clamav-users February 2008 archive

Re: [Clamav-users] quarantine on specific from address

From: jef moskot <jef_at_nospam>
Date: Tue Feb 19 2008 - 17:40:56 GMT
To: ClamAV users ML <clamav-users@lists.clamav.net>


On Tue, 19 Feb 2008, Gomes, Rich wrote:
> I have a specific need to quarantine emails coming from a particular
> email address.

A quick hack would be to make a signature that includes the address, and some other identifying information from a mail header.

Everything you need to know is here, although not documented as nicely as it could be: http://www.clamav.org/doc/latest/signatures.pdf

Basically, you use "sigtool --hex-dump" to create a hex signature of some text (in this case, the email address in question), and put that into a regular text file ending with the extension .db in your signature directory. (Make sure you chop off the 0a byte at the end.)

The file format is very simple. Example: temp.email.signature=62696c6c7940626f622e636f6d

(Whatever you want to call the signature on the left, an = sign, and then the hex sig on the right.)

If you're going to leave it on for any length of time, you should be at least slightly clever and not only have the address listed, but also some header info, to make sure you don't intercept messages TO that address or messages that simply contain that address.

Info about wildcards is in the docs, if you need it.

Make sure you reload the databases once you make the change, if you're using the clam daemon.

Good luck.

Jeffrey Moskot
System Administrator
jef@math.miami.edu
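
The procedure from the message above, as an added example that is not part of the original post: it builds the `name=hex` line for a .db file and checks it for a leftover trailing 0a byte. `od` stands in for "sigtool --hex-dump"; the function names, the `temp.email.from` signature name and the header layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). The signature names and the
# header layout are constructed; od/tr stand in for "sigtool --hex-dump".

# hex_sig TEXT: hex-encode TEXT's bytes. printf '%s' writes no trailing
# newline, so there is no 0a byte to chop off afterwards.
hex_sig() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# db_line NAME TEXT: emit one "NAME=HEX" line in the format shown in the post.
db_line() {
    case $1 in
        ''|*=*|*' '*) echo "db_line: bad signature name" >&2; return 1 ;;
    esac
    [ -n "$2" ] || { echo "db_line: empty pattern" >&2; return 1; }
    printf '%s=%s\n' "$1" "$(hex_sig "$2")"
}

# check_db_line LINE: sanity-check a line before it goes into the .db file.
# Fails on a missing '=', a non-hex or odd-length signature, and a trailing
# 0a byte (a pattern meant to end in a newline would be flagged too).
check_db_line() {
    sig=${1#*=}
    [ "$sig" != "$1" ] || return 1
    case $sig in ''|*[!0-9a-f]*) return 1 ;; esac
    [ $(( ${#sig} % 2 )) -eq 0 ] || return 1
    case $sig in *0a) return 1 ;; esac
    return 0
}

# Address alone (matches anywhere in a message) versus address preceded by
# header text, as the post advises. The exact header layout is an assumption;
# real From: lines may carry a display name or angle brackets.
db_line temp.email.signature 'billy@bob.com'
db_line temp.email.from 'From: billy@bob.com'
```

Redirect the output into a file ending in .db in the signature directory, then reload the databases as the message says.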


