UNKNOWN CLAMD RETURN
UxBoD
uxbod at splatnix.net
Fri Jul 20 13:52:58 IST 2007
Okay, had to change the code, but now get this in /var/log/messages :-
Jul 20 08:41:33 XXXXXX MailScanner[32693]: INFECTED:: Email.Hdr.Sanesecurity.07012400 FOUND :: ./DA5777CF28A.F0607/
and in MailWatch :-
Clamd: headers was infected: Email.Hdr.Sanesecurity.07012400 FOUND
Jules, I had to change "were" to "was" for it to display on the main message screen. Plus fixed a typo.
Updated patch is attached.
Cheers,
----- Original Message -----
From: "UxBoD" <uxbod at splatnix.net>
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Sent: Friday, July 20, 2007 1:09:46 PM (GMT) Europe/London
Subject: Re: UNKNOWN CLAMD RETURN
Okay, I get this now in MailWatch :-
Clamd: headers were infected:
but not the filename after it.
----- Original Message -----
From: "Rick Cooper" <rcooper at dwford.com>
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Sent: Friday, July 20, 2007 12:38:43 PM (GMT) Europe/London
Subject: RE: UNKNOWN CLAMD RETURN
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of UxBoD
> Sent: Friday, July 20, 2007 7:15 AM
> To: MailScanner discussion
> Subject: Re: UNKNOWN CLAMD RETURN
>
> I put the original .pm back in and applied the patch. <slaps
> self round face as I patched my modified one :(>
>
> This is what appears for a normal message :-
>
> Clamd: msg-19428-1.html was infected:
> Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400 FOUND
>
> in maillog I get this :-
>
> Jul 20 07:08:47 bianchi MailScanner[19442]: ERROR:: UNKNOWN CLAMD RETURN ./E36817CEF53.9B2FD.header/Email.Scam4.Gen824.Sanesecurity.07051409 FOUND :: /var/spool/MailScanner/incoming/19442
>
> Should I have left my original code in?
>
The patch is off. This won't work:
Matching ./E36817CEF53.9B2FD.header/Email.Scam4.Gen824.Sanesecurity.07051409 FOUND
         ^ dot
           ^ childname
                                    ^ filename
                                                                                  ^ rest
my ($dot,$childname,$filename,$rest) = split('/',$results);
if ($childname =~ /\.header$/ && $rest =~ /\sFOUND$/) {
Because $filename will match =~ /\sFOUND$/ and $rest will be blank. Try:
if ($childname =~ /\.header$/ && $filename =~ /\sFOUND$/) {
> ----- Original Message -----
> From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Sent: Friday, July 20, 2007 11:16:41 AM (GMT) Europe/London
> Subject: Re: UNKNOWN CLAMD RETURN
>
>
> But can you try the exact wording I have in my infection
> message please?
> Does MailWatch handle that okay?
>
> UxBoD wrote:
> > All looks good Jules :D
> >
> > Output from MailWatch :-
> >
> > 20/07/07 02:52:38  XXXXXX at XXXXXX  XXXXXX at XXXXX.com  cialis and viagra for Everyone!  2.5Kb  29.70  Spam Virus (Email.Hdr.Sanesecurity.07012400)
> >
> > cialis and viagra for Everyone!
> > Size: 2.5Kb
> > Anti-Virus/Dangerous Content Protection
> > Virus: Y
> > Blocked File: N
> > Other Infection: N
> > Report: Clamd: message.header was infected: Email.Hdr.Sanesecurity.07012400 FOUND
> >
> > Now able to report against Viruses/Malware and SPAM :)
> >
> > Rank  Virus                                                 Percentage of detection  Count
> >    1  Email.Stk.Gen592.Sanesecurity.07071801.pdf            60%                        129
> >    2  Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400  11%                         23
> >    3  Email.Spam.Gen1007.Sanesecurity.07071800               8%                         17
> >    4  Html.Loan.Gen006.Sanesecurity.06120200                 8%                         17
> >    5  Email.Hdr.Sanesecurity.07012400                        6%                         12
> >    6  Email.Spam.Gen465.Sanesecurity.07050603                2%                          5
> >    7  Html.Img.Gen013.Sanesecurity.06112900                  2%                          5
> >    8  Html.Phishing.Bank.Rockv2Gen28.Sanesecurity.07061800   1%                          2
> >    9  Email.Spam.Gen595.Sanesecurity.07052401                1%                          2
> >   10  Email.Spam.Gen903.Sanesecurity.07062812                1%                          2
> >
> >
> > Another chink in the armour of the commercial AV/AP solution that the
> > company I work for uses. MailScanner should be taking it over *very*
> > soon now :D
> >
> > Thanks again to Rick and Jules. (and SaneSecurity for producing great
> > additional ClamAV signatures)
> >
> > ----- Original Message -----
> > From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
> > To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> > Sent: Thursday, July 19, 2007 8:16:07 PM (GMT) Europe/London
> > Subject: Re: UNKNOWN CLAMD RETURN
> >
> > Sorry, forgot the attachment as usual!
> >
> > Julian Field wrote:
> > >
> > > Please try the attached patch to SweepViruses.pm and let me know how
> > > you get on.
> > >
> > > MailWatch may well not like it completely, as I changed "$part was" to
> > > "headers were" so it will fail to match if Steve looks for "was", but
> > > I'm sticking to English grammar, unless "the entire message was" works
> > > better.
> > >
> > > Please try both and tell me if MailWatch is happy with "the entire
> > > message was" and I'll change my code.
> > >
> > > Has someone actually got an entire message that triggers this code, so
> > > that we can test it on a real message?
> > >
> > > Cheers,
> > > Jules.
> > >
> > >
> > > Julian Field wrote:
> > >>
> > >>
> > >>
> > >> Rick Cooper wrote:
> > >>>
> > >>>
> > >>> > -----Original Message-----
> > >>> > From: mailscanner-bounces at lists.mailscanner.info
> > >>> > [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of UxBoD
> > >>> > Sent: Thursday, July 19, 2007 9:36 AM
> > >>> > To: MailScanner discussion
> > >>> > Subject: Re: UNKNOWN CLAMD RETURN
> > >>> >
> > >>> > Not sure on that Rick as we do not use the reports. In
> > >>> > MailWatch it shows as :-
> > >>> >
> > >>> > Clamd: message.header was infected:
> > >>> > Email.Hdr.Sanesecurity.07061900 FOUND
> > >>> >
> > >>> > so message.header could be changed to the word SPAM.
> > >>>
> > >>>
> > >>> Do you know what happens to the message? The reason I ask is I can't
> > >>> remember what MailScanner does to the message when it cannot find
> > >>> $infections->{"$id"}{"$part"} in its list of associated files (or
> > >>> safnames I think).
> > >> To add a report for the entire message, set $part to "". So if you
> > >> add a virus report for the whole message, then the whole message will
> > >> be treated as infected. Whether adding this will require a slight
> > >> change to MailWatch, I don't know. But that's the right way to do it.
> > >> Very dangerous to add a report for an attachment filename that
> > >> doesn't exist!
> > >>
> > >>> It may pass the message untouched and it may remove the entire
> > >>> body; I just cannot remember what the reflex would be in this
> > >>> situation. Perhaps Julian can answer that. MailWatch is just looking
> > >>> for something to match the regex in functions.php (IIRC) but
> > >>> MailScanner may end up delivering the message and I need to make
> > >>> sure that doesn't happen.
> > >>>
> > >>
> > >> Jules
> > >>
> > >
> > > Jules
> > >
> >
> > Jules
> >
> > --
> > Julian Field MEng CITP
> > www.MailScanner.info
> > Buy the MailScanner book at www.MailScanner.info/store
> >
> > MailScanner customisation, or any advanced system administration help?
> > Contact me at Jules at Jules.FM
> >
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > For all your IT requirements visit www.transtec.co.uk
> >
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by *MailScanner* <http://www.mailscanner.info/>, and is
> > believed to be clean.
>
> Jules
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SweepViruses.pm.patch
Type: text/x-patch
Size: 2253 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070720/4d511703/SweepViruses.pm.bin
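Rick's diagnosis (splitting on "/" leaves $rest empty, so the header test can never fire) and Jules' point that a whole-message report uses an empty $part, worked through as a stand-alone Perl script. This is an added example, not MailScanner's SweepViruses.pm or the attached patch: the header result line is the one from the ERROR:: log line in the thread, the attachment line and its "name: SIG FOUND" layout are constructed here for contrast, and classify_hit is a hypothetical helper.

```perl
#!/usr/bin/perl
# Added example, not MailScanner's SweepViruses.pm or the thread's patch.
use strict;
use warnings;

# Result line taken from the ERROR:: UNKNOWN CLAMD RETURN log line in the thread.
my $header_hit = './E36817CEF53.9B2FD.header/Email.Scam4.Gen824.Sanesecurity.07051409 FOUND';
# Constructed line for an ordinary attachment hit ("name: SIG FOUND" layout is an assumption).
my $attach_hit = './E36817CEF53.9B2FD/msg-19428-1.html: Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400 FOUND';

# The check as posted: split on "/" puts "<sig> FOUND" into $filename, so
# $rest is undef and the conjunction can never be true.
sub header_hit_broken {
    my ($results) = @_;
    my ($dot, $childname, $filename, $rest) = split('/', $results);
    $rest = '' unless defined $rest;        # avoid an "uninitialized" warning
    return ($childname =~ /\.header$/ && $rest =~ /\sFOUND$/) ? 1 : 0;
}

# Rick's correction: test $filename, which is where "FOUND" actually lands.
sub header_hit_fixed {
    my ($results) = @_;
    my ($dot, $childname, $filename) = split('/', $results);
    return ($childname =~ /\.header$/ && $filename =~ /\sFOUND$/) ? 1 : 0;
}

# Hypothetical helper: map a result line to ($id, $part, $signature). A header
# hit gets $part = "" so, per Jules' note, the report applies to the whole
# message instead of to an attachment name that does not exist in the spool.
sub classify_hit {
    my ($results) = @_;
    my (undef, $childname, $filename) = split('/', $results, 3);
    my ($sig) = $filename =~ /(\S+)\sFOUND$/;
    return () unless defined $sig;
    if ($childname =~ /^(.+)\.header$/) {
        return ($1, '', $sig);               # whole-message report
    }
    my ($part) = $filename =~ /^(.+?):\s/;   # attachment name before ": SIG FOUND"
    return () unless defined $part;
    return ($childname, $part, $sig);
}

for my $line ($header_hit, $attach_hit) {
    my ($id, $part, $sig) = classify_hit($line);
    printf "broken=%d fixed=%d id=%s part=%s sig=%s\n",
        header_hit_broken($line), header_hit_fixed($line),
        $id, ($part eq '' ? '(whole message)' : $part), $sig;
}
```

On the thread's header line the posted check returns 0 and the corrected one returns 1; classify_hit yields id E36817CEF53.9B2FD with an empty part, while the constructed attachment line yields part msg-19428-1.html.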