So if I am going to trigger on one address (i.e. [EMAIL PROTECTED]) my syntax 
will be:

sigtool --hex-dump [EMAIL PROTECTED] > mycustomsignature.db


Correct?




-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of jef moskot
Sent: Tuesday, February 19, 2008 12:41 PM
To: ClamAV users ML
Subject: Re: [Clamav-users] quarantine on specific from address

On Tue, 19 Feb 2008, Gomes, Rich wrote:
> I have a specific need to quarantine emails coming from a particular 
> email address.

A quick hack would be to make a signature that includes the address, and some 
other identifying information from a mail header.

Everything you need to know is here, although not documented as nicely as it 
could be:  http://www.clamav.org/doc/latest/signatures.pdf

Basically, you use "sigtool --hex-dump" to create a hex signature of some text 
(in this case, the email address in question), and put that into a regular text 
file ending with the extension .db in your signature directory.  (Make sure you 
chop off the 0a byte at the end.)

The file format is very simple.  Example:
temp.email.signature=62696c6c7940626f622e636f6d

(Whatever you want to call the signature on the left, an = sign, and then the 
hex sig on the right.)

If you're going to leave it on for any length of time, you should be at 
least slightly clever and not only have the address listed, but also some 
header info, to make sure you don't intercept messages TO that address or 
messages that simply contain that address.

Info about wildcards is in the docs, if you need it.

Make sure you reload the databases once you make the change, if you're using 
the clam daemon.

Good luck.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net 
http://lurker.clamav.net/list/clamav-users.html
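
An added example, not part of the original thread and not ClamAV code: it builds the `name=hexsig` line described above and compares an address-only signature with one that includes the From header. The sample messages, the `rich@example.com` and `ann@example.com` addresses, the `temp.email.from` name and the substring matcher are assumptions made for illustration; the real scanner also supports the wildcards mentioned in the docs.

```python
# Constructed sample data; the matcher is a toy stand-in for the scanner.

def hex_signature(name, text, chop_newline=True):
    """Return one 'name=hexsig' line in the .db format shown in the thread."""
    data = text.encode("ascii")
    if chop_newline:
        data = data.rstrip(b"\n")  # the trailing 0a byte the thread says to chop
    return f"{name}={data.hex()}"


def matches(sig_line, raw_message):
    """Plain byte-substring match on the hex body (no wildcard support)."""
    _name, hexsig = sig_line.split("=", 1)
    return bytes.fromhex(hexsig) in raw_message


# Three constructed messages: address as sender, as recipient, and in the body.
SAMPLES = {
    "from": b"From: billy@bob.com\r\nTo: rich@example.com\r\n\r\nhello\r\n",
    "to": b"From: rich@example.com\r\nTo: billy@bob.com\r\n\r\nhello\r\n",
    "body": b"From: ann@example.com\r\nTo: rich@example.com\r\n\r\n"
            b"ask billy@bob.com about it\r\n",
}


def hits(sig_line):
    """Names of the sample messages that the signature would flag."""
    return sorted(k for k, msg in SAMPLES.items() if matches(sig_line, msg))


# Address only: reproduces the hex string from the thread's example line.
ADDRESS_ONLY = hex_signature("temp.email.signature", "billy@bob.com\n")
# Address plus header text, so only mail *from* the address is flagged.
WITH_HEADER = hex_signature("temp.email.from", "From: billy@bob.com\n")
# Same input with the 0a byte left on: the CRLF line endings defeat it.
NOT_CHOPPED = hex_signature("temp.email.raw", "billy@bob.com\n", chop_newline=False)

if __name__ == "__main__":
    for sig in (ADDRESS_ONLY, WITH_HEADER, NOT_CHOPPED):
        print(sig, "->", hits(sig))
```

The header form here is the bare `From: address` case; a display name or angle brackets between the header name and the address would need the wildcard syntax from the signature docs.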