selectively NOT archiving

Michael Scheidell michael.scheidell at secnap.com
Wed Jul 20 22:46:40 CEST 2011 

I have a need to selectively NOT archive clean emails under certain 
circumstances.
we archive clean email on some servers, NOT because we want the emails, 
but because we want to feed VIRGIN emails back to SA for learning.
(exchange mashes the emails and headers.. imap wasn't so bad, but ews 
really mucks them up)
HOWEVER, I do NOT want to archive CLEAN emails > 400K.
(I still want to archive large viruses, attachments, and spam)

I have (almost) got this down, but just need last step. sql queries 
work, I can calculate size, read values, just want to DISABLE archiving 
for LARGE clean emails (note: maybe I am doing it in the wrong place, 
maybe I need a per-user loop.. since one users clean is another users 
spam.. but then again, maybe the flags are set on 
is_in_contents_category just fine)


using amavisd-custom.conf

use strict;
use DBI qw(:sql_types);
use DBD::mysql;
my $__archive_quarantine_in;
BEGIN {
   import Amavis::Conf qw(:platform :confvars c cr ca $myhostname 
$clean_quarantine_method @lookup_sql_dsn
   $sa_mail_body_size_limit);
   import Amavis::Util qw(do_log untaint safe_encode safe_decode);
}

sub new {
  my($class,$conn,$msginfo) = @_;
    my($self) = bless {}, $class;
    my($conn_h) = Amavis::Out::SQL::Connection->new(@lookup_sql_dsn);
    $self->{'conn_h'} = $conn_h;
    $self;  # returning an object activates further callbacks,
}

sub before_send {
     my($self,$conn,$msginfo) = @_;
     my($ll) = 3;  # log level (0 is the most important level, 1, 2,... 
5 less so)
     my($too_large) = $msginfo->msg_size > $sa_mail_body_size_limit;
     my($already_quarantined) = $msginfo->is_in_contents_category(
                    {CC_SPAMMY,1, CC_SPAM,1, CC_BANNED,1, CC_VIRUS,1} );

     if ($too_large) {
       if(! $already_quarantined && $clean_quarantine_method =~ /sql:/) {
           do_log(0, "CUSTOM: UNWANTED = $msg_size"."k > 
".($sa_mail_body_size_limit/1024)."k");
          # I want to NOT archive if it hits here.
         }
}

-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
 >*| *SECNAP Network Security Corporation

    * Best Mobile Solutions Product of 2011
    * Best Intrusion Prevention Product
    * Hot Company Finalist 2011
    * Best Email Security Product
    * Certified SNORT Integrator


______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.amavis.org/pipermail/amavis-users/attachments/20110720/f99ffc62/attachment.html>

More information about the amavis-users mailing list