Solved

ClamAV - Parsing An IMAP Store

Posted on 2012-09-06
595 Views
Last Modified: 2012-09-13
Currently my mail-server accepts email for our end-users, pipes it through PROCMAIL and ClamAV.

It's an IMAP server - thus the end-result for each IMAP-folder (inbox) is just a huge ascii file.

ClamAV handles the incoming messages just fine - then/when PROCMail puts the infected email into a quarantined folder once ClamAV appends a new header.

Though, an end-user can copy an email BACK into their IMAP folder (messages) which could contain a virus or trojan by cutting/pasting onto their email files using their client. Thus, it's not parsed back through the PROCMail script and not parsed through ClamAV.

Is there a way to pipe an entire IMAP email store (the message(s) ALL of them) back through to ClamAV - and have it display which email contain(ed) a trojan or virus?

Hope that makes sense.
Question by:BillFinkNC
LVL 40

Expert Comment

by:jlevie
ID: 38375742
I don't use procmail so I can't say if there are other data structures associated with each inbox. But to do what you want you will need a tool that opens each user's INBOX, breaks the store into messages, and sends that message through clamav. Care would have to be taken to ensure that the user's mail store is locked while scanning.

What makes more sense to me is to impose the virus scanner between sendmail and the world. That way messages inbound or outbound are scanned. In a sense it doesn't matter if a user with a virus infected computer pushes a message back to the server that has been infected as long as that message goes no further.

Author Comment

by:BillFinkNC
ID: 38376282
It's the tool that you mention that I'm looking for.

Grab the inbox, parse each message sending it back through ClamAV, and having it display which particular message contain(ed) the virus. ClamAV scans the ENTIRE file, though.

As far as where the AV parses the email inbound, it's working like a charm. Hence, the use of a Procmail recipe. - Scans it incoming, puts the email aside (in my case I just have it deleted/dev-null when it detects a trojan or a virus) and the user never knows.

It's the end-user that copies emails from a different source and puts an infected email back on top of their mailboxes using their email client software that I have no control over.

Each night, I DO scan their entire message folders, but due to IMAP just having one great big ASCII file, ClamAV just reports there's a virus ... back to square one.

I hope all this makes sense. - as in your post, it's the "tool" that you're referring to that I'm looking for. Any help???
LVL 41

Accepted Solution

by:noci
noci earned 2000 total points
ID: 38376362
Your question makes sense but...

The mail chain is as follows:

MUA -{smtp}->  MTA -{smtp}-> MTA .... MTA -{smtp/lmtp}-> MDA -{smtp/lmtp/pipe}-> Store <-{pop/imap}-> MUA.

MUA = mail user agent [ Outlook,
MTA = mail transfer agent [ Exim, Postfix, Qmail, Courier, Sendmail ]
MDA = mail delivery agent [ Procmail,  almost every MTA is also capable as MDA. ]
Store = [ some kind of storage, mailfile [ exim, postfix, sendmail ] like you have, maildir [ qmail, courier, exim, postfix ] or some database [ cyrus ] ].

This also shows why mail is not handled by the MDA again: it passes there only once.
All other transactions are between the MUA & the Store.

In the case of maildirs all mails are in individual files, and can be scanned as such. In all other cases you need tooling to retrieve all mails from a mail folder & then scan it.

So maybe you really want to look into maildir storage solutions. The mails can then be parsed on the mailstore host.
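An added example, not from this thread, of the "tool" jlevie describes and noci refers to above: it locks a user's mbox-style INBOX, splits it into individual messages with Python's mailbox module, hands each message to ClamAV on its own, and writes only the clean messages back in place. The INBOX contents are constructed, `clamscan_bytes` assumes `clamscan` is on the PATH, and `fake_scanner` is a stand-in used only so the demo runs without ClamAV installed.

```python
import mailbox, os, subprocess, tempfile
# Constructed sample mbox: two messages; the second carries a marker that the
# offline stand-in scanner below treats as "infected".
SAMPLE_MBOX = """From alice@example.com Thu Sep  6 10:00:00 2012
From: alice@example.com
Message-ID: <clean-1@example.com>

Just saying hi.

From mallory@example.com Thu Sep  6 10:05:00 2012
From: mallory@example.com
Message-ID: <bad-2@example.com>

CONSTRUCTED-INFECTED-MARKER
"""

def clamscan_bytes(raw):
    # Feed one message to clamscan on stdin; exit status 1 means a signature matched.
    return subprocess.run(["clamscan", "--no-summary", "-"], input=raw,
                          capture_output=True).returncode == 1

def fake_scanner(raw):
    # Offline stand-in for clamscan so the demo runs without ClamAV installed.
    return b"CONSTRUCTED-INFECTED-MARKER" in raw

def clean_mbox(path, scanner=clamscan_bytes):
    # Lock the mbox, scan each message separately, drop flagged ones, write the rest back.
    box = mailbox.mbox(path)
    box.lock()                 # dot-lock + flock so the MDA/IMAP server cannot race us
    try:
        flagged = []
        for key in list(box.keys()):
            msg = box[key]
            if scanner(msg.as_bytes()):
                flagged.append(msg["Message-ID"])
                box.remove(key)
        box.flush()            # rewrites the file with only the clean messages
    finally:
        box.close()            # also releases the lock
    return flagged

def run_demo():
    # Write the constructed mbox to a temp dir, clean it, return (flagged, remaining).
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "INBOX")
        with open(path, "w") as f:
            f.write(SAMPLE_MBOX)
        flagged = clean_mbox(path, fake_scanner)
        return flagged, [m["Message-ID"] for m in mailbox.mbox(path)]
```

Run it nightly over each user's INBOX with `clean_mbox(path)` (the default ClamAV scanner); the Message-IDs it returns are the messages that were removed.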

Author Comment

by:BillFinkNC
ID: 38376752
Picture this, a user has two mail-accounts, one personal one work, and is using Outlook as their email client.

They copy one email from their "personal" account (that's not controlled by or scanned by their work-server) by cutting/pasting a copy of an email from that account on-top (inside) of their "work email" folder.

Each/every one of their "folders as displayed in Outlook" are really just ONE great big huge ASCII file, each individual email is merely parsed by the IMAP server, separated by the "From" information in the header(s).

Relying on them to scan their "personal" email is a never ending battle, eh!??!

I need something that I can execute on our Unix host (FreeBSD) to help with. Sorry for any further confusion, I know I simply need to parse their IMAP files with the ability to distinguish each email, and then remove the offending email putting BACK the rest of their emails.

Storage, processing, access is not an issue.
LVL 41

Assisted Solution

by:noci
noci earned 2000 total points
ID: 38378052
If you use a MailDir based mail solution the user won't notice the difference [ they just see IMAP ], on the server you can run clamav jobs that scan all MailFolders regularly.

There are no IMAP files, IMAP is a network protocol.
So I suggest you look into courier-imap, or dovecot used in maildir mode.
http://www.courier-mta.org/ with maildirs each MAIL-Message has its own separate file.
Author Comment

by:BillFinkNC
ID: 38378367
I've requested that this question be deleted for the following reason:

DELETE
LVL 41

Expert Comment

by:noci
ID: 38378276
IMHO you got a decent answer; delete is not the way to react to that.
If you have problems with specific parts of an answer please ask about those details.
LVL 41

Expert Comment

by:noci
ID: 38378368
See last comment.
LVL 41

Expert Comment

by:noci
ID: 38378906
The question shows that the asker has no idea about the mail flow, so that's explained,
and why mail is not rescanned when it is moved around folders.
Also advice is given on how to most effectively approach the scanning issue if that is still the perceived route. (Maildir storage allows for easy management of messages as files)

IMO, all my answers up to the DELETE seem relevant.