Well, I spent the last while debugging this and it looks to be a problem on the ClamAV side.

I redirected the output of '$Self->{ParserObject}->GetPlainEmail()' to a temporary file, and when I try to scan that file with clamscan/clamdscan I get no virus in the summary. So, it looks like something is stopping ClamAV from decoding the base64 attachment and determining that it is a virus and stopping the email going through.

I also found an old thread on the clamav list (http://comments.gmane.org/gmane.comp.security.virus.clamav.user/14873) where someone did something similar, so maybe the format of the mail has changed in recent OTRS versions.

Regards,

Pierce

From: otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] On Behalf Of Ward, Pierce
Sent: 27 September 2011 12:56
To: 'otrs@otrs.org'
Subject: [otrs] Clamdscan and PostMaster::Filter::CMD

Hello,

We are using a remote mail server run by a third party that doesn't have the best A/V detection, so we want to scan incoming mails via the OTRS system. From a look at the docs, I believe we want to use the technique used by SpamAssassin at the bottom of this page: http://doc.otrs.org/3.0/en/html/email-receiving.html

The problem is, I cannot get clamdscan to return whatever OTRS expects for it to ignore the email. Here is my setup from Config.pm:

        # Pre-filter: pipe each incoming mail through clamdscan and mark it
        # to be ignored when the scanner reports a match.
        $Self->{'PostMaster::PreFilterModule'}->{'1-ClamAV'} = {
            Module => 'Kernel::System::PostMaster::Filter::CMD',
            CMD    => '/usr/bin/clamdscan --stdout - | grep "FOUND"',
            Set    => {
                'X-OTRS-Ignore' => 'yes',
            },
        };

Assuming it is a stream, the output of the command is:

$ cat eicar.com.txt | clamdscan --stdout - | grep FOUND
stream: Eicar-Test-Signature FOUND

Unfortunately, nothing happens and the mails make it into OTRS with a test virus attached. I have tried changing the 'CMD' to a few different things (e.g. using clamscan instead), but no luck so far. I am sure OTRS is passing something to this command, because if I change it to "CMD => '/usr/bin/clamdscan'", then no tickets are created and I see this in the logs:

Sep 27 11:50:02 <server> OTRS-CGI-10[29783]: [Notice][Kernel::System::PostMaster::Filter::CMD::Run] Set param 'X-OTRS-Ignore' to 'yes' because of '/files/otrs/bin/cgi-bin: OK ' (Message-ID: <12345@host>)

Has anyone done anything like this before? Any ideas what syntax I can use in the CMD? Any help is appreciated.

Regards,

Pierce.

CONFIDENTIALITY NOTICE: The contents of this email are confidential
and for the exclusive use of the intended recipient. If you receive this
email in error, please delete it from your system immediately and
notify us either by email, telephone or fax. You should not copy,
forward, or otherwise disclose the content of the email.
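The log line in the post above shows the CMD filter setting X-OTRS-Ignore "because of" the scanner's plain "OK" line, i.e. it fires on any output at all. The wrapper below is an added example (not from the thread or from OTRS/ClamAV) that prints exactly one line on a positive detection and stays silent on clean mail and on scanner errors, so a clamd outage does not drop every message; the install path /usr/local/bin/otrs-clamav-filter.sh and the CLAMDSCAN override variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a wrapper script for OTRS's
# Kernel::System::PostMaster::Filter::CMD. The filter sets the configured
# header whenever the command prints anything, so this script prints one
# line on a positive detection and nothing otherwise. Config.pm would use:
#   CMD => '/usr/local/bin/otrs-clamav-filter.sh',   (install path assumed)
#
# CLAMDSCAN lets an operator swap in clamscan; the variable is an assumption.
CLAMDSCAN="${CLAMDSCAN:-clamdscan}"

# otrs_av_filter: read one raw message from stdin, scan it, print a
# "<signature> FOUND" line only when the scanner reports an infection, and
# return clamdscan's exit status (0 clean, 1 infected, 2 scanner error).
otrs_av_filter() {
    tmp=$(mktemp) || return 2
    chmod 600 "$tmp"          # the message may contain sensitive content
    cat > "$tmp"
    # --no-summary suppresses the "OK" and summary lines that would otherwise
    # reach OTRS and set X-OTRS-Ignore on every clean message.
    status=0
    result=$("$CLAMDSCAN" --stdout --no-summary "$tmp" 2>/dev/null) || status=$?
    rm -f "$tmp"
    case $status in
        1)  # infected: clamdscan prints "<file>: <signature> FOUND"
            printf '%s\n' "$result" | sed -n 's/^.*: \(.* FOUND\)$/\1/p'
            ;;
        0)  # clean: stay silent so the header is not set
            ;;
        *)  # scanner error (clamd down, socket unreadable, ...): stay silent
            # so mail is not dropped, but tell the operator via stderr
            echo "otrs-clamav-filter: clamdscan failed (exit $status)" >&2
            ;;
    esac
    return $status
}

# Run the filter only when executed as the installed script, so the file can
# also be sourced (e.g. for testing) without consuming stdin.
case "${0##*/}" in
    otrs-clamav-filter.sh) otrs_av_filter ;;
esac
```

Because the header is set on any output, test the wrapper against an EICAR file and against a clean message and confirm it prints nothing in the clean case before wiring it into Config.pm.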