UNKNOWN CLAMD RETURN

UxBoD uxbod at splatnix.net
Fri Jul 20 12:14:59 IST 2007


I put the original .pm back in and applied the patch. <slaps self round face as I patched my modified one :(>

This is what appears for a normal message :-

Clamd: msg-19428-1.html was infected: Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400 FOUND

in maillog I get this :-

Jul 20 07:08:47 bianchi MailScanner[19442]: ERROR:: UNKNOWN CLAMD RETURN ./E36817CEF53.9B2FD.header/Email.Scam4.Gen824.Sanesecurity.07051409 FOUND :: /var/spool/MailScanner/incoming/19442

Should I have left my original code in ?

----- Original Message -----
From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Sent: Friday, July 20, 2007 11:16:41 AM (GMT) Europe/London
Subject: Re: UNKNOWN CLAMD RETURN

But can you try the exact wording I have in my infection message please? 
Does MailWatch handle that okay?

UxBoD wrote:
> All looks good Jules :D
>
> Output from MailWatch :-
>
> 20/07/07 02:52:38    XXXXXX at XXXXXX    XXXXXX at XXXXX.com    cialis and viagra for Everyone!    2.5Kb    29.70    Spam Virus (Email.Hdr.Sanesecurity.07012400)
>
> cialis and viagra for Everyone!
> Size:        2.5Kb
> Anti-Virus/Dangerous Content Protection
> Virus:         Y
> Blocked File:         N
> Other Infection:         N
> Report:        Clamd: message.header was infected: Email.Hdr.Sanesecurity.07012400 FOUND
>
> Now able to report against Viruses/Malware and SPAM :)
>
> Rank  Virus                                                 Percentage of detection  Count
> 1     Email.Stk.Gen592.Sanesecurity.07071801.pdf            60%                      129
> 2     Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400  11%                      23
> 3     Email.Spam.Gen1007.Sanesecurity.07071800              8%                       17
> 4     Html.Loan.Gen006.Sanesecurity.06120200                8%                       17
> 5     Email.Hdr.Sanesecurity.07012400                       6%                       12
> 6     Email.Spam.Gen465.Sanesecurity.07050603               2%                       5
> 7     Html.Img.Gen013.Sanesecurity.06112900                 2%                       5
> 8     Html.Phishing.Bank.Rockv2Gen28.Sanesecurity.07061800  1%                       2
> 9     Email.Spam.Gen595.Sanesecurity.07052401               1%                       2
> 10    Email.Spam.Gen903.Sanesecurity.07062812               1%                       2
>
>
> Another chink in the armour of the commercial AV/AP solution that the 
> company I work for uses.  MailScanner should be taking it over *very* 
> soon now :D
>
> Thanks again to Rick and Jules. (and SaneSecurity for producing great 
> additional ClamAV signatures)
>
> ----- Original Message -----
> From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Sent: Thursday, July 19, 2007 8:16:07 PM (GMT) Europe/London
> Subject: Re: UNKNOWN CLAMD RETURN
>
> Sorry, forgot the attachment as usual!
>
> Julian Field wrote:
> > * PGP Signed: 07/19/07 at 19:50:56
> >
> > Please try the attached patch to SweepViruses.pm and let me know how
> > you get on.
> >
> > MailWatch may well not like it completely, as I changed "$part was" to
> > "headers were" so it will fail to match if Steve looks for "was", but
> > I'm sticking to English grammar, unless "the entire message was" works
> > better.
> >
> > Please try both and tell me if MailWatch is happy with "the entire
> > message was" and I'll change my code.
> >
> > Has someone actually got an entire message that triggers this code, so
> > that we can test it on a real message?
> >
> > Cheers,
> > Jules.
> >
> >
> > Julian Field wrote:
> >> > Old Signed: 07/19/07 at 19:12:27
> >>
> >>
> >>
> >> Rick Cooper wrote:
> >>> > -----Original Message-----
> >>> > From: mailscanner-bounces at lists.mailscanner.info
> >>> > [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of UxBoD
> >>> > Sent: Thursday, July 19, 2007 9:36 AM
> >>> > To: MailScanner discussion
> >>> > Subject: Re: UNKNOWN CLAMD RETURN
> >>> >
> >>> > Not sure on that Rick as we do not use the reports.  In MailWatch it shows as :-
> >>> >
> >>> > Clamd: message.header was infected: Email.Hdr.Sanesecurity.07061900 FOUND
> >>> >
> >>> > so message.header could be changed to the word SPAM.
> >>>
> >>>
> >>> Do you know what happens to the message? The reason I ask is I can't
> >>> remember what MailScanner does to the message when it cannot find
> >>> $infections->{"$id"}{"$part"} in it's list of associated files (or
> >>> safnames
> >>> I think).
> >> To add a report for the entire message, set $part to "". So if you
> >> add a virus report for the whole message, then the whole message will
> >> be treated as infected. Whether adding this will require a slight
> >> change to MailWatch, I don't know. But that's the right way to do it.
> >> Very dangerous to add a report for an attachment filename that
> >> doesn't exist!
> >>
> >>> It may pass the message untouched and it may remove the entire
> >>> body, I just cannot remember what the reflex would be in this situation.
> >>> Perhaps Julian can answer that. MailWatch is just looking for
> >>> something to
> >>> match the regex in functions.php (IIRC) but MailScanner may end up
> >>> delivering the message and I need to make sure that doesn't happen.
> >>>  
> >>
> >> Jules
> >>
> >
> > Jules
> >
>
> Jules
>
> -- 
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules at Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk
>
>
> -- 
> This message has been scanned for viruses and
> dangerous content by *MailScanner* <http://www.mailscanner.info/>, and is
> believed to be clean. 

Jules

- -- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk



--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
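The rule Jules gives in the quoted thread (file a hit on the header under $part = "" so the whole message is treated as infected, and never file a report against an attachment name that does not exist) as an added Perl example. This is not MailScanner's SweepViruses.pm and not the patch from the thread; the clamd line format "path: SIGNATURE FOUND", the attachment list, the wording "the entire message was" and the signature name on the bogus file are assumptions.

```perl
#!/usr/bin/perl
# Added example, not MailScanner's SweepViruses.pm: file clamd hits as infection
# reports keyed by $part. A hit on the header file (or the message directory itself)
# goes under $part = "" (whole message); a hit on a name that is not a real
# attachment is logged as UNKNOWN CLAMD RETURN instead of being filed.
use strict;
use warnings;

# Classify one clamd line (assumed format "path: SIGNATURE FOUND"). Returns
# ($part, $signature): $part "" = whole message, undef = unmappable path.
# Returns an empty list for lines that are not FOUND results.
sub classify_clamd_line {
    my ($id, $line) = @_;
    return () unless $line =~ /^(.+?): (.+) FOUND$/;
    my ($path, $sig) = ($1, $2);
    $path =~ s{^\./}{};
    return ('', $sig) if $path eq $id || $path eq "$id.header";
    return ($1, $sig) if $path =~ m{^\Q$id\E/([^/]+)$};
    return (undef, $sig);
}

# Build the reports for one message. $known lists the attachment names that
# actually exist, so nothing is ever reported against a missing file.
sub build_reports {
    my ($id, $known, @lines) = @_;
    my (%reports, @unknown);
    for my $line (@lines) {
        my ($part, $sig) = classify_clamd_line($id, $line) or next;
        if (!defined $part || ($part ne '' && !$known->{$part})) {
            push @unknown, "ERROR:: UNKNOWN CLAMD RETURN $line";
            next;
        }
        my $what = $part eq '' ? 'the entire message was' : "$part was";
        $reports{$part} = "Clamd: $what infected: $sig FOUND";
    }
    return (\%reports, \@unknown);
}

# Constructed sample: a message id from the thread, one real attachment, and
# four clamd lines (the signature on ghost.exe is a made-up name).
my $id    = 'E36817CEF53.9B2FD';
my %known = ('msg-19428-1.html' => 1);
my @lines = (
    "./$id/msg-19428-1.html: Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400 FOUND",
    "./$id.header: Email.Scam4.Gen824.Sanesecurity.07051409 FOUND",
    "./$id/ghost.exe: Constructed.Test.Signature FOUND",
    "./$id/notes.txt: OK",
);
my ($reports, $unknown) = build_reports($id, \%known, @lines);
printf "part '%s' => %s\n", $_, $reports->{$_} for sort keys %$reports;
print "$_\n" for @$unknown;
```

The header hit lands under the empty part name and the html attachment under its own name, while the hit on ghost.exe, which is not in the attachment list, is logged rather than filed.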
