Which AV is right :) ?

Desai, Jason jase at SENSIS.COM
Thu Aug 12 20:31:43 IST 2004


>>> [raymond at vmx80 raymond]$ clamscan msg-29387-93.txt
>>> msg-29387-93.txt: OK
>>>
>>> [raymond at vmx80 raymond]$ clamscan --mbox msg-29387-93.txt
>>> msg-29387-93.txt: Worm.Zafi.B FOUND
>>>
>>> These ones walk right in if you are using only clam...
>>
>> Are you sure that the file contains valid mime headers that are not
>> broken because of a bounce message?  Can you make that file
>> available via http?
>
> Sure, grab it at:
>
> http://mailscanner.prolocation.net/example.txt

I'm no expert, but it looks to me like there are no valid mime attachments
to this message.  And it does look like a bounce message.  My guess is that
the mta (in this case, it looks like qmail) sent a delivery failure message,
and just included the contents of the original message without making it a
mime attachment.  So I think technically, a mail client should not be able
to decode the virus that was in the original message.

Maybe clam, when used with --mbox, will look for mime attachments anywhere
in the file (as if the file were an mbox) and not care if it is truly valid
or not.

Do you know of any clients that could successfully save that attachment?
(You may have to disable any desktop AV too, as it may detect it as well).

Jase
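
The difference Jase guesses at, as an added example that is not part of the original post and is not ClamAV's code: a parser that trusts only the top-level headers sees a plain-text bounce with no attachments, while a scan that looks for a MIME header block anywhere in the body recovers the pasted part. The bounce text, addresses, file name and payload are constructed, and the function names are hypothetical.

```python
import base64
import re
from email import message_from_string

# Constructed sample: a plain-text bounce that pastes the original message
# inline, MIME headers and base64 body included. Not the file from the thread.
PAYLOAD = b"constructed-harmless-bytes"
BOUNCE = (
    "From: MAILER-DAEMON@mx.example\n"
    "To: sender@example.org\n"
    "Subject: failure notice\n"
    "\n"
    "Hi. This is the mail delivery program. Delivery failed.\n"
    "\n"
    "--- Below this line is a copy of the message.\n"
    "\n"
    "From: sender@example.org\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    'Content-Type: application/octet-stream; name="original.bin"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.b64encode(PAYLOAD).decode() + "\n"
    "--b1--\n"
)

def strict_attachments(raw):
    """What a mail client sees: only the top-level headers define structure."""
    msg = message_from_string(raw)
    return [(p.get_filename(), p.get_payload(decode=True))
            for p in msg.walk() if p.get_filename()]

def lenient_attachments(raw):
    """Assumed scanner behaviour: retry the parse at every header-like block
    that follows a blank line, so a message pasted into a body is decoded too."""
    for m in re.finditer(r"\n\n(?=[A-Za-z-]+: )", raw):
        found = strict_attachments(raw[m.end():])
        if found:
            return found
    return []

if __name__ == "__main__":
    print("strict :", strict_attachments(BOUNCE))   # no attachments visible
    print("lenient:", lenient_attachments(BOUNCE))  # embedded part decoded
```

A scanner that behaves like the lenient pass flags content that no client would decode, which matches the two clamscan results quoted at the top of the thread.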

------------------------ MailScanner list ------------------------