UNKNOWN CLAMD RETURN

UxBoD uxbod at splatnix.net
Fri Jul 20 13:52:58 IST 2007


Okay,  Had to change the code, but now get in /var/log/messages :-

Jul 20 08:41:33 XXXXXX MailScanner[32693]: INFECTED:: Email.Hdr.Sanesecurity.07012400 FOUND :: ./DA5777CF28A.F0607/

and in MailWatch :-

Clamd: headers was infected: Email.Hdr.Sanesecurity.07012400 FOUND

Jules, I had to change were to was for it to display on the main message screen.  Plus fixed a type.

Updated patch is attached.

Cheers,


----- Original Message -----
From: "UxBoD" <uxbod at splatnix.net>
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Sent: Friday, July 20, 2007 1:09:46 PM (GMT) Europe/London
Subject: Re: UNKNOWN CLAMD RETURN

Okay get this now in MailWatch :-

Clamd: headers were infected:

but not filename after it.
----- Original Message -----
From: "Rick Cooper" <rcooper at dwford.com>
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Sent: Friday, July 20, 2007 12:38:43 PM (GMT) Europe/London
Subject: RE: UNKNOWN CLAMD RETURN

 

 > -----Original Message-----
 > From: mailscanner-bounces at lists.mailscanner.info 
 > [mailto:mailscanner-bounces at lists.mailscanner.info] On 
 > Behalf Of UxBoD
 > Sent: Friday, July 20, 2007 7:15 AM
 > To: MailScanner discussion
 > Subject: Re: UNKNOWN CLAMD RETURN
 > 
 > I put the original .pm back in and applied the patch. <slaps 
 > self round face as I patched my modified one :(>
 > 
 > This is what appears for a normal message :-
 > 
 > Clamd: msg-19428-1.html was infected: 
 > Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400 FOUND
 > 
 > in maillog I get this :-
 > 
 > Jul 20 07:08:47 bianchi MailScanner[19442]: ERROR:: UNKNOWN 
 > CLAMD RETURN 
 > ./E36817CEF53.9B2FD.header/Email.Scam4.Gen824.Sanesecurity.07
 > 051409 FOUND :: /var/spool/MailScanner/incoming/19442
 > 
 > Should I have left my original code in ?
 > 

The patch is off. This won't work
Matching ./E36817CEF53.9B2FD.header/Email.Scam4.Gen824.Sanesecurity.07051409
FOUND
         ^ dot     ^ childname          filename
^rest

my ($dot,$childname,$filename,$rest) = split('/',$results);
if ($childname =~ /\.header$/ && $rest =~ /\sFOUND$/) {

