On 8/5/2010 2:35 PM, Matthew Kitchin (public/usenet) wrote:
I asked this on the Spamassassin list, and was advised I would
have better luck with ClamAV. I do have ClamAV running in
several setups, but have never done anything exactly like this.
My typical setup would be Postfix -> Amavisd -> ClamAV.
I work for a healthcare company. I have been asked to
implement something to block all outbound emails that contain
patient names. We have roughly 35,000 names. I need to look
for them in the format "John Smith" and "Smith, John". These
would be for outbound emails only. I would like to bounce them
back to the internal sender with a custom message (I can
handle that in Amavisd). I realize this would be a totally
oddball setup, so I have no problem dedicating 1 or 2 servers
to it.
We would script an export of patient names from our Patient DB
every night.
So, I basically need to know if it would be practical to build
a ClamAV DB file with 70,000+ names to be used to search an
email for a match?
If all this is practical, would it be possible to allow for a
text string in the email to flag it so it would be allowed to
have one of the forbidden names in the email? I figured this
may be an Amavisd question, but I don't see an option for
anything like that there. I figured I would try here. We would
want users to be able to put a code such as (override) in the
subject to bypass this restriction.
I'm not saying this is the most brilliant idea in the world.
It is just what I have been asked to do.
Any tips would be greatly appreciated.
Thanks,
Matthew

Creating "banned word" signatures is pretty straightforward. Convert the names to hex, add the clamav stuff and save it in a foo.ndb file in the clamav directory. A sig for "John Doe" would look something like (completely untested):
Client.Data.John.Doe:0:*:4a6f686e20446f65

You would need a separate sig for "Doe, John", but clam matches are very fast. There is unlikely to be much difference in scanning speed with 70,000 vs. 140,000 body sigs.

See section 3.3 Body-based signatures
http://www.clamav.net/doc/latest/signatures.pdf

Test your signatures with something like
clamscan --database=/path/to/foo.ndb testfile

I don't know of any "secret code" bypass mechanism in either amavisd-new or clamav. Such a feature would give the security folks nightmares. It is possible to whitelist a specific recipient.

But it would be easy enough to bypass by changing the cASE of the name or using J. Doe etc. (you might be able to use wildcards to ignore case in the sig)

But just because this might partially work doesn't mean it's a good idea. The main problem I see is that it gives a false sense of security because there are too many ways to intentionally or accidentally bypass it. This isn't something to bet the farm on working 100%, because it can't.

  -- Noel Jones
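As an added example (not code from Noel's reply or from the ClamAV project), the script below does the conversion he describes: it turns a nightly list of (first, last) pairs into an .ndb file with one "First Last" and one "Last, First" signature per name, using the Name:TargetType:Offset:HexSignature line format from the ClamAV signature documentation (target type 0, offset *). It also addresses his "cASE" remark by optionally emitting each letter as a ClamAV (aa|bb) alternative so the signature matches regardless of case, and it includes a small local regex pre-check so you can see what a generated signature would hit before loading it into clamd. The Client.Data prefix is borrowed from his sample signature; the names, the .FL/.LF suffixes and the helper function names are my own choices, and the regex check is a convenience of this script, not ClamAV's matching engine.

```python
import re

# Constructed sample export; a real run would read the nightly dump
# of patient names produced by the database job.
SAMPLE_NAMES = [("John", "Doe"), ("Jane", "Roe")]


def hex_sig(text, ignore_case=False):
    """Encode an ASCII string as a ClamAV hex body signature.

    With ignore_case=True each letter is emitted as a two-way alternative
    in ClamAV's (aa|bb) syntax, e.g. 'J' -> '(6a|4a)'.  Non-ASCII input
    raises UnicodeEncodeError; accented names need a separate decision.
    """
    parts = []
    for byte in text.encode("ascii"):
        ch = chr(byte)
        if ignore_case and ch.isalpha():
            parts.append("(%02x|%02x)" % (ord(ch.lower()), ord(ch.upper())))
        else:
            parts.append("%02x" % byte)
    return "".join(parts)


def sig_name(*parts):
    """Join name parts, replacing characters a signature name may not contain."""
    return re.sub(r"[^A-Za-z0-9._-]", ".", ".".join(parts))


def ndb_entries(first, last, ignore_case=False):
    """Return the two .ndb lines for 'First Last' and 'Last, First'.

    Line format: Name:TargetType:Offset:HexSignature, with TargetType 0
    (any file type) and Offset * (anywhere in the scanned data).
    """
    forms = (("FL", "%s %s" % (first, last)), ("LF", "%s, %s" % (last, first)))
    return [
        "%s:0:*:%s" % (sig_name("Client.Data", first, last, tag),
                       hex_sig(form, ignore_case))
        for tag, form in forms
    ]


def build_ndb(names, ignore_case=False):
    """Render the complete database as the text of a .ndb file."""
    lines = []
    for first, last in names:
        lines.extend(ndb_entries(first, last, ignore_case))
    return "\n".join(lines) + "\n"


def sig_to_regex(hexsig):
    """Translate a hex signature into a compiled bytes regex.

    Handles only what this script emits (plain hex bytes and (aa|bb)
    alternatives) so a signature can be sanity-checked locally; clamscan
    against the real .ndb remains the authoritative test.
    """
    out = []
    for tok in re.findall(r"\([0-9a-f|]+\)|[0-9a-f]{2}", hexsig):
        if tok.startswith("("):
            alts = [re.escape(bytes.fromhex(a)) for a in tok[1:-1].split("|")]
            out.append(b"[" + b"".join(alts) + b"]")
        else:
            out.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(out))


def matching_sigs(ndb_text, body):
    """Return the names of all signatures in ndb_text that match body."""
    hits = []
    for line in ndb_text.splitlines():
        name, _target, _offset, hexsig = line.split(":", 3)
        if sig_to_regex(hexsig).search(body):
            hits.append(name)
    return hits


if __name__ == "__main__":
    db = build_ndb(SAMPLE_NAMES, ignore_case=True)
    print(db, end="")          # redirect to patients.ndb for clamscan/clamd
    print(matching_sigs(db, b"Discharge summary for DOE, JOHN attached"))
```

Run it, redirect the output to a foo.ndb in the ClamAV database directory, and then test exactly as Noel suggests with `clamscan --database=/path/to/foo.ndb testfile`. The pre-check makes his other caveat concrete: the case-insensitive database still reports nothing for "J. Doe", a middle initial, or a name wrapped across two lines, so the list is a backstop for accidental disclosure, not a control against someone who wants the name to get through.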
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml