ClamAV Milter E-Mail notification

When running Postfix with clamav-milter you often configure the server to reject the email on SMTP time.

It’s possible to let the recipient know, that an email contained a virus and was rejected with the following configuration in /etc/clamav/clamav-milter.conf

SupportMultipleRecipients true
VirusAction /usr/local/bin/virus-alert.py

In order to generate the notification email I created a very simple Python script to compose the email and send it via the local sendmail binary.
While it is very basic on one side (e.g. no logging or exception handling), it is able to decode MIME encoded input headers on the other. A lot of VirusAction example scripts out there don’t do that, which was the reason to create it.
Maybe it useful for someone else as well.

/usr/local/bin/virus-alert.py

#!/usr/bin/env python3
import sys
from email.header import decode_header, make_header
import socket
from string import Template
import textwrap
from email.mime.text import MIMEText
import subprocess

hostname = socket.gethostname()
alert_subject = '[Virus-Alert]: An infected E-Mail has been rejected'
alert_sender = 'postmaster@{}'.format(hostname)

msg = {}
msg['hostname'] = hostname
msg['virus'] = sys.argv[1]
msg['id'] = sys.argv[2]
msg['sender'] = str(make_header(decode_header(sys.argv[3])))
msg['recipient'] = str(make_header(decode_header(sys.argv[4])))
msg['subject'] = str(make_header(decode_header(sys.argv[5])))
msg['rid'] = sys.argv[6]
msg['date'] = sys.argv[7]

template = Template('''
  This message was generated by the Antivirus system running on $hostname.
  The following message was rejected. No further action is required.
  
  Signature :  $virus
  Date      :  $date
  Subject   :  $subject
  Sender    :  $sender
  Recipient :  $recipient
  ID        :  $id
''')

mail = MIMEText(textwrap.dedent(template.substitute(**msg)), 'plain', 'utf-8')
mail['From'] = alert_sender
mail['To'] = msg['recipient']
mail['Subject'] = alert_subject
s = subprocess.Popen(['/usr/sbin/sendmail', '-t', '-oi'], stdin=subprocess.PIPE, universal_newlines=True)
s.communicate(mail.as_string())

The setup can be tested with the following shell command. clamav-milter will invoke the script the same way. The recipient of the test email will be root.

/usr/local/bin/virus-alert.py \
"Heuristics.Phishing.Email.SpoofedDomain" \
"123456" \
"evil-sender@example.com" \
"root" \
"VirusAction Test" \
"123456" \
"$(date --rfc-2822)"

Schreibe einen Kommentar