Forum: UNIX Systems    Title: postfix mail virus filtering [original]
Author: cimsxiyang [cimsxiyang]    Moderator
Postfix mail virus filtering

Overview:
There is a lot of mail anti-virus software around, and most of it is written in Perl. I chose amavis and clamav because they are written in C, which gives them a performance advantage from the start. amavis is also very extensible: think of it as a scanning framework, with clamav as a scanning engine. Other scanning engines can of course be used instead. :)

Software needed:
amavis-0.3.12.tar.gz
unarj-2.65-3.9.i386.rpm
zoo-2.10-11.9.i386.rpm
unrar-3.2.3-2.9.i386.rpm
clamav-0.65.tar.gz
arc-5.21e-6.i386.rpm

Installation:
--------install clamav---------
Code:

#tar zvxf  clamav-0.65.tar.gz
#cd clamav-0.65
# groupadd clamav
#useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
#./configure
#make && make install
#vi /usr/local/etc/clamav.conf


LogFile /var/log/clamd.log
LogFileMaxSize 2M
LogVerbose
LogTime
PidFile /var/run/clamd.pid
DataDirectory /usr/local/share/clamav
LocalSocket /tmp/clamd
# note: /tmp is writable by every local user; a socket under /var/run/clamav is the safer location
MaxDirectoryRecursion 15
User clamav
ScanArchive
ArchiveMaxFileSize 10M
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000

Code:

# clamd
# ps -aux | grep clamd
clamav    9896  0.0  0.7 26448 7220 ?        S    04:27  0:00 /usr/local/sbin/clamd
root    22660  0.0  0.0  3548  616 pts/1    R    19:30  0:00 grep clamd
# echo /usr/local/sbin/clamd >> /etc/rc.d/rc.local
# clamscan -r test                                       # test scanning on a directory
# touch /var/log/clam-update.log
# chmod 644 /var/log/clam-update.log
# chown clamav /var/log/clam-update.log
# freshclam -d -c 2 -l /var/log/clam-update.log          # update the virus database (daemon mode, checks twice a day)
# touch /etc/cron.daily/freshclam


Code:

# vi /etc/cron.daily/freshclam


#!/bin/bash
# one-shot update: do not pass -d here, or every daily run would start another freshclam daemon
freshclam --quiet -l /var/log/clam-update.log
Code:

# chmod a+xr /etc/cron.daily/freshclam



--------------------Install amavisd------------------
Code:

#rpm -ivh unarj-2.65-3.9.i386.rpm
#rpm -ivh zoo-2.10-11.9.i386.rpm
#rpm -ivh unrar-3.2.3-2.9.i386.rpm
#rpm -ivh arc-5.21e-6.i386.rpm
#tar zvxf amavis-0.3.12.tar.gz
#cd amavis-0.3.12
#groupadd amavis
#useradd amavis -g amavis -s /bin/nologin
#./configure --enable-postfix
#make && make install
#vi /etc/amavisd.conf



  # sender address of the notifications, and the admin recipients for virus/spam reports
  $mailfrom_notify_admin = 'xiyang@yovole.com';
  $mailfrom_notify_recip = 'xiyang@yovole.com';
  $mailfrom_notify_spamadmin = 'xiyang@yovole.com';
  $virus_admin = 'xiyang@yovole.com';
  $spam_admin = 'xiyang@yovole.com';
  $final_virus_destiny = 0;
  $final_spam_destiny = -1;
  # SpamAssassin score at which spam headers are added, and at which the spam action is taken
  $sa_tag_level_deflt = 4;
  $sa_kill_level_deflt = 6.9;


------------------edit the postfix config files-------------

* add to /etc/postfix/main.cf:

    content_filter = vscan:
    # For testing purposes it might make sense to use this; remove it once the filter works,
    # otherwise every permanent (5xx) rejection is turned into a retry
    soft_bounce = yes

  * add to /etc/postfix/master.cf:

    # hand every message to amavis, which re-injects it on port 10025
    vscan            unix  -  n  n  -  10  pipe user=amavis argv=/usr/sbin/amavis ${sender} ${recipient}
    # the re-injection listener must have an empty content_filter, or mail loops back into vscan
    localhost:10025  inet  n  -  n  -  -  smtpd -o content_filter=
  * reload postfix
    # /etc/init.d/postfix reload
   

------------test the app-----------------------
Code:

# clamscan -r -l /root/xiyang/scan_report /var/vmail/    # scan every mailbox under /var/vmail and write the report to /root/xiyang/scan_report
# less /root/xiyang/scan_report


--------------------------------------
Scan started: Sun Dec 28 14:48:29 2003


-- summary --
Known viruses: 11964
Scanned directories: 1049
Scanned files: 1657
Infected files: 0
Data scanned: 102.24 MB
I/O buffer size: 131072 bytes
Time: 33.310 sec (0 m 33 s)
--------------------------------------
Scan started: Sun Dec 28 14:52:13 2003

/var/vmail//root/new/1030594139.21504_0.yovole.com,S=165330: Exploit.IFrame.Gen FOUND
......................

Code:

# cd /var/vmail//root/new/
# cat 1030930201.10626_0.yovole.com\,S\=143154\:2\, | mail -s "xiyangtest" xiyang@yovole.com    # re-send a message clamscan flagged, to watch the filter catch it in transit
#tail -f /var/log/maillog | grep virus
Dec 29 19:48:52 mail amavisd[26510]: Virus found (message-id=<20031229114851.BE6AB256D6D@mail.yovole.com>) - quarantined as virus-20031229-194852-26510
Dec 29 19:48:54 mail postfix/smtpd[25205]: 10C35256D71: reject: RCPT from localhost.localdomain[127.0.0.1]: 450 <virusalert>: User unknown in local recipient table; from=<postmaster> to=<virusalert> proto=ESMTP helo=<localhost>
Dec 29 19:48:55 mail amavisd[26523]: mail forwarding failed, retry: Temporary reject by MTA: 450 <virusalert>: User unknown in local recipient table (message-id=<20031229114852.90811256D6D@mail.yovole.com>)
Dec 29 19:48:55 mail postfix/pipe[25194]: 90811256D6D: to=<virusalert>, relay=vscan, delay=3, status=deferred (temporary failure)
#cd /var/virtusmail
#ls
virus-20031229-184553-14247  virus-20031229-184757-14607  virus-20031229-185221-15290  virus-20031229-194852-26510
virus-20031229-184616-14330  virus-20031229-184853-14767  virus-20031229-194810-26292


------------------------------
Author: xiyang@sharesec.com
Discussion welcome; please point out any mistakes.


[This post was edited by XiYang (cimsxiyang) on 07-22 at 09:40]

OP    Posted: 03-12-29 13:45
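As an added example, not part of the original post: a small shell script for exercising and checking this setup. It builds a test message that carries the EICAR test file as a base64 attachment, which is what to push through the filter instead of re-mailing a real infected message out of a mailbox as the post does, and it summarises the amavisd/postfix lines in maillog, pairing each "Virus found" entry with its quarantine name and counting deliveries to the vscan pipe that postfix deferred (the <virusalert> 450 seen above is exactly that failure). The sendmail path, the example.com addresses and the sample log lines are assumptions or constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a Postfix sendmail at
# /usr/sbin/sendmail; the addresses and the sample log lines are made up.

# The EICAR test string: every scanner, clamd included, reports it as a find.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# make_eicar_message FROM TO OUTFILE
# Writes a complete message with the test file as a base64 attachment,
# so the attachment-decoding path of amavis is exercised, not just the body.
make_eicar_message() {
    from=$1 to=$2 out=$3
    boundary="eicar-test-$$"
    {
        printf 'From: %s\n' "$from"
        printf 'To: %s\n' "$to"
        printf 'Subject: EICAR test through content_filter\n'
        printf 'MIME-Version: 1.0\n'
        printf 'Content-Type: multipart/mixed; boundary="%s"\n\n' "$boundary"
        printf '%s\n' "--$boundary"
        printf 'Content-Type: text/plain\n\n'
        printf 'This message carries the EICAR test file as an attachment.\n\n'
        printf '%s\n' "--$boundary"
        printf 'Content-Type: application/octet-stream; name="eicar.com"\n'
        printf 'Content-Transfer-Encoding: base64\n'
        printf 'Content-Disposition: attachment; filename="eicar.com"\n\n'
        printf '%s' "$EICAR" | base64
        printf '%s\n' "--$boundary--"
    } > "$out"
}

# extract_attachment MSGFILE
# Prints the decoded first base64 attachment; confirms the file really
# contains the EICAR string (works on a quarantined copy as well).
extract_attachment() {
    awk '/^Content-Transfer-Encoding: base64/ {hdr=1; next}
         hdr && /^$/ {body=1; next}
         body && /^--/ {exit}
         body {print}' "$1" | base64 -d
}

# sample_maillog
# Constructed log lines in the format amavisd and postfix wrote in the post:
# a find that was quarantined, the admin notification bouncing off a missing
# local user and being deferred by the vscan pipe, and one normal delivery.
sample_maillog() {
    cat <<'EOF'
Dec 29 19:48:52 mail amavisd[26510]: Virus found (message-id=<test-1@mail.example.com>) - quarantined as virus-20031229-194852-26510
Dec 29 19:48:54 mail postfix/smtpd[25205]: 10C35256D71: reject: RCPT from localhost.localdomain[127.0.0.1]: 450 <virusalert>: User unknown in local recipient table; from=<postmaster> to=<virusalert> proto=ESMTP helo=<localhost>
Dec 29 19:48:55 mail postfix/pipe[25194]: 90811256D6D: to=<virusalert>, relay=vscan, delay=3, status=deferred (temporary failure)
Dec 29 19:50:10 mail postfix/pipe[25199]: A1B2C3D4E5F6: to=<user@example.com>, relay=vscan, delay=1, status=sent (delivered via vscan service)
EOF
}

# summarize_virus_log LOGFILE
# One line per find: "<quarantine name> <message-id>", then totals. A
# non-zero "deferred" count means mail handed to vscan (the alert mail
# included) is stuck in the queue, not just delayed.
summarize_virus_log() {
    awk '
        /amavisd\[[0-9]+\]: Virus found/ {
            mid = $0; sub(/.*message-id=</, "", mid); sub(/>.*/, "", mid)
            qid = $0; sub(/.*quarantined as /, "", qid); sub(/[ ,].*/, "", qid)
            print qid, mid; found++
        }
        /relay=vscan/ && /status=deferred/ { deferred++ }
        END { printf "found=%d deferred=%d\n", found, deferred }
    ' "$1"
}

# Demo run (writes only under a temp directory): build the message, check the
# attachment decodes back to the EICAR string, and summarise the sample log.
# To send it through the real filter: /usr/sbin/sendmail -i -t < "$work/eicar.eml"
work=$(mktemp -d)
make_eicar_message postmaster@example.com user@example.com "$work/eicar.eml"
[ "$(extract_attachment "$work/eicar.eml")" = "$EICAR" ] && echo "attachment decodes to EICAR"
sample_maillog > "$work/maillog"
summarize_virus_log "$work/maillog"
rm -rf "$work"
```

After sending the generated message with sendmail, the expected trace is the same as in the post: an amavisd "Virus found ... quarantined as virus-..." line, a new file in the quarantine directory, and no deferred line for the vscan relay; if "deferred" is non-zero, fix the virus-admin address before trusting the alerts.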

Reply: Garu [syshunter]   Moderator
Not bad, good stuff.

Floor 1    Posted: 04-01-05 10:36

Copyright © 2000-2010 20CN Security Group. All Rights Reserved.