UNKNOWN CLAMD RETURN

Julian Field MailScanner at ecs.soton.ac.uk
Fri Jul 20 11:16:41 IST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

But can you try the exact wording I have in my infection message please? 
Does MailWatch handle that okay?

UxBoD wrote:
> All looks good Jules :D
>
> Output from MailWatch :-
>
> 20/07/07 02:52:38   XXXXXX at XXXXXX   XXXXXX at XXXXX.com   cialis and viagra for Everyone!   2.5Kb   29.70   Spam
> Virus (Email.Hdr.Sanesecurity.07012400)
>
> cialis and viagra for Everyone!
> Size:        2.5Kb
> Anti-Virus/Dangerous Content Protection
> Virus:         Y
> Blocked File:         N
> Other Infection:         N
> Report:        Clamd: message.header was infected: 
> Email.Hdr.Sanesecurity.07012400 FOUND
>
> Now able to report against Viruses/Malware and SPAM :)
>
> Rank  Virus                                                  Percentage of detection  Count
> 1     Email.Stk.Gen592.Sanesecurity.07071801.pdf             60%                      129
> 2     Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400   11%                      23
> 3     Email.Spam.Gen1007.Sanesecurity.07071800               8%                       17
> 4     Html.Loan.Gen006.Sanesecurity.06120200                 8%                       17
> 5     Email.Hdr.Sanesecurity.07012400                        6%                       12
> 6     Email.Spam.Gen465.Sanesecurity.07050603                2%                       5
> 7     Html.Img.Gen013.Sanesecurity.06112900                  2%                       5
> 8     Html.Phishing.Bank.Rockv2Gen28.Sanesecurity.07061800   1%                       2
> 9     Email.Spam.Gen595.Sanesecurity.07052401                1%                       2
> 10    Email.Spam.Gen903.Sanesecurity.07062812                1%                       2
>
>
> Another chink in the armour of the commercial AV/AP solution that the 
> company I work for uses.  MailScanner should be taking it over *very* 
> soon now :D
>
> Thanks again to Rick and Jules. (and SaneSecurity for producing great 
> additional ClamAV signatures)
>
> ----- Original Message -----
> From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Sent: Thursday, July 19, 2007 8:16:07 PM (GMT) Europe/London
> Subject: Re: UNKNOWN CLAMD RETURN
>
> Sorry, forgot the attachment as usual!
>
> Julian Field wrote:
> > * PGP Signed: 07/19/07 at 19:50:56
> >
> > Please try the attached patch to SweepViruses.pm and let me know how
> > you get on.
> >
> > MailWatch may well not like it completely, as I changed "$part was" to
> > "headers were" so it will fail to match if Steve looks for "was", but
> > I'm sticking to English grammar, unless "the entire message was" works
> > better.
> >
> > Please try both and tell me if MailWatch is happy with "the entire
> > message was" and I'll change my code.
> >
> > Has someone actually got an entire message that triggers this code, so
> > that we can test it on a real message?
> >
> > Cheers,
> > Jules.
> >
> >
> > Julian Field wrote:
> >> > Old Signed: 07/19/07 at 19:12:27
> >>
> >>
> >>
> >> Rick Cooper wrote:
> >>>  
> >>>
> >>> > -----Original Message-----
> >>> > From: mailscanner-bounces at lists.mailscanner.info
> >>> > [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of UxBoD
> >>> > Sent: Thursday, July 19, 2007 9:36 AM
> >>> > To: MailScanner discussion
> >>> > Subject: Re: UNKNOWN CLAMD RETURN
> >>> >
> >>> > Not sure on that Rick as we do not use the reports.  In MailWatch it
> >>> > shows as :-
> >>> >
> >>> > Clamd: message.header was infected: Email.Hdr.Sanesecurity.07061900 FOUND
> >>> >
> >>> > so message.header could be changed to the word SPAM.
> >>>
> >>>
> >>> Do you know what happens to the message? The reason I ask is I can't
> >>> remember what MailScanner does to the message when it cannot find
> >>> $infections->{"$id"}{"$part"} in its list of associated files (or
> >>> safnames
> >>> I think).
> >> To add a report for the entire message, set $part to "". So if you
> >> add a virus report for the whole message, then the whole message will
> >> be treated as infected. Whether adding this will require a slight
> >> change to MailWatch, I don't know. But that's the right way to do it.
> >> Very dangerous to add a report for an attachment filename that
> >> doesn't exist!
> >>
> >>> It may pass the message untouched and it may remove the entire
> >>> body; I just cannot remember what the reflex would be in this situation.
> >>> Perhaps Julian can answer that. MailWatch is just looking for
> >>> something to
> >>> match the regex in functions.php (IIRC) but MailScanner may end up
> >>> delivering the message and I need to make sure that doesn't happen.
> >>>  
> >>
> >> Jules
> >>
> >
> > Jules
> >
>
> Jules
>
> -- 
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules at Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk
>
>
> -- 
> This message has been scanned for viruses and
> dangerous content by *MailScanner* <http://www.mailscanner.info/>, and is
> believed to be clean. 

Jules

- -- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: UTF-8

wj8DBQFGoIuKEfZZRxQVtlQRAjgyAJ4wCb3qLBl23pEdBxxHF+Qb8Eci8QCcCDwu
w643K2td+bPwQioYCko2I6Q=
=n4Me
-----END PGP SIGNATURE-----
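The thread turns on two small mechanics: the wording of the Clamd report line that MailWatch's display regex must match ("$part was infected" versus "headers were infected" or "the entire message was infected"), and Julian's rule that a report for the whole message is keyed on an empty $part, never on an attachment filename that does not exist. The example below is added here to make both concrete; it is not MailScanner's SweepViruses.pm or MailWatch's functions.php code, and it is written in Python rather than the projects' own Perl and PHP so it can be run stand-alone. The report grammar, the set of "whole message" part names, the two MailWatch-style regexes and the sample report lines are all assumptions constructed for the example from the wordings quoted in the thread.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed sample report lines in the "Clamd: <part> was infected: <sig> FOUND"
# form that MailWatch displayed in the thread; the last line is a clean result.
SAMPLE_REPORTS = [
    "Clamd: message.header was infected: Email.Hdr.Sanesecurity.07012400 FOUND",
    "Clamd: invoice.pdf was infected: Email.Stk.Gen592.Sanesecurity.07071801.pdf FOUND",
    "Clamd: headers were infected: Email.Hdr.Sanesecurity.07012400 FOUND",
    "Clamd: the entire message was infected: Email.Hdr.Sanesecurity.07012400 FOUND",
    "Clamd: readme.txt OK",
]

# Assumed report grammar: part name, "was"/"were" (the two wordings discussed
# in the thread), the signature name and the trailing FOUND.
REPORT_RE = re.compile(
    r"^Clamd: (?P<part>.+?) (?:was|were) infected: (?P<sig>\S+) FOUND$"
)

# Part names that denote the message as a whole rather than an attachment.
# "message.header" is the pseudo-file from the thread; the other two are the
# wordings Julian proposed. Which ones a real install emits is an assumption.
WHOLE_MESSAGE_PARTS = {"message.header", "headers", "the entire message"}


def parse_report(line: str) -> Optional[Tuple[str, str]]:
    """Return (part, signature) for an infection report, or None for OK/unknown lines."""
    m = REPORT_RE.match(line)
    if m is None:
        return None
    return m.group("part"), m.group("sig")


def assign_report(line: str, attachments: Set[str]) -> Optional[Tuple[str, str]]:
    """Map a report onto the key a MailScanner-style infection table would use.

    Returns (part_key, signature): part_key is "" for a whole-message report
    (Julian's "set $part to ''" rule) or the attachment filename otherwise.
    A report naming a part that is not a real attachment raises, because
    keying an infection on a non-existent filename is exactly the situation
    the thread warns about (the message's fate is then undefined).
    """
    parsed = parse_report(line)
    if parsed is None:
        return None
    part, sig = parsed
    if part in WHOLE_MESSAGE_PARTS:
        return "", sig
    if part not in attachments:
        raise ValueError(f"report names unknown attachment {part!r}: {line}")
    return part, sig


# Two hypothetical MailWatch-style matchers (assumed, not the real functions.php
# regex): the strict one only accepts the original "was infected" wording and
# therefore misses a "headers were infected" report, which is the compatibility
# concern raised about the patch.
MAILWATCH_STRICT_RE = re.compile(r"was infected:\s*(\S+) FOUND")
MAILWATCH_LOOSE_RE = re.compile(r"(?:was|were) infected:\s*(\S+) FOUND")


def mailwatch_virus_name(report: str, strict: bool = True) -> Optional[str]:
    """Extract the signature name the way a report-display regex would."""
    m = (MAILWATCH_STRICT_RE if strict else MAILWATCH_LOOSE_RE).search(report)
    return m.group(1) if m else None


def classify_all(lines: List[str], attachments: Set[str]) -> list:
    """Run every line through assign_report, recording failures instead of raising."""
    results = []
    for line in lines:
        try:
            results.append(assign_report(line, attachments))
        except ValueError as exc:
            results.append(("ERROR", str(exc)))
    return results


if __name__ == "__main__":
    known = {"invoice.pdf", "readme.txt"}  # constructed attachment list
    for line, result in zip(SAMPLE_REPORTS, classify_all(SAMPLE_REPORTS, known)):
        print(f"{result!r:<75} <- {line}")
    for wording in ("headers were", "the entire message was"):
        rep = f"Clamd: {wording} infected: Email.Hdr.Sanesecurity.07012400 FOUND"
        print(wording, "| strict:", mailwatch_virus_name(rep),
              "| loose:", mailwatch_virus_name(rep, strict=False))
```

Running it shows why "the entire message was" is the safer wording for MailWatch compatibility: it still satisfies a matcher that insists on "was infected", while "headers were" only matches once the display regex is loosened. The ValueError path is the guard a practitioner would want around any code that adds a report keyed on a filename, so that a spam-signature hit on the headers can never be attached to an attachment that does not exist.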
