Greetings;

Currently it spits out a one-line message to the logfile when it has found something, and when procmail sees the NZ return, the incoming mail is placed in a holding file. But it contains zero information that would give a clue as to where the infected mail came from.

To do that, I have to periodically mv /var/spool/mail/virii to /var/spool/mail/me, let my MUA import it as a normal mail, then wait for the daily clamdscan of my home directory, at which point I get a paragraph or 2 of location/nix-epoch-dated+some hash number listed as infected with such-and-such. And still no clue as to who sent me the crap.

Well, it turns out that the last time I did that, yesterday morning, I had 8 examples of the same phishing scheme: 3 from my bank, 4 from AARP, and 1 from a supplier I had bought something from online. And all of them at least 3 weeks old. 2 of them were time-sensitive messages regarding the issuance of a new, chipped debit card, which, when it arrived, resulted in my being completely unaware it was coming.

Now, I can put a tail on /var/log/clamav/clamav.log and at least get a notice (if I read the log, but its content is 99% noise and I have to check it every 3 minutes or it may scroll off screen, never to be seen again without grepping for 'FOUND').

So this is a feature request: When clamdscan is used to filter an incoming email, it will find the From: or Reply-To: lines, possibly before it finds a reason to cause that mail to be dumped. So, how much trouble would it be to clear a buffer for each of those 2 header lines, with Reply-To: taking precedence, and if something is found, output the last From: or Reply-To: information at the same time it logs the FOUND msg? That would at least connect the dots as to who sent it without having to go through a lengthy search of near-meaningless filenames in the 26 gigabyte corpus of my now 15-year collection of emails, reading each of the matching numbers with mc's F3 function to actually find out who sent it.

I can probably write a script that would sound the alarm over the audio when FOUND is grepped for, but that still doesn't "connect the dots". Any chance of that happening? Or am I missing an option in the command that would cause it to do it now?

The man pages aren't very promising in that regard.

ClamAV 0.98.7/21359/Fri Feb 12 08:36:44 2016 in use on Debian wheezy.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
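The "remember the headers, print them with the FOUND line" idea above can be done today in a small wrapper placed between procmail and clamdscan, without waiting for a ClamAV feature. The following is an added example written for this page; it is not Gene's code and not part of ClamAV. It assumes that `clamdscan --no-summary -` accepts the message on stdin and prints a one-line verdict of the form `stream: <signature> FOUND` or `stream: OK` (exit status 1 when infected, 2 on error); the scanner is passed in as a callable so the header logic can be tried without a running clamd. The sample message and the signature name in the usage comments are constructed.

```python
#!/usr/bin/env python3
"""Added example (not from the original post or ClamAV): a procmail-side
wrapper that captures From:/Reply-To: and logs them together with the
clamdscan FOUND verdict, so the log line says who sent the message.

Assumptions: 'clamdscan --no-summary -' scans stdin and prints
'stream: <signature> FOUND' or 'stream: OK'; exit 1 = infected, 2 = error.
"""
import subprocess
import sys
from email import message_from_bytes, policy
from email.utils import parseaddr
from typing import Callable, Optional

FOUND_SUFFIX = " FOUND"


def run_clamdscan(raw: bytes) -> str:
    """Stream the raw message to clamd and return its one-line verdict."""
    proc = subprocess.run(
        ["clamdscan", "--no-summary", "-"],
        input=raw, capture_output=True, check=False,
    )
    # 0 = clean, 1 = infected, 2 = scanner error: never silently pass mail on error
    if proc.returncode == 2:
        raise RuntimeError("clamdscan error: " + proc.stderr.decode(errors="replace"))
    return proc.stdout.decode(errors="replace").strip()


def parse_verdict(line: str) -> Optional[str]:
    """Return the signature name from 'stream: <sig> FOUND', or None if clean."""
    line = line.strip()
    if not line.endswith(FOUND_SUFFIX):
        return None
    head, sep, rest = line.partition(": ")
    body = rest if sep else head          # tolerate a missing 'stream:' prefix
    return body[: -len(FOUND_SUFFIX)].strip()


def sender_summary(raw: bytes) -> dict:
    """Pull the headers that say where a message came from.
    Reply-To: takes precedence over From: as the 'answering' address,
    exactly the precedence the post asks for."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_hdr = str(msg.get("From", ""))
    reply_hdr = str(msg.get("Reply-To", ""))
    # parseaddr strips display names and angle brackets; fall back to the raw header
    return {
        "from_addr": parseaddr(from_hdr)[1] or from_hdr,
        "reply_to": parseaddr(reply_hdr)[1] or reply_hdr,
        "sender": parseaddr(reply_hdr or from_hdr)[1] or (reply_hdr or from_hdr),
        "subject": str(msg.get("Subject", "")),
        "message_id": str(msg.get("Message-ID", "")),
        "date": str(msg.get("Date", "")),
    }


def scan_and_report(raw: bytes,
                    scanner: Callable[[bytes], str] = run_clamdscan) -> Optional[str]:
    """Scan one message. Return a single log line naming the signature AND the
    sender when something is found, or None when the message is clean."""
    sig = parse_verdict(scanner(raw))
    if sig is None:
        return None
    info = sender_summary(raw)
    return ("FOUND {sig} sender={sender} from={from_addr} reply_to={reply_to} "
            "date={date!r} subject={subject!r} message_id={message_id}"
            ).format(sig=sig, **info)


# Constructed sample message (not real mail) for trying the header logic offline.
SAMPLE_PHISH = b"""From: "My Bank Security" <alerts@example-bank.invalid>
Reply-To: verify@suspicious.invalid
To: gene@localhost
Subject: Your new chip card requires activation
Date: Fri, 12 Feb 2016 08:36:44 -0500
Message-ID: <constructed-0001@example.invalid>

Please confirm your card details at the link below.
"""


if __name__ == "__main__":
    # procmail usage (recipe condition):  * ? report_found.py
    # The message arrives on stdin; the report goes to stderr (procmail's LOGFILE),
    # and the exit status tells procmail whether to divert the mail.
    report = scan_and_report(sys.stdin.buffer.read())
    if report:
        print(report, file=sys.stderr)
        sys.exit(1)
    sys.exit(0)
```

Used from a procmail recipe, the wrapper replaces the bare `clamdscan` condition: the exit status still drives the holding-file delivery, but the line written to the log now reads `FOUND <signature> sender=... from=... reply_to=... subject=...`, which is exactly what `grep FOUND` on the logfile needs to connect the dots. Because the sender is taken from the Reply-To: header when present, it also shows the address a victim would actually have answered, which in a phish usually differs from the spoofed From:.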