaning the folder you can save it back to some mailbox-type folder, thus converting them to mailbox-type.

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/iso/ | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner
Re: [Clamav-users] How to disinfect an mbox file?
On Wed, 16 Jun 2004, Michael D. Crawford wrote:
> I'd like to find a way to delete individual virus-infected messages from my mailbox, but the

formail / procmail. I sent a detailed method for doing this to the list in the beginning of April, check the archives.

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
Re: [Clamav-users] How to disinfect an mbox file?
On Wed, Jun 16, 2004 at 07:40:38AM -0700, Michael D. Crawford wrote:
> What I think would work would be to unpack my mailbox file into a directory of individual messages, one in each file, and use clamscan --mbox --remove on that directory, and then collect all the messages back into an individual mailbox file.
>
> Would that be advisable, and if so, do you know some Linux software that could do it?

mbox2mdir to unpack them into maildir format.

formail to repack to mbox format.

-- 
Noel Jones
Re: [Clamav-users] How to disinfect an mbox file?
Jim Maul wrote:
> Quoting Michael D. Crawford [EMAIL PROTECTED]:
> > In the last two days I have received five hundred megabytes of spam. I'm pretty sure it's mostly viruses.
> >
> > I'd like to find a way to delete individual virus-infected messages from my mailbox, but the clamscan --mbox command stops scanning upon finding the first virus, and if I use the --remove option it deletes the entire mailbox rather than an individual message. Fortunately, I tested with a copy of my mailbox.
> >
> > I read in the FAQ that you don't have an option to disinfect files, only to report on or delete them. I would think it wouldn't be too hard to disinfect a mailbox file though.
> >
> > What I think would work would be to unpack my mailbox file into a directory of individual messages, one in each file, and use clamscan --mbox --remove on that directory, and then collect all the messages back into an individual mailbox file.
>
> This is a good reason to use maildirs.
>
> Jim

Oh, come on! This is just a shortcoming of ClamAV. Why have a --mbox option if you can't identify the infected email?! RAV did this better.

Bert
Re: [Clamav-users] How to disinfect an mbox file?
On Wednesday 16 June 2004 11:09 am, Bert Koelewijn wrote:
> Oh, come on! This is just a shortcoming of ClamAV. Why have a --mbox option if you can't identify the infected email?! RAV did this better.

The idea wasn't to do an entire file, it was to do individual files as they came in via a mail server..

-- 
This message stops at all railroad crossings.
Re: [Clamav-users] How to disinfect an mbox file?
> > This is a good reason to use maildirs.
> >
> > Jim
>
> Oh, come on! This is just a shortcoming of ClamAV. Why have a --mbox option if you can't identify the infected email?! RAV did this better.
>
> Bert

So? Last time I checked RAV wasn't exactly free. If it's not done in CVS yet then I suppose it might get done at some point. This is open source so I bet you're free to submit code which does exactly what you describe. At the very least you could alter the code to fix it for your own use. Compared to commercial products Clamav looks pretty good to me.

FWIW, I would go for a solution with procmail :-)

B.
Re: [Clamav-users] How to disinfect an mbox file?
Quoting B. van Ouwerkerk [EMAIL PROTECTED]:
> > > This is a good reason to use maildirs.
> > >
> > > Jim
> >
> > Oh, come on! This is just a shortcoming of ClamAV. Why have a --mbox option if you can't identify the infected email?! RAV did this better.
> >
> > Bert
>
> So? Last time I checked RAV wasn't exactly free. If it's not done in CVS yet then I suppose it might get done at some point. This is open source so I bet you're free to submit code which does exactly what you describe. At the very least you could alter the code to fix it for your own use. Compared to commercial products Clamav looks pretty good to me.
>
> FWIW, I would go for a solution with procmail :-)

Just curious, if clamav was running on the server, how did the infected message get into the mbox in the first place?

Jim
Re: [Clamav-users] How to disinfect an mbox file?
> I read in the FAQ that you don't have an option to disinfect files, only to report on or delete them. I would think it wouldn't be too hard to disinfect a mailbox file though.

This might help clean out your mailbox.

cc -o clamfilter clamfilter.c
mv /var/mail/mybox mybox
./clamfilter mybox goodmail badmail
cat goodmail >> /var/mail/mybox

(not 100% safe on mailbox locking, you might prefer to load the output into mail and then save it from there to take advantage of /usr/bin/mail's locking)

G

-- 
/* clamfilter.c: split an mbox into single messages, run clamscan on each
 * one and append it to goodfile or badfile depending on the verdict. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef TRUE
#define TRUE (0==0)
#define FALSE (!TRUE)
#endif

/* Run a clamscan command line and read its first line of output, which is
 * either "<file>: OK" or "<file>: <Signature> FOUND".  Everything up to the
 * "file: " prefix is skipped, so result holds "OK" or "<Signature> FOUND". */
int is_infected(char *command)
{
    FILE *clam = popen(command, "r");
    int c, lastc = -1;
    int suppress_output = TRUE;
    char result[129];
    char *answer = result;
    size_t len;

    if (clam == NULL) return FALSE;
    fprintf(stderr, "Command: %s\n", command);
    for (;;) {
        /* return info is on first line */
        c = fgetc(clam);
        if (c == EOF || c == '\n') break;
        if (!suppress_output && answer < result + sizeof(result) - 1)
            *answer++ = (char)c;
        if (c == ' ' && lastc == ':') suppress_output = FALSE;
        lastc = c;
    }
    *answer = '\0';
    while (c != EOF) c = fgetc(clam);   /* drain the rest of the output */
    pclose(clam);

    if (strcmp(result, "OK") == 0) return FALSE;        /* clean */
    len = strlen(result);
    if (len >= 6 && strcmp(result + len - 6, " FOUND") == 0) {
        /* infected; result holds the signature name */
        /* fprintf(stdout, "X-ClamAV: %s\n", result); */
        return TRUE;
    }
    return FALSE;
}

/* 7-byte sliding window over the input, NUL-terminated; a message boundary
 * is the sequence "\n\nFrom " */
static char buff[8];
static int nvalid = 7;          /* bytes of buff not yet written out */
static char *From = "\n\nFrom ";

/* Open a fresh temp file for the next message.  mkstemp replaces the
 * original tmpnam(), which is unsafe; the name is returned in *savedname. */
static FILE *open_message_file(char **savedname)
{
    int fd;

    *savedname = strdup("/tmp/clamfilter.XXXXXX");
    if (*savedname == NULL || (fd = mkstemp(*savedname)) < 0) {
        perror("mkstemp");
        exit(1);
    }
    return fdopen(fd, "w");
}

/* Close the current message file, scan it, append it to badfile if a
 * signature matched and to goodfile otherwise, then delete it. */
static void dispatch(FILE *mailfile, char *savedname, char *goodfile, char *badfile)
{
    char tmpbuff[512];
    char filename[1024];

    fclose(mailfile);
    snprintf(tmpbuff, sizeof tmpbuff,
             "/usr/local/bin/clamscan --mbox --stdout %s", savedname);
    snprintf(filename, sizeof filename, "/bin/cat %s >> %s", savedname,
             is_infected(tmpbuff) ? badfile : goodfile);
    fprintf(stderr, "Executing: %s\n", filename);
    system(filename);
    remove(savedname);
    free(savedname);
}

/* Write the oldest byte of the window to mailfile, shift the window and
 * pull in the next input byte.  Returns 0 at end of input. */
static int step(FILE *infile, FILE *mailfile)
{
    int i, c;

    fputc(buff[0], mailfile);
    for (i = 0; i < 6; i++) buff[i] = buff[i + 1];
    c = fgetc(infile);
    if (c == EOF) {
        nvalid--;
        return 0;
    }
    buff[6] = (char)(c & 255);
    return 1;
}

int main(int argc, char **argv)
{
    int c, i;
    FILE *infile, *mailfile;
    char *savedname;

    if (argc != 4) {
        fprintf(stderr, "syntax: %s mailfile goodfile badfile\n", argv[0]);
        exit(1);
    }
    infile = fopen(argv[1], "r");
    if (infile == NULL) {
        fprintf(stderr, "%s: cannot open %s\n", argv[0], argv[1]);
        exit(1);
    }
    /* prime the window with the first 7 bytes */
    buff[7] = '\0';
    for (i = 0; i < 7; i++) {
        c = fgetc(infile);
        if (c == EOF) {
            fprintf(stderr, "%s: input file %s is empty or too short\n", argv[0], argv[1]);
            exit(1);
        }
        buff[i] = (char)c;
    }

    mailfile = open_message_file(&savedname);
    for (;;) {
        if (strcmp(buff, From) == 0) {
            /* Boundary: the two newlines still belong to the previous
             * message; after two steps buff starts with "From " */
            if (!step(infile, mailfile) || !step(infile, mailfile))
                break;  /* shouldn't happen unless mailbox is corrupt */
            dispatch(mailfile, savedname, argv[2], argv[3]);
            mailfile = open_message_file(&savedname);
        } else if (!step(infile, mailfile)) {
            break;
        }
    }
    /* Flush: the window still holds the tail of the last message */
    for (i = 0; i < nvalid; i++) fputc(buff[i], mailfile);
    dispatch(mailfile, savedname, argv[2], argv[3]);
    fclose(infile);
    return 0;
}
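The same split / check / recombine that the clamfilter.c program above and the zafi-kill.rc and Clam.rc procmail recipes do, as an added example in Python (not code from the thread or from any of its posters): each message of an mbox is routed to a GoodMail or VirusMail mbox by a pluggable check. The Subject pre-filter reuses the zafi-kill.rc patterns; the clamdscan check assumes clamdscan on PATH with clamd running and relies only on its exit status, so the database is loaded once rather than per message, as Tomasz suggested. The sample mailbox is constructed.

```python
# Added example (not from the thread): split an mbox into messages, classify each
# one, and write clean messages to GoodMail and flagged ones to VirusMail, as the
# clamfilter.c post and the procmail recipes do.  The check is a plug-in callable.
import mailbox
import os
import re
import subprocess
import tempfile
from typing import Callable

# Subject patterns copied from the zafi-kill.rc recipe posted in the thread.
ZAFI_SUBJECT_PATTERNS = [re.compile(p) for p in (
    r"Check this out kid", r"You`ve got 1 VoiceMessage",
    r"Don`t worry, be happy", r"Jennifer", r"David")]


def subject_is_zafi(msg: mailbox.mboxMessage) -> bool:
    """Cheap pre-filter: the same Subject matches as the procmail recipe."""
    return any(p.search(msg.get("Subject", "")) for p in ZAFI_SUBJECT_PATTERNS)


def clamdscan_is_infected(msg: mailbox.mboxMessage) -> bool:
    """Hand one message to a running clamd through clamdscan's stdin mode, so the
    signature database is loaded once, not once per message.  Assumed: clamdscan
    on PATH and clamd running; exit status 1 = signature found, 0 = clean, 2 = error."""
    proc = subprocess.run(["clamdscan", "--stdout", "-"], input=msg.as_bytes(),
                          capture_output=True, check=False)
    if proc.returncode == 2:
        raise RuntimeError(proc.stdout.decode(errors="replace"))
    return proc.returncode == 1


def filter_mbox(src: str, good: str, bad: str,
                is_infected: Callable[[mailbox.mboxMessage], bool]) -> dict:
    """Route every message of mbox `src` into `good` or `bad` (mbox files, created
    if missing); From_ separator lines are preserved.  Returns the counts."""
    inbox = mailbox.mbox(src, create=False)
    goodbox, badbox = mailbox.mbox(good), mailbox.mbox(bad)
    counts = {"clean": 0, "flagged": 0}
    try:
        for msg in inbox:
            if is_infected(msg):
                badbox.add(msg)
                counts["flagged"] += 1
            else:
                goodbox.add(msg)
                counts["clean"] += 1
    finally:
        for box in (goodbox, badbox, inbox):
            box.close()  # close() flushes the output mboxes to disk
    return counts


def subjects(path: str) -> list:
    """Subject lines of an mbox in file order (used to check the result)."""
    box = mailbox.mbox(path, create=False)
    try:
        return [m.get("Subject", "") for m in box]
    finally:
        box.close()


# Constructed sample mailbox: one clean message and two with Zafi-style Subjects.
# The third body shows the >From stuffing mbox uses for body lines starting "From ".
SAMPLE_MBOX = b"""From alice@example.invalid Wed Jun 16 07:40:38 2004
From: alice@example.invalid
Subject: Re: mailing list archives

Plain message, nothing to see.

From bogus@example.invalid Wed Jun 16 08:00:00 2004
From: bogus@example.invalid
Subject: You`ve got 1 VoiceMessage

(worm attachment omitted)

From carol@example.invalid Wed Jun 16 08:05:00 2004
From: carol@example.invalid
Subject: Jennifer sent you photos

>From the mailbox: this line is not a message boundary.
"""


def demo() -> dict:
    """Run the filter on the constructed sample with the Subject pre-filter."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "18jun2004.mbx")
        with open(src, "wb") as fh:
            fh.write(SAMPLE_MBOX)
        good, bad = os.path.join(tmp, "GoodMail"), os.path.join(tmp, "VirusMail")
        result = filter_mbox(src, good, bad, subject_is_zafi)
        result["good"] = subjects(good)
        result["bad"] = subjects(bad)
        return result
```

Swapping `subject_is_zafi` for `clamdscan_is_infected` (or a lambda that ORs the two) gives the scanner-backed version without touching the splitting code.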
Re: [Clamav-users] How to disinfect an mbox file?
> > FWIW, I would go for a solution with procmail :-)
>
> Just curious, if clamav was running on the server, how did the infected message get into the mbox in the first place?
>
> Jim

Clamav is not the same as clamav-milter :) so if someone prefers not to use milter or whatever to get viri before they hit the user's mailbox they get the mail into the mailbox. I'm running clamav-milter and find it's cool..

B.
Re: [Clamav-users] How to disinfect an mbox file?
B. van Ouwerkerk wrote:
> > > This is a good reason to use maildirs.
> > >
> > > Jim
> >
> > Oh, come on! This is just a shortcoming of ClamAV. Why have a --mbox option if you can't identify the infected email?! RAV did this better.
> >
> > Bert
>
> So? Last time I checked RAV wasn't exactly free. If it's not done in CVS yet then I suppose it might get done at some point. This is open source so I bet you're free to submit code which does exactly what you describe. At the very least you could alter the code to fix it for your own use. Compared to commercial products Clamav looks pretty good to me.
>
> FWIW, I would go for a solution with procmail :-)
>
> B.

You can't check anymore, because RAV is now Microsoft... That's how I found ClamAV and I agree, it's pretty, compared to the commercial products.

Greetings,
Bert
Re: [Clamav-users] How to disinfect an mbox file?
Quoting B. van Ouwerkerk [EMAIL PROTECTED]:
> > > FWIW, I would go for a solution with procmail :-)
> >
> > Just curious, if clamav was running on the server, how did the infected message get into the mbox in the first place?
> >
> > Jim
>
> Clamav is not the same as clamav-milter :) so if someone prefers not to use milter or whatever to get viri before they hit the user's mailbox they get the mail into the mailbox. I'm running clamav-milter and find it's cool..

Ah... I'm running qmail so there is no milter. All this milter talk is so foreign to me. I like my qmail w/qmail-scanner.

Jim
Re: [Clamav-users] How to disinfect an mbox file?
Bert Koelewijn wrote:
> B. van Ouwerkerk wrote:
> > > > This is a good reason to use maildirs.
> > > >
> > > > Jim
> > >
> > > Oh, come on! This is just a shortcoming of ClamAV. Why have a --mbox option if you can't identify the infected email?! RAV did this better.
> > >
> > > Bert
> >
> > So? Last time I checked RAV wasn't exactly free. If it's not done in CVS yet then I suppose it might get done at some point. This is open source so I bet you're free to submit code which does exactly what you describe. At the very least you could alter the code to fix it for your own use. Compared to commercial products Clamav looks pretty good to me.
> >
> > FWIW, I would go for a solution with procmail :-)
> >
> > B.
>
> You can't check anymore, because RAV is now Microsoft... That's how I found ClamAV and I agree, it's pretty, compared to the commercial products.
>
> Greetings,
> Bert

Not only can you not buy it anymore, it's really no better than ClamAV at detecting viruses. We have used RAV for several years and it is still running (until it expires next month) as a cross check after Clam. So far in a couple of months of monitoring, there was only one virus that RAV detected that Clam didn't. That was an old W97 macro virus when we had an older version of Clam. Current versions of ClamAV would probably catch it.

-Bill
Re: [Clamav-users] How to disinfect an mbox file?
> Just curious, if clamav was running on the server, how did the infected message get into the mbox in the first place?

I've experienced this problem before when a new worm hits before Clam can detect it. Usually no more than a few infected messages get through before Clam catches up.

I'd be happy if the output more clearly identified the message in which the infection was discovered, even if it stopped after seeing the first one.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] How to disinfect an mbox file?
> The viruses seem to be addressed to all the permutations of the alphabet in the username, with the domain always being goingware.com. Perhaps this was meant to deliver the virus all to different people, instead my personal email is being DOSed by this virus.

Ask your hosting provider (or do it yourself if possible) to use only the aliases you use. You might even be able to create something in procmail (if it's supported).

B.
Re: [Clamav-users] How to disinfect an mbox file?
> > Clamav is not the same as clamav-milter :) so if someone prefers not to use milter or whatever to get viri before they hit the user's mailbox they get the mail into the mailbox. I'm running clamav-milter and find it's cool..
>
> Ah... I'm running qmail so there is no milter. All this milter talk is so foreign to me. I like my qmail w/qmail-scanner.
>
> Jim

Then qmail-scanner fits whatever nicely :)

B.