Scanning email as it arrives

Discussions relating to ClamXav

Moderator: Mark

Postby IronTooth » Sat 02 May 2009 11:58 am

Jim -

Apologies for the delay in responding. I'm using a different mail program now, and haven't looked at this in several months. I never did get to the point of being satisfied that the script approach was working well, and abandoned the idea. Part of the problem was probably due to the fact that I am fairly clueless when working in AppleScript.

Sorry I can't be more help...

- Don

Postby IronTooth » Mon 07 Sep 2009 1:49 pm

Jim -

I tried your new version of the Apple Mail script in Tiger, and still get the 'Home directory full' message, and/or Apple Mail crashing.

As I said previously, I am no longer using Mail as my default email client. I'm using PowerMail, and have been working on a script for that client, which I will share soon. It seems to be working fine (no errors or crashing as in Mail), but I can't get the eicar sample into an incoming message to try. The two ISPs that I use are running antivirus software: with one, the test message is never delivered; on the other, I get a message stating that the virus was stripped out. I can run the script on already received messages, but it is not helpful because PowerMail detaches the attachments upon receipt. I am currently having Sentry scan the user's attachments folder, but would like the script to work for the added protection against phishing and such.

Update soon (I hope!)

- Don

Postby IronTooth » Tue 15 Sep 2009 1:30 am

Hey, all -

Here's the script as I have it adapted for use with PowerMail. I have been running it for a couple of weeks with no instability or other issues. To some extent, it is redundant, in that PowerMail automatically detaches attachments to a designated folder, so Sentry can monitor that and catch any attached malware. The script approach, however, also catches the phishing stuff that clamav 'knows' about. Since my ISPs both have some sort of virus filtering, I haven't been able to verify that it scans attachments successfully, but it has gotten a couple of hits on 'phish'. I have a filter (the first in my list) set up to run this script. As run, it assigns a label to malware. The next filter on the list looks for the label and puts it in a folder named '_Quarantine'. There is code in the script to optionally change the subject text, but I like the label approach for my purposes. Anyhow - here it is:

Code:
-- This script is for running a virus scan on an incoming email message in PowerMail

-- notes: 

-- 1) PowerMail detaches all attachments upon receipt into the user's Attachments folder;
--      if you are only interested in malware attachments you can have Sentry scan that folder.
--     If so, the main benefit of this script is for phishing and similar scams detected by clamav.
-- 2)  Running this script will make monitoring the Attachments folder redundant.
-- 3)  Since attachments are deleted when the message is deleted, there is no need to find malware
--      on disk if you delete the message.
-- 4) Can tag infected email subject lines with "[**VIRUS** - ClamAV]"  or label the message
-- 5) There are several commented-out commands that may be used for diagnostics.
-- 6) This script assumes a standard installation of ClamXav and clamd process running
--     (e.g. - ClamXav sentry running at startup)
-- 7) Other settings:
--    In clamd.conf, find option ScanMail and set to: ScanMail no (default yes, commented out with #)
--    In ClamXav prefs, General pane - Uncheck "Scan e-mail content for malware and phishing"

-- Derived from the Apple Mail scanning script that has evolved at Mark's Software Forums
--   http://markallan.co.uk/BB/viewforum.php?f=1
--     Sticky: Scanning email as it arrives

tell application "PowerMail"
   set theMessages to current messages
   repeat with theMsg in theMessages
      set msgSource to source of theMsg
      -- display dialog "Message content = " & words 1 thru 20 of msgSource
      tell application "System Events"
         -- get a free name for a temporary file in the user's Temporary Items folder
         set tmpdir to (path to "temp" from user domain as text)
         set tmpnam to "tmp-clamAVscan"
         set tmpfil to tmpdir & tmpnam as text
         -- should usually be ok, but add a counter if the file still exists
         set tmp to tmpfil
         set c to 0
         repeat while (exists file tmpfil)
            set c to c + 1
            set tmpfil to (tmp & c) as text
         end repeat
         -- copy the raw message source (headers and body) to the temporary file
         set f to (open for access file tmpfil with write permission)
         set eof of f to 0 -- overwrite file
         write msgSource to f as string
         close access f
      end tell
      
      try
         -- When testing, I had Label 9 assigned the text "ClamXav scanned"
         -- set label of theMsg to 9
         -- The following 2 lines were used to verify the ability to change the subject
         -- set currentSubject to subject of theMsg
         -- set subject of theMsg to "VS " & currentSubject
         -- quoted form keeps the shell from splitting the path on spaces or metacharacters
         set commandline to "/usr/local/clamXav/bin/clamdscan --quiet --stdout --config-file=/usr/local/clamXav/etc/clamd.conf " & quoted form of POSIX path of tmpfil
         -- display dialog "Clamd command line = " & commandline
         -- clamdscan exits 0 when clean, 1 when infected, 2 on error; a non-zero exit makes
         -- do shell script raise an error whose number is that exit code, handled below
         do shell script commandline
         
      on error errMsg number exitCode
         if (exitCode = 1) then
            -- In my PowerMail preferences, Label 10 is assigned the text "Virus Alert!".
            set label of theMsg to 10
            -- The following can be used to change the subject of the message
            -- set currentSubject to subject of theMsg
            -- set subject of theMsg to "[**VIRUS** - ClamAV]" & currentSubject
            -- The following line is for manual scans only for testing purposes
            -- display dialog "Virus Detected!"
            -- The following line (if activated) works with the included spam filters to move the message to the Spam folder.
            -- set spam rating of theMsg to 100            
         else
            -- exit code 2 (or anything else) means clamd could not scan the file, not that it is clean
            display dialog "Clamd error: Exit Code = " & exitCode & ", Message = " & errMsg
            -- if user cancels script here, the temporary file will not be removed
         end if
      end try
      -- clean up temporary file
      tell application "System Events" to delete file tmpfil
   end repeat
end tell


As you can see, I have included a lot of comments, and also the commented-out code I used for testing.

Hopefully this can be useful for someone else trying to get mail scanning running on another scriptable client.
- Don
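The script above does three things that carry over to any scriptable client: dump the raw message source to a file, hand that file to clamdscan, and branch on the exit status (0 clean, 1 infected, 2 error). The following is an added example by the editor, not Don's script and not ClamXav's own code, showing the same loop in Python with two hardening changes a practitioner would want: a private, randomly named temporary file instead of a predictable name in the shared temp folder, and clamdscan invoked with an argument list rather than a concatenated shell command line, so a path with spaces or shell metacharacters cannot break the command. The ClamXav binary and clamd.conf locations are taken from the post; the `--stdout --no-summary --infected` switches are standard clamdscan options used here instead of `--quiet`, which suppresses the "FOUND" line that names the signature. The `runner` parameter is an assumption of this example (it lets the scan logic be exercised without a running clamd); the sample message is constructed, not a real capture.

```python
"""Scan one raw e-mail message with clamdscan and return a structured verdict."""
import os
import subprocess
import tempfile
from typing import Callable, List, Optional, Tuple

# Locations from the ClamXav layout quoted in the post above (assumed; adjust to your install).
CLAMDSCAN = "/usr/local/clamXav/bin/clamdscan"
CLAMD_CONF = "/usr/local/clamXav/etc/clamd.conf"

# A runner takes an argv list and returns (exit code, combined output).
# Injectable so the verdict logic can be tested without clamd running.
Runner = Callable[[List[str]], Tuple[int, str]]


def run_clamdscan(argv: List[str]) -> Tuple[int, str]:
    """Execute clamdscan without a shell; a missing binary is reported as exit code 2."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True)
    except FileNotFoundError as exc:
        return 2, "cannot run %s: %s" % (argv[0], exc)
    return proc.returncode, proc.stdout + proc.stderr


def parse_found(output: str) -> Optional[str]:
    """Return the signature name from a '<path>: <name> FOUND' line, or None.

    The path is split off from the right so a path containing ': ' does not confuse it.
    """
    for line in output.splitlines():
        line = line.strip()
        if line.endswith(" FOUND") and ": " in line:
            return line[: -len(" FOUND")].rsplit(": ", 1)[1]
    return None


def scan_message(raw: bytes, runner: Runner = run_clamdscan) -> dict:
    """Write the raw message to a private temp file, scan it, and always remove the file.

    clamdscan exit codes: 0 clean, 1 infected, 2 error (clamd down, unreadable file, ...).
    An error is reported as such, never silently treated as clean.
    """
    # NamedTemporaryFile creates the file with a random name and mode 0600.
    with tempfile.NamedTemporaryFile(prefix="clamav-mail-", suffix=".eml", delete=False) as tmp:
        tmp.write(raw)
        path = tmp.name
    try:
        argv = [CLAMDSCAN, "--stdout", "--no-summary", "--infected",
                "--config-file=" + CLAMD_CONF, path]
        code, output = runner(argv)
    finally:
        os.unlink(path)  # the clamd run is finished; the only copy of the message is the client's
    if code == 0:
        return {"verdict": "clean", "signature": None, "exit_code": 0}
    if code == 1:
        return {"verdict": "infected", "signature": parse_found(output), "exit_code": 1}
    return {"verdict": "error", "signature": None, "exit_code": code, "detail": output.strip()}


if __name__ == "__main__":
    # Constructed sample message (not a real capture). On a host with clamd running this
    # prints a 'clean' verdict; without clamdscan installed it prints an 'error' verdict.
    sample = (b"From: alice@example.com\r\nTo: bob@example.com\r\n"
              b"Subject: test\r\n\r\nhello\r\n")
    print(scan_message(sample))
```

A mail-client hook would call `scan_message(source_bytes)` once per new message and map `infected` to the label-and-quarantine filter, `error` to a visible alert (the PowerMail script's dialog branch), and only `clean` to normal delivery.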

Scanning "E-MAIL" etc ...

Postby Jim babcock » Sun 20 Sep 2009 10:04 pm

don: A great feat accomplished!...

A few questions:
1) Where/what is Powermail?
2) Is a 'filter' the same as Apple Mail's "Rules"?
3) Could you explain the terms "Label 9, 10, etc." in terms of Apple Mail?

Good work, thanks for posting

Cheers, Jim B
Following EDIT obsolete:
[EDIT] : I did learn 1 other thing: I had a Third rule re: looking for SPAM filter output FROM my ISP... To make my script work, I had to put THAT Rule FIRST in line... followed by the TWO rules to find a virus and change the message text...


[EDIT] Oct 14 09: I pulled BOTH rules out... My ISP changed the filtering scheme for SPAM so I just store any virus message in my Quarantine folder in APPLE MAil so no need for following:

""".. i.e. look for Message Subject changed to 'SPAM'; then run Rule on the message re: is there a Virus; and then run the final Rule to test if the message had a virus."""
Last edited by Jim babcock on Wed 14 Oct 2009 10:03 pm, edited 1 time in total.
V3.0.5/0.100.1_02 275.377
OS 10.10.5/24" iMac/4GB/VMWare 7.0.3 w/Win7x64

Postby IronTooth » Mon 21 Sep 2009 1:10 am

Hi, Jim -

1) PowerMail is a commercial email client that many consider to be the spiritual successor to the ancient Claris Emailer. In fact, I just this year changed My Lady Technophobe over from a Quadra 650 running Claris Emailer to a G3 iMac running PowerMail, and she didn't have any trouble with the transition. I started using it on my PowerBook 1400 several years back (I think I was running Mac OS 8.6 at the time), and am using the current version on my Pismo under Tiger.

http://www.ctmdev.com/powermail/powerma ... _features/

2) In PowerMail, a 'filter' is indeed analogous to a Rule in Mail.

3) As delivered, (Tiger) Mail doesn't have an equivalent to PowerMail's labels (unless you consider the 'flag' to be a/the label). PowerMail allows you to assign one of 10 labels to an email message (think labels in Finder, and you'd be close). PowerMail keeps track of them internally by number (hidden from the user, except in scripting), while the user can assign both a name and a color to each label. I understand MailTags adds a flexible tagging system to Mail messages...

My priority/order for Rules/Filters is:

1) Does it contain a virus? If so, Quarantine it (2 filters).
2) If it comes from an interesting or trusted source, sort into folders by sender/category (e.g. - my bank, mailing lists, etc).
3) If it is labeled as spam by SpamAssassin, or by some additional rules that PowerMail provides, or if it is on my private blacklist, raise the spam rating accordingly
4) If the spam rating is above a certain threshold, put it into the Spam folder.

I have SpamSieve, and have used it both in Mail and PowerMail, but since the ISP that delivers almost all of my spam has SpamAssassin running, I gain very little at this time by adding SpamSieve to the equation.

Someday I may decide to not bother with quarantining those messages identified as virus-containing, and just dump them into my SPAM folder for deletion (still with the 'Virus Alert!' label). That's why I included the line in the script that raises the 'spamminess' rating that PowerMail uses to filter for spam messages.
- Don

Re: Mail script w/ clamXav NOW IT WORKS in Leo & SL

Postby Jim babcock » Tue 08 Dec 2009 10:05 pm

Hi Tony D: here is a copy of my scan approach (In "Scanning email as it arrives")

### NOTE TO ALL: Edited on Sept 3 #########
### AND AGAIN : Edited on Oct 14 2009############
### FINAL CHANGE: Feb 1, 2011################

BIG NOTE: Please refer to this post for the latest on using my script(s) to scan Apple Mail incoming messages.

Cheers, Jim B
Last edited by Jim babcock on Tue 01 Feb 2011 9:27 pm, edited 1 time in total.

local and IMAP _Quarantine and Quarantine mailboxes

Postby grahamperrin » Fri 02 Apr 2010 6:33 am

Jim babcock wrote:
Code:
                  move thisMessage to mailbox "_Quarantine"



Three questions:

1. If there already exists an IMAP mailbox
Quarantine
(I see this in a Microsoft Exchange Server 2003 environment)
then is there value in creating a separate
_Quarantine
for this scripted approach?

2. Is the intention of the underscore to raise the mailbox, alphabetically?

3. Maybe answering the first question … where there are multiple IMAP servers, at least one of which includes a Quarantine, is it preferable for the script to move suspects to a local quarantine? (Not to a remote quarantine.)

I assume that local is preferred. Imagining that an IMAP server with virus protection may somehow refuse a scripted write (move) of an infected message that originated from a less well protected server.

Scripts for Apple Mail Scans

Postby Jim babcock » Sat 03 Apr 2010 5:05 pm

grahamperrin:
Your queries:
1. Not sure (see #3 below)
2. Yes to be first folder in list
3. I would prefer a local folder for my control.

I now use an alternate script that uses Clamscan .. instead of clamDscan...
Clamd is faster; clamscan is much slower but considerably more accurate.

See: http://scriptbuilders.net/show_author_s ... cr_id=5420

Download the <clamscan-Script-Apple-Mail> if you want clamscan...
Or <Script-for-APPLE-Mail> if you want the clamd version

Cheers, Jim B

Re: Mail script w/ clamXav NOW IT WORKS in Leo & SL

Postby Jim babcock » Fri 07 May 2010 12:58 am

Sorry My error in posting
Jim B

Using clamscan IN PLACE OF clamdscan... Works in SL ....

Postby Jim babcock » Wed 12 May 2010 4:16 pm

All deleted to fix confusion of too many "Scripts" floating around the Forum.

Use this post for a correct sample of usage.

Cheers, Jim B
Last edited by Jim babcock on Tue 01 Feb 2011 9:44 pm, edited 1 time in total.

accuracy and performance of clamd clamdscan and clamscan

Postby grahamperrin » Sat 17 Jul 2010 7:18 pm

Jim babcock wrote:
<clamscan> is … more accurate according to the MAN pages for <clamdscan>.


http://www.clamxav.com/BB/viewtopic.php?t=2022 is
accuracy and performance of clamd clamdscan and clamscan
(I'm confused …)

Re: clamxav and entourage

Postby alvarnell » Thu 10 Feb 2011 6:20 pm

edson wrote:
is it possible to use clamxav to scan incoming messages in entourage?

Perhaps, if you are using the latest 2011 version of Entourage. Older versions put all of the mail in one big file which is generally too big to scan and even if you could then tried to quarantine or move that file you will lose all of your email.
-Al-
--
iMac(21.5-inch, Mid 2011) 2.8GHz Intel Core i7/OSX 10.10.5, 10.11.6, 10.12.6 & 10.13.6/ClamXAV v3.0.9 (7713)/0.100.2_01
iMac(Retina 5K, 27-inch, 2017) 4.2GHz Intel Core i7/macOS 10.12.6, 10.13.6 & 10.14.5/ClamXAV v3.0.11 (7899)/0.101.2_09

Re: Scanning email as it arrives

Postby AMCarter3 » Thu 06 Oct 2011 6:39 am

Does this method for scanning email work with Mail in Snow Leopard?

jow wrote:
Using Sentry in the preferences and in the Menu Bar, the path to scan emails as they arrive in your inbox is as follows:-
Users/YOUR NAME/Library/Mail/YOUR EMAIL ADDRESS/INBOX.mbox/Messages. Make sure you select the right email address usually it is preceded by POP-. This is using Mac/Apple Mail on a G4/5 RUNNING TIGER 10.4.1. (PLEASE NOTE THIS IS FOR TIGER ONLY).
I have run out of compliments for Mark with this programme. There are a few minor teething troubles with version 1.0 but it is an excellent piece of work!!!!!!!!!!
Mac
MacBook AIR, 8 GB Ram

Re: Scanning email as it arrives

Postby mundkur » Thu 06 Oct 2011 7:04 am

AMCarter3 wrote:
Does this method for scanning email work with Mail in Snow Leopard?

jow wrote:
Using Sentry in the preferences and in the Menu Bar, the path to scan emails as they arrive in your inbox is as follows:-
Users/YOUR NAME/Library/Mail/YOUR EMAIL ADDRESS/INBOX.mbox/Messages. Make sure you select the right email address usually it is preceded by POP-. This is using Mac/Apple Mail on a G4/5 RUNNING TIGER 10.4.1. (PLEASE NOTE THIS IS FOR TIGER ONLY).
I have run out of compliments for Mark with this programme. There are a few minor teething troubles with version 1.0 but it is an excellent piece of work!!!!!!!!!!

The foregoing was relevant to ClamXav Version 1, but we are now at Version 2.2.2. To scan e-mail, simply select the check box in ClamXav Preferences "General" tab and, preferably, set up ClamXav Sentry to scan your Mail Downloads and other folders that may import malware. When scanning e-mail with ClamXav, it is preferable to not use the options to quarantine or delete suspect files automatically, as this may lead to avoidable complications with your mailboxes. Please refer to the various threads on this forum to handle malware in e-mail without quarantine or automatic delete using ClamXav.
ClamXav 2.3.4 / Mac OS 10.8.2 / 21.5" iMac (mid 2011) / 2.5 GHz Intel Core i5 / 8 GB RAM

Re: Scanning email as it arrives

Postby AMCarter3 » Thu 06 Oct 2011 7:10 am

So, I should turn OFF "Quarantine" in the Sentry Pref. Is there any other pref to turn OFF?

mundkur wrote:
The foregoing was relevant to ClamXav Version 1, but we are now at Version 2.2.2. To scan e-mail, simply select the check box in ClamXav Preferences "General" tab and, preferably, set up ClamXav Sentry to scan your Mail Downloads and other folders that may import malware. When scanning e-mail with ClamXav, it is preferable to not use the options to quarantine or delete suspect files automatically, as this may lead to avoidable complications with your mailboxes. Please refer to the various threads on this forum to handle malware in e-mail without quarantine or automatic delete using ClamXav.
