Simscan/Guide

From Qmailwiki
Revision as of 12:03, 2 February 2005 by 68.78.194.78 (Talk)

Introduction

simscan was written for people who need a fast and efficient way to do virus scanning, spamassassin processing or attachment blocking.


If you need more features than this, you should consider using qmail-scanner. It is a Perl program with many excellent features; however, it places a higher load on the system. This is mostly due to Perl: the system has to invoke the Perl interpreter, which is fairly large. simscan is less than 100K and uses the standard system libraries, so it loads and runs much faster.

ClamAntiVirus Processing

ClamAV processing is one of the simplest parts of simscan. The simscan configure script defaults to doing just clamav processing. If you are testing simscan for the first time you might want to start with just clamav processing. In the source code directory run just: ./configure ; make ; make install-strip. That should be enough to enable clamav processing.

It is probably worthwhile to understand the steps simscan goes through at this point. After qmail-smtpd receives the email and starts handing it to simscan, the following happens:

  1. A temporary working directory is created and simscan changes its working directory to it.
  2. The envelope (to and from addresses) is written to a file.
  3. The email is written to another file.

Under the default settings simscan then calls ripmime to break up the MIME-encoded parts of the email. This step might not be needed, but you should check your clamav settings: clamav can scan email messages itself. Check your clamav.conf (pre-0.80 versions) or your clamd.conf file and look for the following section:

# Enable internal e-mail scanner.
# Default: enabled
#ScanMail

This is from a 0.80 installation. As you can see, email scanning is enabled by default. If you have disabled email scanning you will need ripmime processing. However, if email scanning is enabled, you can save a little processing time by telling simscan NOT to run ripmime. Reconfigure simscan with the --disable-ripmime option: go back into your simscan source directory and run these commands:

  1. make distclean
  2. ./configure --disable-ripmime
  3. make
  4. make install-strip

If everything goes well, you will now have disabled ripmime processing and saved yourself some system load.

In any case, after the email files are written and ripmime has been called (or not), simscan forks a copy of clamdscan and reads its output through pipes. clamdscan passes the file information to your clamd daemon, so make sure your clamd process is running. clamd scans the files in the temporary working directory and reports back to clamdscan; clamdscan then reports the results, which simscan reads and parses, looking for reports of a virus.

If a virus is found, simscan removes the temporary working directory and all of its files and reports a permanent failure back to qmail-smtpd. qmail-smtpd then reports the permanent error back to the sender and cleans up all of the data that came in for that email. The result is that the data containing the virus is removed from the machine before it can cause any problems.

Optional smtp reject message

If you patch your qmail source with the smtp reject message patch from the simscan/contrib directory, and you reconfigure simscan with the --enable-custom-smtp-reject option, then the smtp reject message returned by qmail-smtpd will contain the name of the virus that was found.

How does this work? If simscan detects a virus it exits with a special error number, 82, and also writes a special reject message to file descriptor 4. If qmail-smtpd receives that return code, it attempts to read the reject message from file descriptor 4 and reports that message back to the sender. This is a pretty nifty feature. What I like about it is, if the email is being sent by a real user, as opposed to a zombie PC sending out viruses, then the real user should receive a bounce message telling them which virus they have on their machine. I know I would like to know if my machine had a virus that was going out in my email. But then again I do not use Microsoft products.
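The two mechanisms described above, reading clamdscan's report and handing a reject message back over file descriptor 4 with exit status 82, are shown together in the following added example. This is not simscan's or qmail's code: it is a Python model of the protocol, with constructed clamdscan output (the Eicar test signature stands in for a real detection), a constructed reject text (the page only says the message carries the virus name), and a `run_scan` parent that plays the qmail-smtpd side. It needs a POSIX system because it uses fork and pipes the way the two real programs do.

```python
import os

# Exit status simscan returns to qmail-smtpd when a virus is found (from the page).
EXIT_VIRUS_FOUND = 82
# File descriptor on which simscan writes the custom reject message (from the page).
REJECT_FD = 4

# Constructed samples of clamdscan output. "Eicar-Test-Signature" is the
# standard test signature, not a real infection.
SAMPLE_INFECTED = """\
/tmp/simscan.1/msg: Eicar-Test-Signature FOUND
/tmp/simscan.1/addr: OK

----------- SCAN SUMMARY -----------
Infected files: 1
"""
SAMPLE_CLEAN = """\
/tmp/simscan.2/msg: OK
/tmp/simscan.2/addr: OK

----------- SCAN SUMMARY -----------
Infected files: 0
"""


def parse_clamdscan_output(output):
    """Return [(path, signature), ...] for every 'path: Name FOUND' line.

    Lines ending in OK and the scan summary are ignored; this is the result
    parsing the page attributes to simscan.
    """
    found = []
    for line in output.splitlines():
        line = line.strip()
        if not line.endswith(" FOUND"):
            continue
        path, sep, signature = line[:-len(" FOUND")].rpartition(": ")
        if sep:
            found.append((path, signature))
    return found


def scan_child(output, rfd, wfd):
    """Child side: the simscan end of the protocol. Never returns."""
    os.close(rfd)
    if wfd != REJECT_FD:
        os.dup2(wfd, REJECT_FD)   # the reject message must appear on fd 4
        os.close(wfd)
    found = parse_clamdscan_output(output)
    if found:
        # Constructed reject text; the page only says it names the virus.
        msg = "Your email was rejected because it contains a virus: %s\n" % found[0][1]
        os.write(REJECT_FD, msg.encode())
        os._exit(EXIT_VIRUS_FOUND)
    os._exit(0)


def run_scan(output):
    """Parent side: the qmail-smtpd end. Returns (exit_status, reject_message).

    reject_message is None unless the child exited with status 82, in which
    case it is whatever the child wrote to fd 4.
    """
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:
        scan_child(output, rfd, wfd)
    os.close(wfd)                       # so the read below sees EOF
    _, status = os.waitpid(pid, 0)
    code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1
    data = b""
    while True:
        chunk = os.read(rfd, 4096)
        if not chunk:
            break
        data += chunk
    os.close(rfd)
    if code == EXIT_VIRUS_FOUND:
        return code, data.decode()
    return code, None


if __name__ == "__main__":
    print(run_scan(SAMPLE_INFECTED))   # (82, 'Your email was rejected ... Eicar-Test-Signature\n')
    print(run_scan(SAMPLE_CLEAN))      # (0, None)
```

The parent only trusts the fd 4 text when the exit status is exactly 82; any other status is treated as "no custom message", which is the same distinction qmail-smtpd has to make, since a crashing scanner must not produce a misleading bounce.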

SpamAssassin Processing

There are four ways to use spamassassin with simscan.

Do not run spamassassin

The simplest way to use spamassassin and simscan is not to use it at all. Some sites prefer to have spamassassin run on local email delivery. vpopmail has an --enable-spamassassin option that tells vdelivermail, the local vpopmail delivery agent, to send the email through spamassassin with vpopmail user options so individual users can set their own preferences. maildrop can do this as well (I think).

By having your local delivery agent run spamc you avoid the multiple recipient problem.

Multiple Recipient Problem with Per User simscan option

You can enable the use of spamassassin's per user option with this option:

 --enable-spamc-user

If there is a single recipient in the email then simscan adds the -u user@domain option to spamc. This tells spamassassin to look up that user's preferences, which override the system-wide spamassassin preferences.

But if there is more than one recipient, which user's preference should simscan set? The solution simscan uses is this: if there is more than one recipient and --enable-spamc-user is set, it skips adding the -u user@domain option to spamc.

This problem is avoided by having your local delivery agent do the spamassassin processing.

Scan and pass through to users

You can also set simscan to pass the email through spamassassin and send the result on to qmail. This is done with two options:

 --enable-spam
 --enable-spam-passthru

Do not use this option:

 --enable-spam-hits

Reject anything marked as spam

Another option is to have simscan reject email (with an smtp 500 failure response) when spamassassin marks it as spam. Use this option:

 --enable-spam

and do not use these options:

 --enable-spam-hits
 --enable-spam-passthru

With this setup, any email designated as spam, i.e. with the X-Spam flag set to Yes, will be rejected at the smtp level.

Reject really bad spam and pass through anything else

Perhaps the most popular method is a mix of the others: reject email that scores very high and pass through other email to the user even if it is marked as spam. This seems to help with the "false positive" issue (email marked as spam that is not really spam). Use these options:

 --enable-spam
 --enable-spam-hits=number
   where number is the spamassassin score at which you want to reject the email

Do not use this option:

 --enable-spam-passthru
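The four spamassassin configurations above, plus the single-versus-multiple recipient rule for -u, are modelled in the following added example. It is not simscan's code; it is a small Python reconstruction of the decisions the page describes, run over constructed message heads in the form spamc returns them. One assumption is labelled in the code: the --enable-spam-hits threshold is compared with `>=`, since the page says "the score at which you want to reject".

```python
import re

# Constructed sample message heads as returned by spamc (headers only;
# addresses, tests and version strings are made up).
SAMPLE_SPAM = """\
X-Spam-Flag: YES
X-Spam-Status: Yes, score=17.3 required=5.0 tests=BAYES_99,HTML_MESSAGE
\tautolearn=spam version=3.0.2
Subject: constructed sample, high score

body
"""
SAMPLE_TAGGED = """\
X-Spam-Flag: YES
X-Spam-Status: Yes, score=6.1 required=5.0 tests=HTML_MESSAGE
Subject: constructed sample, marked but borderline

body
"""
SAMPLE_HAM = """\
X-Spam-Status: No, score=1.2 required=5.0 tests=HTML_MESSAGE
Subject: constructed sample, clean

body
"""


def parse_headers(text):
    """Minimal header parser that unfolds continuation lines (SpamAssassin
    folds long X-Spam-Status values)."""
    headers = {}
    last = None
    for line in text.splitlines():
        if not line.strip():
            break                      # end of the header block
        if line[0] in " \t" and last:
            headers[last] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip()
            headers[last] = value.strip()
    return headers


def spam_verdict(headers):
    """Return (flagged, score) from the SpamAssassin headers."""
    flagged = headers.get("X-Spam-Flag", "").strip().upper() == "YES"
    m = re.search(r"score=(-?\d+(?:\.\d+)?)", headers.get("X-Spam-Status", ""))
    score = float(m.group(1)) if m else None
    return flagged, score


def spamc_argv(recipients, spamc_user=True):
    """spamc command line under --enable-spamc-user: -u is added only when
    there is exactly one recipient, as the page describes."""
    argv = ["spamc"]
    if spamc_user and len(recipients) == 1:
        argv += ["-u", recipients[0]]
    return argv


def disposition(headers, enable_spam=True, spam_hits=None, passthru=False):
    """'accept' or 'reject' for the four configurations on the page."""
    if not enable_spam:
        return "accept"                # 1. spamassassin not run by simscan
    if passthru:
        return "accept"                # 2. --enable-spam-passthru: tag only
    flagged, score = spam_verdict(headers)
    if spam_hits is not None:          # 4. --enable-spam-hits=number
        # Assumption: reject at or above the configured score.
        return "reject" if score is not None and score >= spam_hits else "accept"
    return "reject" if flagged else "accept"   # 3. reject anything flagged


if __name__ == "__main__":
    for name, head in (("spam", SAMPLE_SPAM), ("tagged", SAMPLE_TAGGED), ("ham", SAMPLE_HAM)):
        h = parse_headers(head)
        print(name, spam_verdict(h), disposition(h), disposition(h, spam_hits=15))
```

With spam_hits=15 the borderline message (score 6.1) is passed through tagged while the 17.3 message is rejected, which is exactly the false-positive trade-off the last option is meant to make.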

Attachment Processing

To enable attachment processing in simscan use the following configure option:

 --enable-attach

Place your list of attachments in the /var/qmail/control/ssattach file. The list should look something like this:

.jpg
.gif
.exe

Each time an email comes in and simscan is started by qmail-smtpd, this file is read into an array. After simscan calls ripmime to break the email MIME parts into separate files, simscan checks the list of attachments against the list of file names in the email.

In order to make file names and attachment names case insensitive, simscan forces everything to lower case. Then it does a reverse string comparison of each file name against each attachment name. If there is a match then the email is rejected and control passes back up to qmail-smtpd for the final email rejection.

Simscan will then report to the smtp log a message similar to:

 simscan: IP-of-sender pid pid-of-simscan: invalid attachment: FileName from: FromAddress to: ToAddress

If custom rejection messages are enabled then qmail-smtpd will report a failure message similar to:

 Your email was rejected because it contains a bad attachment: FileName
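The attachment check and the log line it produces are shown in the following added example. This is not simscan's code: it is a Python reconstruction of the behaviour described above, with the ssattach contents from the page embedded as a constructed string and made-up addresses and IP. The case-insensitive reverse string comparison is implemented as a suffix match, which is what comparing the reversed strings amounts to; the `parse_log_line` helper reads the log message back out so the same format can be used when reviewing the smtp log.

```python
import re

# Constructed contents of /var/qmail/control/ssattach, as listed on the page.
SSATTACH = """\
.jpg
.gif
.exe
"""

# The log message format the page shows for a rejected attachment.
LOG_RE = re.compile(
    r"^simscan: (?P<ip>\S+) pid (?P<pid>\d+): invalid attachment: "
    r"(?P<file>.+?) from: (?P<from>\S+) to: (?P<to>\S+)$"
)


def load_ssattach(text):
    """One entry per line, lowercased, blank lines ignored (simscan reads the
    file into an array once per message)."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]


def blocked_suffix(filename, suffixes):
    """Case-insensitive suffix match. Returns the matching entry or None."""
    name = filename.lower()
    for suffix in suffixes:
        if name.endswith(suffix):
            return suffix
    return None


def first_invalid_attachment(filenames, suffixes):
    """Name of the first attachment that matches the list, or None."""
    for filename in filenames:
        if blocked_suffix(filename, suffixes) is not None:
            return filename
    return None


def log_line(sender_ip, pid, filename, from_addr, to_addr):
    """Build the smtp log message in the format shown on the page."""
    return "simscan: %s pid %d: invalid attachment: %s from: %s to: %s" % (
        sender_ip, pid, filename, from_addr, to_addr)


def parse_log_line(line):
    """Pull the fields back out of an smtp log line; None if it is not one."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    suffixes = load_ssattach(SSATTACH)
    names = ["report.txt", "Invoice.EXE", "holiday.jpg"]
    bad = first_invalid_attachment(names, suffixes)
    line = log_line("192.0.2.10", 4242, bad, "alice@example.com", "bob@example.com")
    print(line)
    print(parse_log_line(line))
```

Because only the end of the name is compared, a file called report.exe.txt is not matched by the .exe entry; if that matters for your policy, add the inner extension patterns you care about to ssattach rather than relying on the suffix rule.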

Per domain processing

The per domain processing feature allows you to fine-tune scanning parameters on a per domain or per account (email address) basis.

Enable this using --enable-per-domain when compiling simscan.

Drop Message option

Some sites have security policies in place which require them to accept every email. For these sites there is an option to do all the normal simscan processing, but if a virus or spam is detected the message is not handed to qmail-queue for local delivery. Instead it is silently dropped.

Use this option when configuring simscan:

 --enable-drop-msg

Custom Reject Option

 --enable-custom-reject

This option has to be used with the custom reject message patch to qmail-smtpd. The patch is available in the contrib directory of the simscan tarball.
