UNKNOWN CLAMD RETURN
Rick Cooper
rcooper at dwford.com
Fri Jul 20 11:42:46 IST 2007
Julian,
Thanks for jumping into this yesterday. I got buried yesterday and had
problems just getting to the first few messages, let alone getting to email
period in the afternoon/evening.
Thanks
Rick
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
> Sent: Thursday, July 19, 2007 3:16 PM
> To: MailScanner discussion
> Subject: Re: UNKNOWN CLAMD RETURN
>
> Sorry, forgot the attachment as usual!
>
> Julian Field wrote:
> > * PGP Signed: 07/19/07 at 19:50:56
> >
> > Please try the attached patch to SweepViruses.pm and let me know how
> > you get on.
> >
> > MailWatch may well not like it completely, as I changed "$part was" to
> > "headers were" so it will fail to match if Steve looks for "was", but
> > I'm sticking to English grammar, unless "the entire message was" works
> > better.
> >
> > Please try both and tell me if MailWatch is happy with "the entire
> > message was" and I'll change my code.
> >
> > Has someone actually got an entire message that triggers this code, so
> > that we can test it on a real message?
> >
> > Cheers,
> > Jules.
> >
> >
> > Julian Field wrote:
> >> > Old Signed: 07/19/07 at 19:12:27
> >>
> >>
> >>
> >> Rick Cooper wrote:
> >>>
> >>>
> >>> > -----Original Message-----
> >>> > From: mailscanner-bounces at lists.mailscanner.info
> >>> > [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of UxBoD
> >>> > Sent: Thursday, July 19, 2007 9:36 AM
> >>> > To: MailScanner discussion
> >>> > Subject: Re: UNKNOWN CLAMD RETURN
> >>> >
> >>> > > Not sure on that Rick as we do not use the reports. In MailWatch it shows as :-
> >>> > > Clamd: message.header was infected: Email.Hdr.Sanesecurity.07061900 FOUND
> >>> > > so message.header could be changed to the word SPAM.
> >>>
> >>>
> >>> Do you know what happens to the message? The reason I ask is I can't
> >>> remember what MailScanner does to the message when it cannot find
> >>> $infections->{"$id"}{"$part"} in its list of associated files (or
> >>> safnames I think).
> >> To add a report for the entire message, set $part to "". So if you
> >> add a virus report for the whole message, then the whole message will
> >> be treated as infected. Whether adding this will require a slight
> >> change to MailWatch, I don't know. But that's the right way to do it.
> >> Very dangerous to add a report for an attachment filename that
> >> doesn't exist!
> >>
> >>> It may pass the message untouched and it may remove the entire
> >>> body; I just cannot remember what the reflex would be in this situation.
> >>> Perhaps Julian can answer that. MailWatch is just looking for something to
> >>> match the regex in functions.php (IIRC) but MailScanner may end up
> >>> delivering the message and I need to make sure that doesn't happen.
> >>>
> >>
> >> Jules
> >>
> >
> > Jules
> >
>
> Jules
>
> --
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules at Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk
>
>
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.