## Sagator unofficial configuration file, modified by David Zejda.
## Most of original comments are deleted - please consult the sagator.conf,
## that comes with your Sagator distribution..
##
## Every name used below (the scanner classes, rename/match_any, is_infected,
## replace_tmpl, collector, smtpd, ...) comes from these three star imports;
## nothing in this file is defined anywhere but here and in the Sagator
## libraries.
from avlib import *
from scanners import *
from srv import *

## Which mails are considered spam; should be the same as the
## required_hits in spamassassin config.
## Should be declared even in case you don't use the variable in
## your config - it's needed by sagator internal scanners like
## "rewrite".
## Keep the (misspelled) name exactly as it is - the internal scanners
## expect this variable under this name.
SPAM_TRESHOLD=4.0

## Rewrites the name of spam to something more useful..
## Used in antispam scanner chains below..
##
## Subclass of rename. scanstream() runs the inherited matching
## (match_any.scanstream) first and, only for messages reported as
## infected, expands self.NEWNAME as a template. Three variables are
## available to that template (see the '$VNAME $STARS' usage in SCANNERS):
##   $VNAME - the name the wrapped scanner reported
##   $LEVEL - the sagator level, as a string
##   $STARS - one '*' per int(level*SPAM_TRESHOLD); presumably this equals
##            the spamassassin hit count, assuming level = hits/SPAM_TRESHOLD
##            - confirm against scanners.py
## self.NEWNAME is presumably set by rename() from its first constructor
## argument - TODO confirm in scanners.py.
class rewrite_name(rename):
    name='rewrite_name()';
    def scanstream(self,stream):
        ## Normal matching first; the triple (level, detected, virlist) is
        ## whatever match_any.scanstream returns for this stream.
        level,detected,virlist=match_any.scanstream(self,stream)
        ## Clean messages are left untouched.
        if not is_infected(level,detected):
            return level,detected,virlist
        ## These replace variables may be used in new virname definition..
        repl_vars={
            'VNAME': detected,
            'LEVEL': str(level),
            'STARS': '*'*int(level*SPAM_TRESHOLD),
        }
        ## Only "detected" is modified, level and virlist are passed through
        ## unchanged..
        return level,replace_tmpl(self.NEWNAME,repl_vars),virlist

## Custom definition of quarantine report message.
## Dozens of predefined replace variables may be used here..
## The text is a Python %-format template: every %(NAME)s must be a variable
## the daemon supplies, and a literal percent sign has to be written as %%.
## The backslash after the opening ''' suppresses the first newline, so the
## message starts directly with the From: header.
## NOTE(review): the notice hands the recipient the SMTP transcript
## (%(SMTP_COMM)s) and the full header of the quarantined message
## (%(MSG_HEADER)s); presumably fine for an internal server, worth a second
## look if the notice can reach outside users. Releasing a quarantined
## attachment on request (the Reply-To address below) should stay a manual,
## verified step.
REPORT_MSG='''\
From: %(FROM)s
To: %(TO)s
Subject: Do vasi schranky smeroval virus %(VIRNAME)s!
Reply-To: resurect@o-it.info

VIRUS NALEZEN A PRESUNUT DO KARANTENY!
---------------------------------------------------------------------
Do vasi e-mailove schranky smerovala zprava, ktera v priloze obsahovala
virus. Nebezpecnou prilohu jsme odstranili a presunuli do karanteny na
nasem postovnim serveru. Pokud jste si jisti, ze si prejete *nebezpecnou*
prilohu dostat, prosim preposlete tuto zpravu na adresu
resurect@o-it.info a my vam ji zahy vratime.
---------------------------------------------------------------------
STATUS: %(STATUS)s
ULOZENO DO KARANTENY JAKO: %(QNAME)s
---------------------------------------------------------------------
SMTP KOMUNIKACE:
%(SMTP_COMM)s
---------------------------------------------------------------------
HLAVICKA ZPRAVY:
%(MSG_HEADER)s
---------------------------------------------------------------------
SKENER: %(SCANNER_NAME)s
%(SCANNER_OUTPUT)s
'''

## Debugging level, 0=errors only, 1=return status, init messages,
## 2=smtp server communication, 3=detailed smtp server communication,
## 4=tracebacks, 5=smtp client communication
## NOTE(review): at level 3 the SMTP dialogue is logged in detail, so LOGFILE
## presumably ends up holding message data (addresses at least); treat it
## like mail data rather than a plain diagnostic log.
DEBUG_LEVEL=3

