Hello again,

On Fri, 28 Jul 2017, Beeblebrox wrote:

> ... I think you'd need some complexity just for example to be able to
> use third-party databases...
>
> GW - Not sure I'm not fully grasping this point. I thought I could install the 3rd-party tools and keep them up to date with cron jobs?
Er, that's what I said. :) The trouble is things change. Third parties change things, things break, false positives happen, ... The more stuff you put in there, the more trouble you'll have with it and the less you'll be able to forget about it. It's that simple.
> I was thinking "somehow" to move the email to a quarantine folder and then sending an advisory to the user "message from joe has been quarantined, please take following steps". ...
How much experience do you have of getting average email users to follow a few (simple, written) steps? :/
> Perhaps even some process to strip all attachments, convert message to text-only (risky?) and send the text-only content along with the advisory.
Take a look at MIMEDefang, it can do all that. It does occasionally pull one out of the hat here, but most of the time it gets no chance to do anything because the dodgy messages were rejected much earlier in the milter chain. And again, I only use it on mail servers. It's largely written in Perl, so you can do practically anything with it, and you'd need to do some customization for your gateway application. I'm not necessarily recommending that you use it, just saying that the particular wheel has already been invented (more than once, in fact), and if you haven't seen it you could probably learn a lot from it. Oh, and it can call all manner of virus scanners too.
> I wonder if there's an MTA that stores hashed credentials ...
I think you're in a hole, and that you should stop digging, step back from it and take a good long look - at the problems, not at solutions. I have to come back to a point I made earlier, that you need to have a very good reason to shoe-horn ClamAV into your situation. You need to know that using ClamAV will provide a net gain. So far I feel that it will cause you much toil, and some grief, for precious little reward. Do you have any statistics, e.g. numbers of messages, numbers of those which were malicious, etc., for the body of mail that you'd have been scanning if this had all been installed, say, a couple of years ago? Do you have samples of such malicious messages? Have you run them by (for example) Jotti's Malware Scan? It might be instructive to do so.

--
73, Ged.

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
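The "strip all attachments, convert to text-only, send with an advisory" step discussed in the thread, as an added stand-alone illustration (not code from the thread, and not MIMEDefang's own filter API): it walks a MIME message with the Python standard library, keeps only inline text/plain parts, records what it dropped, and returns a new message carrying an advisory. The sample message and the advisory wording are constructed for this example.

```python
"""Text-only copy of a MIME message with attachments removed (added example)."""
import email
from email.message import EmailMessage
from email.policy import default

# Constructed advisory text; a real gateway would point at its own helpdesk/quarantine process.
ADVISORY = ("[Gateway notice] Attachments were removed from this message and it "
            "was converted to plain text. The original is held in quarantine; "
            "contact the helpdesk if you need it released.\n\n")

# Constructed sample: one inline text part plus one binary attachment.
SAMPLE = (b"From: joe@example.test\r\nTo: user@example.test\r\n"
          b"Subject: invoice\r\nMIME-Version: 1.0\r\n"
          b"Content-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
          b"--b1\r\nContent-Type: text/plain\r\n\r\nPlease see attached.\r\n"
          b"--b1\r\nContent-Type: application/octet-stream; name=\"invoice.bin\"\r\n"
          b"Content-Disposition: attachment; filename=\"invoice.bin\"\r\n"
          b"Content-Transfer-Encoding: base64\r\n\r\nAAAAAA==\r\n"
          b"--b1--\r\n")


def text_only_copy(raw: bytes):
    """Return (sanitised EmailMessage, list of stripped part names).

    Only text/plain parts that are not explicitly flagged as attachments survive;
    everything else (HTML, images, binaries, nested messages) is dropped and
    reported by filename or, failing that, by content type.
    """
    original = email.message_from_bytes(raw, policy=default)
    stripped, body_chunks = [], []
    for part in original.walk():
        if part.is_multipart():          # containers carry no payload of their own
            continue
        ctype = part.get_content_type()
        disposition = part.get_content_disposition()   # None, 'inline' or 'attachment'
        if ctype == "text/plain" and disposition != "attachment":
            body_chunks.append(part.get_content())
        else:
            stripped.append(part.get_filename() or ctype)
    out = EmailMessage()
    for hdr in ("From", "To", "Subject", "Date", "Message-ID"):
        if original[hdr] is not None:    # copy only the routing/identity headers
            out[hdr] = str(original[hdr])
    out["X-Gateway-Stripped"] = str(len(stripped))   # hypothetical audit header
    out.set_content(ADVISORY + "\n".join(body_chunks))
    return out, stripped


if __name__ == "__main__":
    msg, dropped = text_only_copy(SAMPLE)
    print(msg.as_string())
    print("stripped:", dropped)
```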