UNKNOWN CLAMD RETURN
Julian Field
MailScanner at ecs.soton.ac.uk
Fri Jul 20 13:50:39 IST 2007
Correct, there shouldn't be a filename, as there was no infected attachment.
What do you see in your maillog?
And what appears in the message in the outgoing queue if you tell it to
deliver virused messages.
UxBoD wrote:
> Okay get this now in MailWatch :-
>
> Clamd: headers were infected:
>
> but not filename after it.
> ----- Original Message -----
> From: "Rick Cooper" <rcooper at dwford.com>
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Sent: Friday, July 20, 2007 12:38:43 PM (GMT) Europe/London
> Subject: RE: UNKNOWN CLAMD RETURN
>
>
>
> > -----Original Message-----
> > From: mailscanner-bounces at lists.mailscanner.info
> > [mailto:mailscanner-bounces at lists.mailscanner.info] On
> > Behalf Of UxBoD
> > Sent: Friday, July 20, 2007 7:15 AM
> > To: MailScanner discussion
> > Subject: Re: UNKNOWN CLAMD RETURN
> >
> > I put the original .pm back in and applied the patch. <slaps
> > self round face as I patched my modified one :(>
> >
> > This is what appears for a normal message :-
> >
> > Clamd: msg-19428-1.html was infected:
> > Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400 FOUND
> >
> > in maillog I get this :-
> >
> > Jul 20 07:08:47 bianchi MailScanner[19442]: ERROR:: UNKNOWN
> > CLAMD RETURN
> > ./E36817CEF53.9B2FD.header/Email.Scam4.Gen824.Sanesecurity.07
> > 051409 FOUND :: /var/spool/MailScanner/incoming/19442
> >
> > Should I have left my original code in ?
> >
>
> The patch is off. This won't work
> Matching ./E36817CEF53.9B2FD.header/Email.Scam4.Gen824.Sanesecurity.07051409
> FOUND
> ^ dot ^ childname filename
> ^rest
>
> my ($dot,$childname,$filename,$rest) = split('/',$results);
> if ($childname =~ /\.header$/ && $rest =~ /\sFOUND$/) {
>
> Because $filename will match =~ /\sFOUND$/ and rest will be blank. Try
>
> if ($childname =~ /\.header$/ && $filename =~ /\sFOUND$/) {
>
>
>
>
>
> > ----- Original Message -----
> > From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
> > To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> > Sent: Friday, July 20, 2007 11:16:41 AM (GMT) Europe/London
> > Subject: Re: UNKNOWN CLAMD RETURN
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > But can you try the exact wording I have in my infection
> > message please?
> > Does MailWatch handle that okay?
> >
> > UxBoD wrote:
> > > All looks good Jules :D
> > >
> > > Output from MailWatch :-
> > >
> > > 20/07/07
> > > 02:52:38 XXXXXX at XXXXXX XXXXXX at XXXXX.com
> > cialis
> > > and viagra for Everyone! 2.5Kb 29.70 Spam
> > > Virus (Email.Hdr.Sanesecurity.07012400)
> > >
> > > cialis and viagra for Everyone!
> > > Size: 2.5Kb
> > > Anti-Virus/Dangerous Content Protection
> > > Virus: Y
> > > Blocked File: N
> > > Other Infection: N
> > > Report: Clamd: message.header was infected:
> > > Email.Hdr.Sanesecurity.07012400 FOUND
> > >
> > > Now able to report against Viruses/Malware and SPAM :)
> > >
> > > Rank Virus Percentage of detection Count
> > > 1 Email.Stk.Gen592.Sanesecurity.07071801.pdf
> > > 60%
> > >
> > > 129
> > > 2 Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400
> > > 11%
> > >
> > > 23
> > > 3 Email.Spam.Gen1007.Sanesecurity.07071800
> > > 8%
> > >
> > > 17
> > > 4 Html.Loan.Gen006.Sanesecurity.06120200
> > > 8%
> > >
> > > 17
> > > 5 Email.Hdr.Sanesecurity.07012400
> > > 6%
> > >
> > > 12
> > > 6 Email.Spam.Gen465.Sanesecurity.07050603
> > > 2%
> > >
> > > 5
> > > 7 Html.Img.Gen013.Sanesecurity.06112900
> > > 2%
> > >
> > > 5
> > > 8 Html.Phishing.Bank.Rockv2Gen28.Sanesecurity.07061800
> > > 1%
> > >
> > > 2
> > > 9 Email.Spam.Gen595.Sanesecurity.07052401
> > > 1%
> > >
> > > 2
> > > 10 Email.Spam.Gen903.Sanesecurity.07062812
> > > 1%
> > >
> > > 2
> > >
> > >
> > > Another chink in the armour of the commercial AV/AP
> > solution that the
> > > company I work for uses. MailScanner should be taking it
> > over *very*
> > > soon now :D
> > >
> > > Thanks again to Rick and Jules. (and SaneSecurity for
> > producing great
> > > additional ClamAV signatures)
> > >
> > > ----- Original Message -----
> > > From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
> > > To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> > > Sent: Thursday, July 19, 2007 8:16:07 PM (GMT) Europe/London
> > > Subject: Re: UNKNOWN CLAMD RETURN
> > >
> > > Sorry, forgot the attachment as usual!
