[clamav-users] Clamav-milter finds positive, goes to hold queue

Joe Acquisto-j4 joea at j4computers.com
Wed Feb 24 13:26:41 UTC 2021



>> Citeren Joe Acquisto-j4 <joea at j4computers.com>:
>> 
>>> Another question from the peanut gallery (a kids TV show reference from
>>> the 1950's.  Which should tell you something) . . .
>>>
>>> With a local test email EICAR is detected and fed back to postfix.
>>> Ends up in hold queue as you would expect as
>>> per below as /var/log/mail says: (snipped)
>>>
>>> "postfix/cleanup[18137]: 686483954B: milter-hold: END-OF-MESSAGE  
>>> from localhost[127.0.0.1]: milter triggers HOLD action; from="
>>>
>>> Probably this is a postfix thing, and I need to deal with that but,
>>> just for a sanity check (always a treat) is there something in
>>> /etc/clamav-milter.conf or elsewhere on the clamav side that can change
>>> that behavior (while preserving the email for further disposition, that is)?
>>>
>>> Just FYI at this point, wisp of idea is to process the hold queue  
>>> (given the milter hold action will not change),
>>> alter the subject line per the "X-Virus-Status: Infected" text in  
>>> the header and forward it on to the user,
>>> generally me.
>> 
>> You probably want to lookup how to process messages from the HOLD  
>> queue in Postfix.
>> 
> 
> Strikes me my first thought may be a poor choice. 
> 
> Wondering now what people generally do with infected mail?  That is, is
> there a general consensus?
> 
> Would it be "safe" (for the systems) to simply send the mail through to the
> end user and merely tag the subject line with "Virus Detected", as SPAM
> messages are done?   Send them to a quarantine mailbox for human review?
> Notify an administrator there is email being "held"?
> 
> joe a.
> 
> 

I tend to agree with the "NO" votes. But, in the postfix "FILTER_README"
the author(s) suggest it is not a great idea, these days, to send the email 
back to the sender, as the sender is very likely to be "spoofed".   I guess there
are different ways of looking at that particular avenue.

For now I will settle on a cron job script that peeks at the hold queue every so often and
alerts someone (me) with an alert.   I would have thought there was some mechanism
already built into the milter, or postfix, to do that (optionally), but I've not stumbled on
one thus far.

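A cron-driven hold-queue check of the kind described in the last paragraph, as an added example that is not part of the original message nor of clamav-milter or Postfix. It parses `postqueue -p` for held entries (Postfix marks a held queue ID with a trailing `!`) and summarizes the headers that `postcat -qh QUEUEID` prints for each one, including the `X-Virus-Status: Infected` header the milter adds. The sample queue listing and header block are constructed, not captured from a live server, and the script name, the `--live` flag and the addresses are my own choices.

```shell
#!/bin/sh
# check_hold_queue.sh (constructed example): report what is sitting in the
# Postfix hold queue, where clamav-milter's HOLD action parks infected mail.
# Meant to run from cron. It only prints when something is held, so cron's
# own MAILTO delivery turns the output into the alert: no output, no mail.

# held_ids: read `postqueue -p` output on stdin and print the queue IDs of
# held messages. Postfix appends '!' to a held queue ID ('*' marks an
# active one; no suffix means deferred or incoming).
held_ids() {
    awk '$1 ~ /^[0-9A-Za-z]+!$/ { sub(/!$/, "", $1); print $1 }'
}

# header_summary: read message headers on stdin (what `postcat -qh ID`
# prints for one queue file) and print a one-line summary of From,
# Subject and the X-Virus-Status header clamav-milter added. Folded
# (multi-line) headers are not joined; the first line is enough here.
header_summary() {
    awk '
        tolower($0) ~ /^x-virus-status:/ { sub(/^[^:]*: */, ""); st = $0 }
        tolower($0) ~ /^from:/           { sub(/^[^:]*: */, ""); from = $0 }
        tolower($0) ~ /^subject:/        { sub(/^[^:]*: */, ""); subj = $0 }
        END { printf "status=%s from=%s subject=%s\n", st, from, subj }
    '
}

# report_held: walk the live hold queue and print one line per held
# message. Needs the postqueue/postcat binaries, i.e. a Postfix host.
report_held() {
    postqueue -p | held_ids | while read -r id; do
        printf '%s: ' "$id"
        postcat -qh "$id" | header_summary
    done
}

# Constructed sample data (not captured from a real server) so the parsing
# can be exercised on a machine without Postfix. The second entry is an
# active ('*') message and must not be reported.
SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
686483954B!     1536 Wed Feb 24 13:26:41  joea@example.com
                                         joea@example.com
A1B2C3D4E5*     2048 Wed Feb 24 13:20:10  other@example.com
                                         someone@example.com

-- 3 Kbytes in 2 Requests.'

SAMPLE_HEADER='Received: from localhost (localhost [127.0.0.1])
From: joea@example.com
Subject: eicar test
X-Virus-Status: Infected'

if [ "${1:-}" = "--live" ]; then
    # cron entry, e.g.:  */10 * * * * /usr/local/bin/check_hold_queue.sh --live
    report_held
else
    # Offline demonstration against the constructed sample.
    printf '%s\n' "$SAMPLE_QUEUE" | held_ids | while read -r id; do
        printf '%s: ' "$id"
        printf '%s\n' "$SAMPLE_HEADER" | header_summary
    done
fi
```

Two practical notes. The HOLD seen in the log is what clamav-milter's `OnInfected Quarantine` setting in /etc/clamav-milter.conf produces; `Reject`, `Blackhole` and `Accept` are the other values, but only `Quarantine` keeps the message for later disposition. Once a held message has been looked at, `postsuper -H QUEUEID` releases it for delivery unchanged and `postsuper -d QUEUEID` deletes it, so any automated release step is effectively a decision to deliver the infected message as-is.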