On Tue, 19 Feb 2008, Gomes, Rich wrote:
> I have a specific need to quarantine emails coming from a particular
> email address.
A quick hack would be to make a signature that includes the address, and some other identifying information from a mail header.
Everything you need to know is here, although not documented as nicely as it could be: http://www.clamav.org/doc/latest/signatures.pdf
Basically, you use "sigtool --hex-dump" to create a hex signature of some text (in this case, the email address in question), and put that into a regular text file ending with the extension .db in your signature directory. (Make sure you chop off the 0a byte at the end.)
The file format is very simple. Example:

temp.email.signature=62696c6c7940626f622e636f6d

(Whatever you want to call the signature on the left, an = sign, and then the hex sig on the right.)
If you're going to leave it on for any length of time, you should be at least slightly clever and not only have the address listed, but also some header info, to make sure you don't intercept messages TO that address or messages that simply contain that address.
Info about wildcards is in the docs, if you need it.
Make sure you reload the databases once you make the change, if you're using the clam daemon.
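
The steps from the message above as a small shell helper. This is an added example, not part of the original post or of ClamAV: the function names, the `local.db` file name, the `/var/lib/clamav` directory and the literal `From: billy@bob.com` header form are assumptions, and `od` is used only as a stand-in when sigtool is not installed.

```shell
#!/bin/sh
# hex_of TEXT: hex-encode TEXT exactly as given. printf '%s' emits no
# trailing newline, so there is no 0a byte to chop off afterwards.
hex_of() {
    if command -v sigtool >/dev/null 2>&1; then
        printf '%s' "$1" | sigtool --hex-dump | tr -d '\n'
    else
        # Stand-in when sigtool is missing: same bytes, lowercase hex.
        printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
    fi
}

# sig_line NAME TEXT: print one "NAME=HEX" line in the .db format.
sig_line() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) echo "bad signature name: $1" >&2; return 1 ;;
    esac
    [ -n "$2" ] || { echo "empty match text" >&2; return 1; }
    printf '%s=%s\n' "$1" "$(hex_of "$2")"
}

# add_sig DBFILE NAME TEXT: append the signature unless NAME already exists.
add_sig() {
    case "$1" in *.db) ;; *) echo "file must end in .db" >&2; return 1 ;; esac
    line=$(sig_line "$2" "$3") || return 1
    if [ -f "$1" ] && awk -F= -v n="$2" '$1==n{f=1} END{exit !f}' "$1"; then
        echo "signature $2 already present in $1" >&2; return 1
    fi
    printf '%s\n' "$line" >> "$1"
}

# Usage (constructed values; the database directory is an assumption):
#   add_sig /var/lib/clamav/local.db temp.email.signature 'From: billy@bob.com'
#   clamdscan --reload    # make a running clamd pick up the new file
```

Matching on the header text rather than the bare address only works if the sender's From line really has that literal form; otherwise use the wildcards described in the signature docs.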