Home / server / Questions / 1150373
Accepted
Esa Jokinen
Asked: 2023-12-26 02:42:14 +0800 CST

How to make clamassassin prepend the X-Virus-* headers instead of appending them?

  • 772

The email virus filter wrapper for ClamAV, clamassassin, appends its headers to the message headers.

X-Virus-Status: No
X-Virus-Checker-Version: clamassassin 1.2.4 with clamscan / ClamAV 1.0.3/27134/Mon Dec 25 11:40:06 2023

It would be better that any MTA delivering the message only prepends to the headers, as RFC 5322, 3.6 suggests:

However, for the purposes of this specification, header fields SHOULD NOT be reordered when a message is transported or transformed. More importantly, the trace header fields and resent header fields MUST NOT be reordered, and SHOULD be kept in blocks prepended to the message. See sections 3.6.6 and 3.6.7 for more information.

For instance, spamassassin prepends its X-Spam-* headers above the existing headers. Why clamassassin does not do the same, and how to alter this behaviour? If, e.g., the .procmailrc had the following I would expect these headers to appear in the same place.

:0 fw
| clamassassin

:0 fw
| spamassassin
clamav

1 Answers

  1. Best Answer

    Reasons

    The clamassassin is an old shell script that was developed between 2003 and 2007 whereas RFC 5322 is more recent, dating back to 2008. Therefore, the author of clamassassin, James Lick, might not have been aware of such demands.

    Furthermore, clamassassin utilizes Procmail's formail(1) mail (re)formatter for adding the headers. As formail only has -a, -A, -i & -I that all appends to the headers it is impossible to alter this behaviour without a major rewrite of the script.

    Workaround

    As a workaround, I wrote a small script, mail-prepender.sh, that can be used to replace formail for the use case of clamassassin. It simply prepends all the headers given as any of those flags and keeps everything else intact. The flags -x & -X are also implemented as clamassassin uses -c -x for extracting the Subject header from the original headers.

    On Debian based systems, the script is configurable through /etc/default/clamassassin where you can add the path to this script as the path to formail by adding, e.g.,

    FORMAIL=/usr/local/bin/mail-prepender.sh

    Results

    Tested on Debian 12, where the beginning of the headers now look like this on clean results:

    Return-Path: <[email protected]>
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on mail.example.net
X-Spam-Status: No, score=-10.5 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,SPF_PASS,USER_IN_DEF_DKIM_WL
        autolearn=ham autolearn_force=no version=4.0.0
X-Virus-Status: No
X-Virus-Checker-Version: clamassassin 1.2.4 with clamscan / ClamAV 1.0.3/27134/Mon Dec 25 11:40:06 2023

    When ClamAV detects something the headers look like this:

    Return-Path: <[email protected]>
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on mail.example.net
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_PASS autolearn=ham
        autolearn_force=no version=4.0.0
X-Virus-Status: Yes
X-Virus-Report: Win.Test.EICAR_HDB-1 FOUND
X-Virus-Checker-Version: clamassassin 1.2.4 with clamscan / ClamAV 1.0.3/27132/Sat Dec 23 11:40:46 2023
    • 4