UNKNOWN CLAMD RETURN

UxBoD uxbod at splatnix.net
Thu Jul 19 20:08:31 IST 2007


I have about 600 messages which we have received today Jules ;) The SANE ClamAV signatures are working very well.  Could you attach the patch please and I will try in the morning :) Thanks Rick and Jules.
----- Original Message -----
From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Sent: Thursday, July 19, 2007 7:50:55 PM (GMT) Europe/London
Subject: Re: UNKNOWN CLAMD RETURN

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please try the attached patch to SweepViruses.pm and let me know how you 
get on.

MailWatch may well not like it completely, as I changed "$part was" to 
"headers were" so it will fail to match if Steve looks for "was", but 
I'm sticking to English grammar, unless "the entire message was" works 
better.

Please try both and tell me if MailWatch is happy with "the entire 
message was" and I'll change my code.

Has someone actually got an entire message that triggers this code, so 
that we can test it on a real message?

Cheers,
Jules.


Julian Field wrote:
> * PGP Signed: 07/19/07 at 19:12:27
>
>
>
> Rick Cooper wrote:
>>  
>>
>>  > -----Original Message-----
>>  > From: mailscanner-bounces at lists.mailscanner.info
>>  > [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of UxBoD
>>  > Sent: Thursday, July 19, 2007 9:36 AM
>>  > To: MailScanner discussion
>>  > Subject: Re: UNKNOWN CLAMD RETURN
>>  >
>>  > Not sure on that Rick as we do not use the reports.  In MailWatch it shows as :-
>>  >
>>  > Clamd: message.header was infected: Email.Hdr.Sanesecurity.07061900 FOUND
>>  >
>>  > so message.header could be changed to the word SPAM.
>>
>>
>> Do you know what happens to the message? The reason I ask is I can't
>> remember what MailScanner does to the message when it cannot find
>> $infections->{"$id"}{"$part"} in its list of associated files (or
>> safnames I think).
> To add a report for the entire message, set $part to "". So if you add 
> a virus report for the whole message, then the whole message will be 
> treated as infected. Whether adding this will require a slight change 
> to MailWatch, I don't know. But that's the right way to do it. Very 
> dangerous to add a report for an attachment filename that doesn't exist!
>
>> It may pass the message untouched and it may remove the entire
>> body I just cannot remember what the reflex would be in this situation.
>> Perhaps Julian can answer that. MailWatch is just looking for something
>> to match the regex in functions.php (IIRC) but MailScanner may end up
>> delivering the message and I need to make sure that doesn't happen.
>>   
>
> Jules
>

Jules

- -- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGn7KQEfZZRxQVtlQRAojNAKCOxAstIJ9gfJrUtz8JDLfQ2RhBQQCeKxXj
QYCQPOyExyl7ACN2z6DU374=
=uSfc
-----END PGP SIGNATURE-----

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
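
The rule discussed in the thread (a clamd hit on something that is not a real attachment, such as message.header, is reported against the whole message by setting $part to "") can be sketched as follows. This is an added example, not the patch to SweepViruses.pm and not MailScanner's code; the record_clamd_line helper, the /work/<id>/<part> path layout, the %known attachment list and the sample clamd lines are all assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not MailScanner's SweepViruses.pm. The path layout, the
# attachment list and the sample clamd lines are constructed for illustration.
use strict;
use warnings;

# Attribute one clamd result line to a message part. $known->{$id}{$part}
# lists the attachment names that really exist for each message.
sub record_clamd_line {
    my ($line, $known, $infections) = @_;

    # clamd reports hits as "<path>: <signature> FOUND"
    my ($path, $sig) = $line =~ /^(.+): (\S+) FOUND$/ or return 0;

    # Assumed layout: <work dir>/<message id>/<part name>
    my ($id, $part) = $path =~ m{([^/]+)/([^/]+)$} or return 0;

    my $report;
    if (exists $known->{$id}{$part}) {
        $report = "Clamd: $part was infected: $sig";
    } else {
        # e.g. message.header: not an attachment, so report against the
        # whole message ($part = "") rather than a filename that does not
        # exist. The wording is one of the candidates named in the thread.
        $report = "Clamd: the entire message was infected: $sig";
        $part   = "";
    }
    push @{ $infections->{$id}{$part} }, $report;
    return 1;
}

my %known = (MSG1 => { 'invoice.zip' => 1 });    # constructed
my %infections;
my @clamd_output = (                             # constructed sample lines
    '/work/MSG1/invoice.zip: Eicar-Test-Signature FOUND',
    '/work/MSG1/message.header: Email.Hdr.Sanesecurity.07061900 FOUND',
    '/work/MSG1/invoice.zip: OK',
);
record_clamd_line($_, \%known, \%infections) for @clamd_output;

for my $id (sort keys %infections) {
    for my $part (sort keys %{ $infections{$id} }) {
        my $label = $part eq "" ? "(whole message)" : $part;
        print "$id $label: $_\n" for @{ $infections{$id}{$part} };
    }
}
```

Any consumer that matches report text with a regex, as MailWatch is said to do in functions.php, needs to accept whichever whole-message wording is finally chosen.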