## System settings - Debian standard config
## The daemon is chrooted into CHROOT; LOGFILE is composed from CHROOT, so the
## quarantine paths used below are presumably also relative to the chroot -
## confirm against the stock sagator.conf. USER/GROUP are presumably the
## identity the daemon drops to after start.
CHROOT='/var/spool/vscan'
LOGFILE=CHROOT+'/var/log/sagator/sagator.log'
USER,GROUP='vscan','vscan'
## Loopback address/port; presumably the next-hop MTA that scanned mail is
## handed to.
SMTP_SERVER=('127.0.0.1',26)

## Classes of mails according to infection, may be used in the following
## scanner configs; unused classes are commented out.
## The value is the pattern drop() matches against the detected name; '.'
## presumably matches any non-empty name, i.e. everything that was flagged.
DROP_INFECTED='.'
# DROP_SELECTED=drop.DEFAULT
# DROP_NOTHING='dasfadsffad'
# DROP_EVERYTHING=''

## The scanner chain. An outer log() wraps two status() groups, "Virus" and
## "Spam". Reading top to bottom, as the comments in this file describe it:
##   Virus: attachment type check -> quarantine; then ClamAV (libclam) ->
##          drop infected, quarantine, notify recipients with REPORT_MSG.
##   Spam:  spamassassind; drop when the sagator level is >= 1.75, otherwise
##          deliver with a tagged subject and a rewritten name.
## How nested scanners are evaluated (order, short-circuiting) is defined in
## scanners.py, not here.
SCANNERS=[
  log(3,log.FORMAT,
    status("Virus",
      ## Store it for future recovery...
      ## NOTE(review): '%Y%m' looks like a strftime directory per month. The
      ## path lives under a tmp directory (inside the chroot, presumably);
      ## check that no tmp cleaner removes quarantined mail that may still
      ## need to be recovered.
      quarantine('/tmp/quarantine/%Y%m','',
        ## Drop messages bigger than 7MBs
        ## Commented out - I prefer message_size_limit in Postfix config
        # drop(DROP_NOTHING,
        #   max_file_size(7*1024*1024,'FileSizeOverrun (Priloha vetsi nez 7MB)') &
        ## Drop mail with executables attached
        ## Delete mail with attached executables (exe,com,scr..)
        ## NOTE(review): only the 'exe' key is configured although the
        ## comment above lists com/scr too; confirm whether file_type() keys
        ## are detected file types or name extensions before relying on it
        ## to block .com/.scr attachments.
        parsemail(file_type({'exe': 'Executable (Spusitelny soubor)'})),
        # )
      ),
      ## Send the notification to recipients, that the message has been
      ## quarantined and what to do if they really want it...
      report_recipients(REPORT_MSG,
        ## Store it for future recovery...
        quarantine('/tmp/quarantine/%Y%m','',
          ## Delete without delivery...
          drop(DROP_INFECTED,
            ## libclam() is the ClamAV scanner; stream2mbox feeds it the
            ## message as an mbox.
            stream2mbox(libclam()),
          )
        )
      )
    ),
    status("Spam",
      ## If the sagator spam level is <1.0, the message is considered clean, so
      ## the virus name is empty.
      ## Drop anything with sagator spam level bigger than 1,75 (synonymously
      ## spamassassin spam hits bigger than 1.75*SPAM_TRESHOLD).
      ## Also store spamassassin's output to 't' cached variable.
      drop('.',
        rename('$STARS',
          cache('t', spamassassind(['127.0.0.1',783]) )>=const(1.75)
        )
      ),
      ## Otherwise (if the level is between 1.0 and 1.75), set the virus name
      ## to spamassassin spam hits, represented by asterisks (like "*****")
      ## and force delivery.
      deliver(
        modify_subject('[%V]', ## Subject is set to something like "SPAM ****"
          ## cache('t') reads the spamassassin result stored above, so
          ## spamassassind is presumably not run a second time.
          rewrite_name('$VNAME $STARS', cache('t') )
        )
      )
    )
  )
]

## Listeners the daemon starts. Both are bound to loopback only, so neither
## is reachable from the network directly. smtpd on port 27 runs SCANNERS on
## the mail it receives; what collector() on port 28 serves is defined in
## srv.py and not visible here.
SRV=[
  collector('127.0.0.1',28),
  smtpd(SCANNERS,'127.0.0.1',27)
]