UNKNOWN CLAMD RETURN
UxBoD
uxbod at splatnix.net
Fri Jul 20 08:01:22 IST 2007
All looks good Jules :D
Output from MailWatch :-

  20/07/07 02:52:38  XXXXXX at XXXXXX  XXXXXX at XXXXX.com  cialis and viagra for Everyone!  2.5Kb  29.70  Spam
  Virus (Email.Hdr.Sanesecurity.07012400)

  cialis and viagra for Everyone!
  Size: 2.5Kb
  Anti-Virus/Dangerous Content Protection
    Virus:           Y
    Blocked File:    N
    Other Infection: N
    Report:          Clamd: message.header was infected: Email.Hdr.Sanesecurity.07012400 FOUND
Now able to report against Viruses/Malware and SPAM :)
  Rank  Virus                                                  Percentage of detection  Count
     1  Email.Stk.Gen592.Sanesecurity.07071801.pdf             60%                        129
     2  Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400   11%                         23
     3  Email.Spam.Gen1007.Sanesecurity.07071800                8%                         17
     4  Html.Loan.Gen006.Sanesecurity.06120200                  8%                         17
     5  Email.Hdr.Sanesecurity.07012400                         6%                         12
     6  Email.Spam.Gen465.Sanesecurity.07050603                 2%                          5
     7  Html.Img.Gen013.Sanesecurity.06112900                   2%                          5
     8  Html.Phishing.Bank.Rockv2Gen28.Sanesecurity.07061800    1%                          2
     9  Email.Spam.Gen595.Sanesecurity.07052401                 1%                          2
    10  Email.Spam.Gen903.Sanesecurity.07062812                 1%                          2
Another chink in the armour of the commercial AV/AP solution that the company I work for uses. MailScanner should be taking it over *very* soon now :D
Thanks again to Rick and Jules. (and SaneSecurity for producing great additional ClamAV signatures)
----- Original Message -----
From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Sent: Thursday, July 19, 2007 8:16:07 PM (GMT) Europe/London
Subject: Re: UNKNOWN CLAMD RETURN
Sorry, forgot the attachment as usual!
Julian Field wrote:
> * PGP Signed: 07/19/07 at 19:50:56
>
> Please try the attached patch to SweepViruses.pm and let me know how
> you get on.
>
> MailWatch may well not like it completely, as I changed "$part was" to
> "headers were" so it will fail to match if Steve looks for "was", but
> I'm sticking to English grammar, unless "the entire message was" works
> better.
>
> Please try both and tell me if MailWatch is happy with "the entire
> message was" and I'll change my code.
>
> Has someone actually got an entire message that triggers this code, so
> that we can test it on a real message?
>
> Cheers,
> Jules.
>
>
> Julian Field wrote:
>> > Old Signed: 07/19/07 at 19:12:27
>>
>>
>>
>> Rick Cooper wrote:
>>>
>>>
>>> > -----Original Message-----
>>> > From: mailscanner-bounces at lists.mailscanner.info
>>> > [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of UxBoD
>>> > Sent: Thursday, July 19, 2007 9:36 AM
>>> > To: MailScanner discussion
>>> > Subject: Re: UNKNOWN CLAMD RETURN
>>> >
>>> > Not sure on that Rick as we do not use the reports. In
>>> > MailWatch it shows as :-
>>> >
>>> > Clamd: message.header was infected: Email.Hdr.Sanesecurity.07061900 FOUND
>>> >
>>> > so message.header could be changed to the word SPAM.
>>>
>>>
>>> Do you know what happens to the message? The reason I ask is I can't
>>> remember what MailScanner does to the message when it cannot find
>>> $infections->{"$id"}{"$part"} in its list of associated files (or
>>> safenames, I think).
>> To add a report for the entire message, set $part to "". So if you
>> add a virus report for the whole message, then the whole message will
>> be treated as infected. Whether adding this will require a slight
>> change to MailWatch, I don't know. But that's the right way to do it.
>> Very dangerous to add a report for an attachment filename that
>> doesn't exist!
>>
>>> It may pass the message untouched and it may remove the entire body;
>>> I just cannot remember what the reflex would be in this situation.
>>> Perhaps Julian can answer that. MailWatch is just looking for
>>> something to match the regex in functions.php (IIRC), but MailScanner
>>> may end up delivering the message and I need to make sure that doesn't
>>> happen.
>>>
>>
>> Jules
>>
>
> Jules
>
Jules
--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
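An added, stand-alone example of the point Rick and Julian argue in the quoted thread, written for this page; it is not code from UxBoD's post, from MailScanner's SweepViruses.pm, or from MailWatch's functions.php. It shows how a clamd "path: SIGNATURE FOUND" line is filed against a message part, why a reported filename that is not a real attachment (such as message.header) must be recorded against the whole message (part "") rather than against a part that does not exist, and a MailWatch-style regex that still matches whether the report says "was infected" or "were infected". The message id, spool paths, attachment list and clamd output lines are all constructed for the example.

```perl
#!/usr/bin/perl
# Illustration only (not MailScanner's or MailWatch's code): filing clamd
# results against message parts, sending anything that is not a real
# attachment to the whole message (part ""), and extracting signature
# names from the resulting report text.  All names/paths are constructed.
use strict;
use warnings;
use File::Basename qw(basename);

my $id = 'l6K7qcAB012345';                       # constructed message id

# Attachments actually extracted for this message (constructed list; the
# wrapper's own record of which files exist is what the thread refers to
# as the list of associated files / safenames).
my %attachments = map { $_ => 1 } qw(Invoice.pdf Photo.jpg Report.zip);

# Constructed clamd output in the "<path>: <verdict>" shape clamd prints.
my @clamd_lines = (
    "/var/spool/MailScanner/incoming/4321/$id/message.header: Email.Hdr.Sanesecurity.07012400 FOUND",
    "/var/spool/MailScanner/incoming/4321/$id/Invoice.pdf: Email.Stk.Gen592.Sanesecurity.07071801.pdf FOUND",
    "/var/spool/MailScanner/incoming/4321/$id/Photo.jpg: OK",
    "/var/spool/MailScanner/incoming/4321/$id/Report.zip: Can't open file ERROR",
    "LibClamAV Warning: something the scanner printed that we did not expect",
);

# Classify one clamd line.  Returns ('clean'), ('unknown') or
# ('report', $part, $report_text).  'unknown' is what a wrapper should log
# loudly (the "UNKNOWN CLAMD RETURN" case) instead of silently passing.
sub file_clamd_line {
    my ($line) = @_;
    return ('clean') if $line =~ /: OK$/;
    if ($line =~ /^(.+?): (.+) (FOUND|ERROR)$/) {
        my ($path, $what, $verdict) = ($1, $2, $3);
        my $file = basename($path);
        # message.header, message.body or the raw message file are not
        # attachments.  A report keyed on a filename that does not exist
        # may never be acted on; part "" means the whole message, so the
        # whole message is treated as infected instead.
        my $part    = exists $attachments{$file} ? $file : "";
        my $subject = $part eq "" ? "the entire message was" : "$part was";
        my $report  = $verdict eq 'FOUND'
            ? "Clamd: $subject infected: $what FOUND"
            : "Clamd: $subject not scanned: $what ERROR";
        return ('report', $part, $report);
    }
    return ('unknown');
}

# MailWatch-style extraction of signature names from report text.
# Accepting "was" or "were" keeps the match working whichever wording the
# scanner wrapper uses ("message.header was", "headers were",
# "the entire message was").
my $virus_re = qr/Clamd: .+? (?:was|were) infected: (\S+) FOUND/;
sub viruses_in_report {
    my ($text) = @_;
    return $text =~ /$virus_re/g;                # all captured names
}

my (%infections, @unknown);
foreach my $line (@clamd_lines) {
    my ($status, $part, $report) = file_clamd_line($line);
    if    ($status eq 'report')  { $infections{$id}{$part} .= "$report\n" }
    elsif ($status eq 'unknown') { push @unknown, $line }
}

print "Whole message infected: ",
      (exists $infections{$id}{""} ? "yes" : "no"), "\n";
foreach my $part (sort keys %{ $infections{$id} }) {
    my $label = $part eq "" ? "<entire message>" : $part;
    print "  part $label:\n", $infections{$id}{$part};
}
print "Unknown clamd return: $_\n" for @unknown;

# Per-signature counts, the raw material of a MailWatch rank table.
my %count;
foreach my $part (keys %{ $infections{$id} }) {
    $count{$_}++ for viruses_in_report($infections{$id}{$part});
}
printf "%-55s %d\n", $_, $count{$_}
    for sort { $count{$b} <=> $count{$a} or $a cmp $b } keys %count;
```

Run it with `perl filing.pl`. The header hit lands under part "" and the PDF hit under Invoice.pdf; the ERROR line is recorded rather than dropped, and the stray warning line is reported as an unknown return so that a real wrapper would refuse to deliver the message as clean.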