> > >
> > > Julian Field wrote:
> > > > * PGP Signed: 07/19/07 at 19:50:56
> > > >
> > > > Please try the attached patch to SweepViruses.pm and let
> > me know how
> > > > you get on.
> > > >
> > > > MailWatch may well not like it completely, as I changed
> > "$part was" to
> > > > "headers were" so it will fail to match if Steve looks
> > for "was", but
> > > > I'm sticking to English grammar, unless "the entire
> > message was" works
> > > > better.
> > > >
> > > > Please try both and tell me if MailWatch is happy with
> > "the entire
> > > > message was" and I'll change my code.
> > > >
> > > > Has someone actually got an entire message that triggers
> > this code, so
> > > > that we can test it on a real message?
> > > >
> > > > Cheers,
> > > > Jules.
> > > >
> > > >
> > > > Julian Field wrote:
> > > >> > Old Signed: 07/19/07 at 19:12:27
> > > >>
> > > >>
> > > >>
> > > >> Rick Cooper wrote:
> > > >>>
> > > >>>
> > > >>> > -----Original Message-----
> > > >>> > From: mailscanner-bounces at lists.mailscanner.info >
> > > >>> [mailto:mailscanner-bounces at lists.mailscanner.info] On
> > > Behalf Of
> > > >>> UxBoD
> > > >>> > Sent: Thursday, July 19, 2007 9:36 AM
> > > >>> > To: MailScanner discussion
> > > >>> > Subject: Re: UNKNOWN CLAMD RETURN
> > > >>> > > Not sure on that Rick as we do not use the
> > reports. In >
> > > >>> MailWatch it shows as :-
> > > >>> > > Clamd: message.header was infected: >
> > > >>> Email.Hdr.Sanesecurity.07061900 FOUND
> > > >>> > > so message.header could be changed to the word SPAM.
> > > >>>
> > > >>>
> > > >>> Do you know what happens to the message? The reason I
> > ask is I can't
> > > >>> remember what MailScanner does to the message when it
> > cannot find
> > > >>> $infections->{"$id"}{"$part"} in it's list of
> > associated files (or
> > > >>> safnames
> > > >>> I think).
> > > >> To add a report for the entire message, set $part to
> > "". So if you
> > > >> add a virus report for the whole message, then the
> > whole message will
> > > >> be treated as infected. Whether adding this will
> > require a slight
> > > >> change to MailWatch, I don't know. But that's the right
> > way to do it.
> > > >> Very dangerous to add a report for an attachment filename that
> > > >> doesn't exist!
> > > >>
> > > >>> It may pass the message untouched and it may remove the entire
> > > >>> body I just cannot remember what the reflex would be in this
> > > situation.
> > > >>> Perhaps Julian can answer that. MailWatch is just looking for
> > > >>> something to
> > > >>> match the regex in functions.php (IIRC) but
> > MailScanner may end up
> > > >>> delivering the message and I need to make sure that
> > doesn't happen.
> > > >>>
> > > >>
> > > >> Jules
> > > >>
> > > >
> > > > Jules
> > > >
> > >
> > > Jules
> > >
> > > --
> > > Julian Field MEng CITP
> > > www.MailScanner.info
> > > Buy the MailScanner book at www.MailScanner.info/store
> > >
> > > MailScanner customisation, or any advanced system
> > administration help?
> > > Contact me at Jules at Jules.FM
> > >
> > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > > For all your IT requirements visit www.transtec.co.uk
> > >
> > >
> > > --
> > > This message has been scanned for viruses and
> > > dangerous content by *MailScanner*
> > <http://www.mailscanner.info/>, and is
> > > believed to be clean.
> >
> > Jules
> >
> > - --
> > Julian Field MEng CITP
> > www.MailScanner.info
> > Buy the MailScanner book at www.MailScanner.info/store
> >
> > MailScanner customisation, or any advanced system
> > administration help?
> > Contact me at Jules at Jules.FM
> >
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > For all your IT requirements visit www.transtec.co.uk
> >
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP Desktop 9.6.2 (Build 2014)
> > Charset: UTF-8
> >
> > wj8DBQFGoIuKEfZZRxQVtlQRAjgyAJ4wCb3qLBl23pEdBxxHF+Qb8Eci8QCcCDwu
> > w643K2td+bPwQioYCko2I6Q=
> > =n4Me
> > -----END PGP SIGNATURE-----
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> > For all your IT requirements visit www.transtec.co.uk
> >
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> >
> >
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> >
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> >
> >
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
>
Jules
--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk
More information about the MailScanner
mailing list