I don't care whether I have to set the bugtraq IP address on a whitelist or
the sender email address (I haven't yet seen any virus that fakes the
bugtraq mail from). Virus scanning is mostly an annoyance eliminator for
me, I'm not afraid of them and I don't use dangerous mail programs.
Therefore, I don't mind if a virus goes through if I only filter for mail
from.
The amavis docs say that the sender white lists are not used for virus
scanning - bummer :(
I looked at "bypass_virus_checks", but it seems to be responsible for the
recipient only. I also couldn't find out which syntax to use (I
don't know perl and its thousand operators).
Mailing list archives also didn't help me with my problem.
Help is appreciated a lot :)
Markus
--
__________________ /"\
Markus Gaugusch \ / ASCII Ribbon Campaign
markus(at)gaugusch.at X Against HTML Mail
/ \
_______________________________________________
AMaViS-user mailing list
AMaVi...@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
> I'm using amavisd-new 20030616p9 with postfix 2.0.19_20040312 (SuSE 9.1).
> Recently, I have received a mail from bugtraq that has been caught by
> amavis/clamd as a "virus". I want to fix that and make those mails go
> through without scanning.
>
> I don't care whether I have to set the bugtraq IP address on a whitelist or
> the sender email address (I haven't yet seen any virus that fakes the
> bugtraq mail from). Virus scanning is mostly an annoyance eliminator for
> me, I'm not afraid of them and I don't use dangerous mail programs.
> Therefore, I don't mind if a virus goes through if I only filter for mail
> from.
>
> The amavis docs say that the sender white lists are not used for virus
> scanning - bummer :(
>
> I looked at "bypass_virus_checks", but it seems to be responsible for the
> recipient only. I also couldn't find out which syntax to use (I
> don't know perl and its thousand operators).
> Mailing list archives also didn't help me with my problem.
It's not possible to specify a "virus whitelist" based on the sender
address. With spam it is possible to specify a sender whitelist but
not with viruses.
From amavisd.conf:
# @bypass_virus_checks_maps list of lookup tables:
# (this is mainly a time-saving option, unlike virus_lovers* !)
#
# Similar in concept to @virus_lovers_maps, a @bypass_virus_checks_maps
# is used to skip entirely the decoding, unpacking and virus checking,
# but only if ALL recipients match the lookup.
#
# @bypass_virus_checks_maps does NOT GUARANTEE the message will NOT be checked
# for viruses - this may still happen when there is more than one recipient
# for a message and not all of them match these lookup tables, or when
# check result was cached (i.e. the same contents was recently sent to other
# recipients). To guarantee virus delivery, a recipient must also match
# @virus_lovers_maps lookups (but see milter limitations above),
# NOTE: it would not be clever to base enabling of virus checks on SENDER
# address, since there are no guarantees that it is genuine. Many viruses
# and spam messages fake sender address. To achieve selective filtering
# based on the source of the mail (e.g. IP address, MTA port number, ...),
# use mechanisms provided by MTA if available, possibly combined with policy
# banks feature.
--
Best Regards
Daniel Luttermann
mailto:daniel.l...@t-online.de
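
Added example, not part of the original thread and not taken from the amavisd-new or Postfix distributions: one way to apply the note at the end of the amavisd.conf excerpt above, selecting by the connecting client's IP address in the MTA and handing that mail to a policy bank. It assumes an amavisd-new release that has the policy banks feature; the second port 10026, the bank name TRUSTED_LIST, the map file name, the "smtp-amavis" transport name and the address 192.0.2.25 are all placeholders.

```perl
# amavisd.conf fragment (added sketch; port, bank name and the
# Postfix names below are assumptions, not values from the thread)

# Listen on the normal filter port and on a second port reserved for
# mail that the MTA has already classified by source IP address.
$inet_socket_port = [10024, 10026];

# Mail arriving on the second port is processed under its own policy bank.
$interface_policy{'10026'} = 'TRUSTED_LIST';

# Within that bank every recipient bypasses virus checks. Settings not
# listed here (spam, banned files, bad headers) keep their global values.
$policy_bank{'TRUSTED_LIST'} = {
  bypass_virus_checks_maps => [1],
};

# Postfix side, shown as comments because it lives in other files.
#
# /etc/postfix/main.cf
#   content_filter = smtp-amavis:[127.0.0.1]:10024
#   smtpd_client_restrictions =
#       check_client_access hash:/etc/postfix/filter_override
#
# /etc/postfix/filter_override   (run "postmap" on it after editing)
#   # 192.0.2.25 is a documentation placeholder for the list server's IP
#   192.0.2.25   FILTER smtp-amavis:[127.0.0.1]:10026
#
# The FILTER action replaces content_filter for matching clients only,
# so the decision rests on the connecting IP address, which a forged
# envelope sender cannot change.
```

As the excerpt says, a bypass is not a guarantee: a cached check result for the same contents can still be applied to a message that takes this path.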
> Hi Markus,
>
> > I'm using amavisd-new 20030616p9 with postfix 2.0.19_20040312 (SuSE 9.1).
> > Recently, I have received a mail from bugtraq that has been caught by
> > amavis/clamd as a "virus". I want to fix that and make those mails go
> > through without scanning.
> >
> It's not possible to specify a "virus whitelist" based on the sender
> address. With spam it is possible to specify a sender whitelist but
> not with viruses.
So, there is NO POSSIBILITY AT ALL?
I can't believe that.
Maybe postfix can be told to ignore the content filter for specific ip's?
Markus
--
__________________ /"\
Markus Gaugusch \ / ASCII Ribbon Campaign
markus(at)gaugusch.at X Against HTML Mail
/ \
>> Hi Markus,
>>
>> > I'm using amavisd-new 20030616p9 with postfix 2.0.19_20040312 (SuSE 9.1).
>> > Recently, I have received a mail from bugtraq that has been caught by
>> > amavis/clamd as a "virus". I want to fix that and make those mails go
>> > through without scanning.
>> >
>> > I don't care whether I have to set the bugtraq IP address on a whitelist or
>> > the sender email address (I haven't yet seen any virus that fakes the
>> > bugtraq mail from). Virus scanning is mostly an annoyance eliminator for
>> > me, I'm not afraid of them and I don't use dangerous mail programs.
>> > Therefore, I don't mind if a virus goes through if I only filter for mail
>> > from.
> so... set up a +alias and subscribe to bugtraq with that, then skip
> filtering on that recipient.
Some setups are possible, but amavisd does not have the possibility to
whitelist "virus senders" like it can be done with "spam senders".
You can set up an alias as described above or use the virus_lover
settings. But these settings work on the recipient, not the sender.
You can also define the recipients in the @virus_lovers_maps or
@bypass_virus_checks_maps.
@bypass_virus_checks_maps is used to skip entirely the decoding,
unpacking and virus checking, but only if ALL recipients match the
lookup. As an example you can use this setting:
@bypass_virus_checks_maps = ( [qw( us...@example.com )] );
This will disable virus checking for the user us...@example.com.
--
Best Regards
Daniel Luttermann
mailto:daniel.l...@t-online.de
>
> So, there is NO POSSIBILITY AT ALL?
> I can't believe that.
> Maybe postfix can be told to ignore the content filter for specific ip's?
>
> Markus
> There's good reason for this being hard. Perhaps a work-around would
> be to create a specific account for your bugtraq subscription and
> whitelist for that recipient account.
I think that this is ridiculous. Why should one make whitelisting for
spam, but not for viruses? I've subscribed to bugtraq with a different
address now, but I think that this can't be a general solution. I have an
account that's completely unprotected now, instead of having a small
whitelist entry.
Unfortunately, I don't speak perl and can't fix it by myself.
Markus
--
__________________ /"\
Markus Gaugusch \ / ASCII Ribbon Campaign
markus(at)gaugusch.at X Against HTML Mail
/ \
Because viruses *usually* forge their senders, and any virus can
forge that it came from bugtraq; and it is not unlikely, if Bugtraq is
also in one of your correspondents' address books.
The independent whitelist system that I independently implemented in
our Scora antispam/AV product has the same property of not whitelisting
viruses, for the same reasons. Indeed, I hadn't looked closely at how
amavisd does whitelisting when I designed and coded it.
(And I recently got what I suspect to be the same two messages sent
to *my* quarantine from my bugtraq subscriptions; it was the Java
Trojan loader discussion, right? Fortunately it's easy for me to
release it from the quarantine.)
> I've subscribed to bugtraq with a different
> address now, but I think that this can't be a general solution. I have an
> account that's completely unprotected now, instead of having a small
> whitelist entry.
Yours - and mine - is a relatively rare case, where a specific
recipient wants to receive viruses (including *actual* viruses) only
from a specific sender address. It would be difficult to implement
this generally in a way that didn't indirectly lead to many more naive
users blindly whitelisting addresses in a way that caused their
computers to become infected with viruses.
Yes, it's a mildly patronizing attitude by the software author, but
as someone who made the same design decision independently, I would
defend it as the correct one for 99+% of amavisd users, even though it
was somewhat wrong for me in this case.
I'd be personally interested to hear suggestions for an appropriate
way that the feature could/should work without opening the door to too
many problems.
-- Clifton
--
Clifton Royston -- clif...@tikitechnologies.com
Tiki Technologies Lead Programmer/Software Architect
Did you ever fly a kite in bed? Did you ever walk with ten cats on your head?
Did you ever milk this kind of cow? Well we can do it. We know how.
If you never did, you should. These things are fun, and fun is good.
-- Dr. Seuss
Unfortunately, such a scenario isn't that outlandish. In fact, I was
confronted with that _EXACT_ scenario yesterday afternoon. In the
case of a border filter, implementing an effective two-way whitelist
is pretty challenging. Yes, it would be nice to have, but no, it
won't keep the customer from shooting themselves repeatedly in the
foot.
> I'd be personally interested to hear suggestions for an appropriate
> way that the feature could/should work without opening the door to too
> many problems.
>
> -- Clifton
>
> Recently, I have received a mail from bugtraq that has been caught by
> amavis/clamd as a "virus". I want to fix that and make those mails go
> through without scanning.
You are trying to solve the wrong problem. The proper solution is to
submit your false positive sample to ClamAV, so that the next time
it won't be mistaken for a virus. It would help others as well.
> I think that this is ridiculous. Why should one make whitelisting for
> spam, but not for viruses?
Because spam is mostly harmless and a few false negatives don't matter much,
but viruses are usually not.
> I've subscribed to bugtraq with a different
> address now, but I think that this can't be a general solution.
That is a sensible solution.
> I have an account that's completely unprotected now, instead of
> having a small whitelist entry.
The following patch against amavisd-new-2.2.1 can do what you want
(you may need to adjust the sender address(es)):
--- amavisd~ Thu Dec 23 02:38:39 2004
+++ amavisd Wed Jan 5 02:55:04 2005
@@ -6433,5 +6433,11 @@
: D_PASS;
+ my($whitelisted_for_malware) = 0;
+ if ($final_destiny != D_PASS && lookup(0,$msginfo->sender,
+ [qw( bugtraq...@securityfocus.com listserv.ntbugtraq.com )] )) {
+ $whitelisted_for_malware = 1;
+ do_log(0, "malware accepted from sender ".$msginfo->sender);
+ }
for my $r (@{$msginfo->per_recip_data}) {
next if $r->recip_done; # already dealt with
- if ($final_destiny == D_PASS) {
+ if ($final_destiny == D_PASS || $whitelisted_for_malware) {
# recipient wants this message, malicious or not
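Review bot: the lookup on $msginfo->sender in the added "if" trusts the envelope sender, which the sending side chooses freely, so any message that claims one of the listed addresses is treated as wanted for every recipient in the loop that follows. The test is also "$final_destiny != D_PASS", so it overrides whatever non-pass destiny was computed above, while the variable name and the log text speak only of malware; consider narrowing it to the virus verdict. The address list is hard-coded in the daemon source, so moving it to a configuration variable would let it survive upgrades, and pairing the sender match with a check on the submitting client would narrow the exception further.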
Mark