better techniques to identify and remove zero-day viruses from cyrus store sought

John Crawford jmc-cyrus at sociology.osu.edu
Tue Aug 21 13:25:06 EDT 2007


Hello.

What's the best way, and second best way to react to zero-day virus
threats - messages that are delivered to the mail store before the
detection is in place? Is there a best practice that functions nicely
within the cyrus community?  Like a perl script that traverses the
mail store (via imap or cyrus utilities) and checks message content
against an antivirus command line?  And then safely within the cyrus
system deletes the message?  I can't do that. I don't have that
functionality. Can anyone share code or ideas to help make this
happen?

The second best I can think of is traverse and locate the storage
system from the command line, remove found exploited messages and
reconstruct ASAP the mailboxes with changes.  Here we are working
outside of cyrus, so it's discouraged.

long line:
# -cmin -360: files changed in the last 6 hours (GNU find's -ctime counts days only)
find /var/spool/imap/user/ -name "*\." -cmin -360 -print0 | xargs -0 \
  clamscan | grep FOUND > badones

remove and reconstruct based on file badones.

As a related question, if I locate a message in the mail store from
command mode, and neuter some aspect of the vulnerability presented by
modifying the text of the stored message yet retaining the same
message size, are there internal cyrus structures that require
updating?  I seem to get good results from this, but I'm guessing
reconstruct afterwards is best. (and that the idea of modification
from the file system is, yes, discouraged).

thanks for any thoughts or ideas,

John
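A sketch of the "delete safely within cyrus" step the post asks about, added here as an example; it is not the poster's code nor part of Cyrus. It assumes the find|clamscan pipeline from the post has been captured to a file, the default non-hashed spool layout (hashimapspool: no) with "." as the hierarchy separator, and an IMAP session logged in as a Cyrus admin; the clamscan output below is constructed.

```python
import re
from pathlib import PurePosixPath

# Constructed sample of clamscan output, one line per file, as the find|xargs
# pipeline in the post would produce. Paths assume the default non-hashed
# Cyrus spool layout: /var/spool/imap/user/<user>/<folder>/<uid>.
SAMPLE_CLAMSCAN_OUTPUT = """\
/var/spool/imap/user/jdoe/1.: OK
/var/spool/imap/user/jdoe/2.: Eicar-Test-Signature FOUND
/var/spool/imap/user/jdoe/Sent/7.: Eicar-Test-Signature FOUND
/var/spool/imap/user/asmith/3.: OK
"""

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>.+) FOUND$")

def spool_path_to_mailbox(path, spool_root="/var/spool/imap"):
    """Map a spool file to (mailbox, uid). Assumes 'hashimapspool: no'
    and the default '.' hierarchy separator; file names are '<uid>.'."""
    parts = PurePosixPath(path).relative_to(spool_root).parts
    if len(parts) < 3 or parts[0] != "user" or not parts[-1].endswith("."):
        raise ValueError("not a user mailbox message file: %s" % path)
    return ".".join(parts[:-1]), int(parts[-1][:-1])   # ('user.jdoe.Sent', 7)

def parse_found(output, spool_root="/var/spool/imap"):
    """Return {mailbox: [(uid, signature), ...]} for every FOUND line."""
    hits = {}
    for line in output.splitlines():
        m = FOUND_RE.match(line)
        if m:
            mailbox, uid = spool_path_to_mailbox(m.group("path"), spool_root)
            hits.setdefault(mailbox, []).append((uid, m.group("sig")))
    return hits

def delete_hits(imap, hits):
    """Flag and expunge each hit through IMAP so Cyrus maintains its own
    index files. `imap` is an imaplib.IMAP4 session logged in as a Cyrus
    admin (who has rights on every user mailbox). Returns messages expunged."""
    removed = 0
    for mailbox, uids in hits.items():
        if imap.select(mailbox)[0] != "OK":
            continue
        uidset = ",".join(str(uid) for uid, _ in uids)
        if imap.uid("STORE", uidset, "+FLAGS.SILENT", r"(\Deleted)")[0] == "OK":
            imap.expunge()
            removed += len(uids)
    return removed

if __name__ == "__main__":   # real use: imaplib.IMAP4("localhost").login(...)
    print(parse_found(SAMPLE_CLAMSCAN_OUTPUT))
```

With delayed expunge enabled, the spool file is only unlinked later by cyr_expire, so a follow-up scan of the file system will still list the message until then.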