Charles Mount wrote:
> Gauntlet, like most commercial virus protection software does not offer the
> option of discarding virus infected messages; the only option is cleaning.
> Changing firewall software or routing of mail are not options.
> When Gauntlet detects a virus infected attachment, it replaces the
> attachment with a message stating that the virus has been cleaned. It
> retains the name of the original attachment appending a ".htm" to it as in
> patch.exe.htm in the example below.

Does Gauntlet stick in any headers you can filter on? Does it make any changes other than cleaning the virus and changing the attachment? If so, you should be able to filter on those elements direct from MIMEDefang, instead of having to call SA.

> X-NAI-Gauntlet-mimepp: Attachment removed

This looks promising...

> ACTUAL ATTACHMENT:
> <html><head><meta HTTP-EQUIV="Content-Type" content="text/html; charset=">
> <title>VIRUS INFECTION ALERT</title></head>
> <body>
> <h1><font color="#FF0000">VIRUS INFECTION ALERT</font></h1>
> <p>The Gauntlet Firewall® discovered a virus in this file.
> The file was not repaired and has therefore been removed.
> See your system administrator for further information.
> </p>
> <p>Filename: patch.exe<br>
> Virus name: W32/[EMAIL PROTECTED]</p>

And so does this. Scan back through the MIMEDefang list archives; there have been a number of questions about how to examine a particular header, or manually scanning the message body.

http://lists.roaringpenguin.com/pipermail/mimedefang/

> Most users cannot recognize the subtle differences between a virus infected
> message and a cleaned message. This leads to a lot of calls from users
> thinking they have a virus.
> I have tried to add rules to make SpamAssassin discard these messages.
> Below are header, an actual attachment and a couple of rules I have tried.
> PLEASE HELP with suggestions of rules that can be used to block these
> messages.

If direct MIMEDefang checks still fail, you might try:

    body     __GAUNTLET_01  /VIRUS INFECTION ALERT/
    body     __GAUNTLET_02  /The Gauntlet Firewall/
    body     __GAUNTLET_03  /discovered a virus in this file/
    meta     GAUNTLET_AV    __GAUNTLET_01 && __GAUNTLET_02 && __GAUNTLET_03
    describe GAUNTLET_AV    Body contains phrases from Gauntlet AV appliance
    score    GAUNTLET_AV    10

Note that the test names use all upper-case letters; I'm not certain if this is REQUIRED, but it *is* RECOMMENDED (in the RFC sense).

Put these in /etc/mail/spamassassin/sa-mimedefang.cf, and reload or restart MIMEDefang. If you've got a copy of one of the original cleaned messages, you might try running

    spamassassin < [message file]

on the MD box to make sure it's triggering.

I'm not aware of any way to check for the existence or contents of any arbitrary header; that would certainly be cleaner than doing body checks. :/

-kgd
-- 
<erno> hm. I've lost a machine.. literally _lost_. it responds to ping, it works completely, I just can't figure out where in my apartment it is.

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
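
An added example, not from the thread or from either poster: a Python check that combines the X-NAI-Gauntlet-mimepp header with the three alert phrases quoted above, looking only inside ".htm" attachments. The function names and the sample message are constructed for illustration.

```python
# Added example: recognise a Gauntlet-"cleaned" message from the header and
# the replacement attachment quoted in the thread. Names are hypothetical.
import email
from email import policy
from email.message import EmailMessage

ALERT_PHRASES = (  # the same three phrases used by the body rules above
    "VIRUS INFECTION ALERT",
    "The Gauntlet Firewall",
    "discovered a virus in this file",
)

def gauntlet_cleaned(raw: bytes) -> bool:
    """True only if the header is set AND a *.htm attachment holds the alert."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if "Attachment removed" not in str(msg.get("X-NAI-Gauntlet-mimepp", "")):
        return False
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.is_multipart() or not name.endswith(".htm"):
            continue
        payload = part.get_payload(decode=True) or b""  # undo base64/QP
        text = payload.decode(part.get_content_charset() or "latin-1", "replace")
        if all(phrase in text for phrase in ALERT_PHRASES):
            return True
    return False

def sample_message(with_header: bool, html: str, filename: str) -> bytes:
    """Constructed test message; addresses and subject are placeholders."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "patch"
    if with_header:
        m["X-NAI-Gauntlet-mimepp"] = "Attachment removed"
    m.set_content("see attached")
    m.add_attachment(html, subtype="html", filename=filename)
    return m.as_bytes()

ALERT_HTML = (  # shortened copy of the replacement attachment quoted above
    "<html><head><title>VIRUS INFECTION ALERT</title></head><body>"
    "<p>The Gauntlet Firewall\u00ae discovered a virus in this file.</p>"
    "<p>Filename: patch.exe</p></body></html>"
)

if __name__ == "__main__":
    print(gauntlet_cleaned(sample_message(True, ALERT_HTML, "patch.exe.htm")))
```

Requiring the header, the ".htm" filename and all three phrases together keeps an ordinary message that merely quotes the alert text in its body from being discarded.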