综述:
世面上关于邮件病毒的软件很多,其中以perl的居多。我之所以选择amavis和clamav是因为这些都是c写,首先在性能上就具备了优势。同时,amavis具有很好的扩展性。可以把他理解为一个扫描框架,clamav是一个扫描引擎。当然,也可以使用其他扫描引擎。
:)
软件准备:
amavis-0.3.12.tar.gz
unarj-2.65-3.9.i386.rpm
zoo-2.10-11.9.i386.rpm
unrar-3.2.3-2.9.i386.rpm
clamav-0.65.tar.gz
arc-5.21e-6.i386.rpm
软件安装:
--------install clamav---------
CODE
#tar zvxf clamav-0.65.tar.gz
#cd clamav-0.65
# groupadd clamav
#useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
#./configure
#make %26amp;%26amp; make install
#vi /usr/local/etc/clamav.conf
LogFile /var/log/clamd.log
LogFileMaxSize 2M
LogVerbose
LogTime
PidFile /var/run/clamd.pid
DataDirectory /usr/local/share/clamav
LocalSocket /tmp/clamd
MaxDirectoryRecursion 15
User clamav
ScanArchive
ArchiveMaxFileSize 10M
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
CODE
#clamd
# ps -aux | grep clamd
clamav 9896 0.0 0.7 26448 7220 ? S 04:27 0:00 /usr/local/sbin/clamd
root 22660 0.0 0.0 3548 616 pts/1 R 19:30 0:00 grep clamd
# echo /usr/local/sbin/clamd /etc/rc.d/rc.local
#clamscan -r test /*测试杀毒*/
#touch /var/log/clam-update.log
#chmod 644 /var/log/clam-update.log
#chown clamav /var/log/clam-update.log
# freshclam -d -c 2 -l /var/log/clam-update.log /*升级病毒库*/
#touch /etc/cron.daily/freshclam
CODE
#vi /etc/cron.daily/freshclam
#!/bin/bash
freshclam --quiet -d -c 2 -l /var/log/clam-update.log
CODE
#chmod a+xr /etc/cron.daily/freshclam
--------------------Install amavisd------------------
CODE
#rpm -ivh unarj-2.65-3.9.i386.rpm
#rpm -ivh zoo-2.10-11.9.i386.rpm
#rpm -ivh unrar-3.2.3-2.9.i386.rpm
#rpm -ivh arc-5.21e-6.i386.rpm
#tar zvxf amavis-0.3.12.tar.gz
#cd amavis-0.3.12
#groupadd amavis
#useradd amavis -g amavis -s /bin/nologin
#./configure --enable-postfix
#make %26amp;%26amp; make install
#vi /etc/amavisd.conf
$mailfrom_notify_admin ='xiyang@yovole.com'
$mailfrom_notify_recip = 'xiyang@yovole.com';
$mailfrom_notify_spamadmin = 'xiyang@yovole.com';
$virus_admin = 'xiyang@yovole.com';
$spam_admin = 'xiyang@yovole.com';
$final_virus_destiny = 0;
$final_spam_destiny = -1;
$sa_tag_level_deflt = 4;
$sa_kill_level_deflt = 6.9;
------------------edit the postfix config files-------------
* add to /etc/postfix/main.cf:
content_filter = vscan:
soft_bounce = yes
# For testing purposes it might make sense to use this
* add to /etc/postfix/master.cf:
vscan unix - n n - 10 pipe user=amavis argv=/usr/sbin/amavis ${sender} ${recipient}
localhost:10025 inet n - n - - smtpd -o content_filter=
* reload postfix
#/etc/init.d/postfix reload
------------test the app-----------------------
CODE
#clamscan -r -l /root/xiyang/scan_repost /var/vmail/ /******扫描/var/vmail下的所有邮件,并将扫描结果保存在/root/xiyang下的scan_report文件中*/
# less scan_report
--------------------------------------
Scan started: Sun Dec 28 14:48:29 2003
-- summary --
Known viruses: 11964
Scanned directories: 1049
Scanned files: 1657
Infected files: 0
Data scanned: 102.24 MB
I/O buffer size: 131072 bytes
Time: 33.310 sec (0 m 33 s)
--------------------------------------
Scan started: Sun Dec 28 14:52:13 2003
/var/vmail//root/new/1030594139.21504_0.yovole.com,S=165330: Exploit.IFrame.Gen FOUND
......................
CODE
#cd /var/vmail//root/new/
# cat 1030930201.10626_0.yovole.com\,S\=143154\:2\, | mail -s "xiyangtest" xiyang@yovole.com
#tail -f /var/log/maillog | grep virus
Dec 29 19:48:52 mail amavisd[26510]: Virus found (message-id=) - quarantined as virus-20031229-194852-26510
Dec 29 19:48:54 mail postfix/smtpd[25205]: 10C35256D71: reject: RCPT from localhost.localdomain[127.0.0.1]: 450 : User unknown in local recipient table; from= to= proto=ESMTP helo=
Dec 29 19:48:55 mail amavisd[26523]: mail forwarding failed, retry: Temporary reject by MTA: 450 : User unknown in local recipient table (message-id=)
Dec 29 19:48:55 mail postfix/pipe[25194]: 90811256D6D: to=, relay=vscan, delay=3, status=deferred (temporary failure)
#cd /var/virtusmail
#ls
virus-20031229-184553-14247 virus-20031229-184757-14607 virus-20031229-185221-15290 virus-20031229-194852-26510
virus-20031229-184616-14330 virus-20031229-184853-14767 virus-20031229-194810-26292
,