Because $filename will match =~ /\sFOUND$/ and rest will be blank. Try

if ($childname =~ /\.header$/ && $filename =~ /\sFOUND$/) {





 > ----- Original Message -----
 > From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
 > To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
 > Sent: Friday, July 20, 2007 11:16:41 AM (GMT) Europe/London
 > Subject: Re: UNKNOWN CLAMD RETURN
 > 
 > -----BEGIN PGP SIGNED MESSAGE-----
 > Hash: SHA1
 > 
 > But can you try the exact wording I have in my infection 
 > message please? 
 > Does MailWatch handle that okay?
 > 
 > UxBoD wrote:
 > > All looks good Jules :D
 > >
 > > Output from MailWatch :-
 > >
 > > 20/07/07
 > > 02:52:38         XXXXXX at XXXXXX         XXXXXX at XXXXX.com    
 >      cialis 
 > > and viagra for Everyone!         2.5Kb         29.70         Spam
 > > Virus (Email.Hdr.Sanesecurity.07012400)
 > >
 > > cialis and viagra for Everyone!
 > > Size:        2.5Kb
 > > Anti-Virus/Dangerous Content Protection
 > > Virus:         Y
 > > Blocked File:         N
 > > Other Infection:         N
 > > Report:        Clamd: message.header was infected: 
 > > Email.Hdr.Sanesecurity.07012400 FOUND
 > >
 > > Now able to report against Viruses/Malware and SPAM :)
 > >
 > > Rank 	Virus 	Percentage of detection 	Count
 > > 1 	Email.Stk.Gen592.Sanesecurity.07071801.pdf 	
 > >   	 60%
 > >
 > > 	129
 > > 2 	Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400 	
 > >   	 11%
 > >
 > > 	23
 > > 3 	Email.Spam.Gen1007.Sanesecurity.07071800 	
 > >   	 8%
 > >
 > > 	17
 > > 4 	Html.Loan.Gen006.Sanesecurity.06120200 	
 > >   	 8%
 > >
 > > 	17
 > > 5 	Email.Hdr.Sanesecurity.07012400 	
 > >   	 6%
 > >
 > > 	12
 > > 6 	Email.Spam.Gen465.Sanesecurity.07050603 	
 > >   	 2%
 > >
 > > 	5
 > > 7 	Html.Img.Gen013.Sanesecurity.06112900 	
 > >   	 2%
 > >
 > > 	5
 > > 8 	Html.Phishing.Bank.Rockv2Gen28.Sanesecurity.07061800 	
 > >   	 1%
 > >
 > > 	2
 > > 9 	Email.Spam.Gen595.Sanesecurity.07052401 	
 > >   	 1%
 > >
 > > 	2
 > > 10 	Email.Spam.Gen903.Sanesecurity.07062812 	
 > >   	 1%
 > >
 > > 	2
 > >
 > >
 > > Another chink in the armour of the commercial AV/AP 
 > solution that the 
 > > company I work for uses.  MailScanner should be taking it 
 > over *very* 
 > > soon now :D
 > >
 > > Thanks again to Rick and Jules. (and SaneSecurity for 
 > producing great 
 > > additional ClamAV signatures)
 > >
 > > ----- Original Message -----
 > > From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
 > > To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
 > > Sent: Thursday, July 19, 2007 8:16:07 PM (GMT) Europe/London
 > > Subject: Re: UNKNOWN CLAMD RETURN
 > >
 > > Sorry, forgot the attachment as usual!
 > >
 > > Julian Field wrote:
 > > > * PGP Signed: 07/19/07 at 19:50:56
 > > >
 > > > Please try the attached patch to SweepViruses.pm and let 
 > me know how
 > > > you get on.
 > > >
 > > > MailWatch may well not like it completely, as I changed 
 > "$part was" to
 > > > "headers were" so it will fail to match if Steve looks 
 > for "was", but
 > > > I'm sticking to English grammar, unless "the entire 
 > message was" works
 > > > better.
 > > >
 > > > Please try both and tell me if MailWatch is happy with 
 > "the entire
 > > > message was" and I'll change my code.
 > > >
 > > > Has someone actually got an entire message that triggers 
 > this code, so
 > > > that we can test it on a real message?
 > > >
 > > > Cheers,
 > > > Jules.
 > > >
 > > >
 > > > Julian Field wrote:
 > > >> > Old Signed: 07/19/07 at 19:12:27
 > > >>
 > > >>
 > > >>
 > > >> Rick Cooper wrote:
 > > >>>  
 > > >>>
 > > >>>  > -----Original Message-----
 > > >>>  > From: mailscanner-bounces at lists.mailscanner.info  >
 > > >>> [mailto:mailscanner-bounces at lists.mailscanner.info] On 
 >  > Behalf Of
 > > >>> UxBoD
 > > >>>  > Sent: Thursday, July 19, 2007 9:36 AM
 > > >>>  > To: MailScanner discussion
 > > >>>  > Subject: Re: UNKNOWN CLAMD RETURN
 > > >>>  >  > Not sure on that Rick as we do not use the 
 > reports.  In  >
 > > >>> MailWatch it shows as :-
 > > >>>  >  > Clamd: message.header was infected:  >
 > > >>> Email.Hdr.Sanesecurity.07061900 FOUND
 > > >>>  >  > so message.header could be changed to the word SPAM.
 > > >>>
 > > >>>
 > > >>> Do you know what happens to the message? The reason I 
 > ask is I can't
 > > >>> remember what MailScanner does to the message when it 
 > cannot find
 > > >>> $infections->{"$id"}{"$part"} in it's list of 
 > associated files (or
 > > >>> safnames
 > > >>> I think).
 > > >> To add a report for the entire message, set $part to 
 > "". So if you
 > > >> add a virus report for the whole message, then the 
 > whole message will
 > > >> be treated as infected. Whether adding this will 
 > require a slight
 > > >> change to MailWatch, I don't know. But that's the right 
 > way to do it.
 > > >> Very dangerous to add a report for an attachment filename that
 > > >> doesn't exist!
 > > >>
 > > >>>  It may pass the message untouched and it may remove the entire
 > > >>> body I just cannot remember what the reflex would be in this 
 > > situation.
 > > >>> Perhaps Julian can answer that. MailWatch is just looking for
 > > >>> something to
 > > >>> match the regex in functions.php (IIRC) but 
 > MailScanner may end up
 > > >>> delivering the message and I need to make sure that 
 > doesn't happen.
 > > >>>  
 > > >>
 > > >> Jules
 > > >>
 > > >
 > > > Jules
 > > >
 > >
 > > Jules
 > >
 > > -- 
 > > Julian Field MEng CITP
 > > www.MailScanner.info
 > > Buy the MailScanner book at www.MailScanner.info/store
 > >
 > > MailScanner customisation, or any advanced system 
 > administration help?
 > > Contact me at Jules at Jules.FM
 > >
 > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
 > > For all your IT requirements visit www.transtec.co.uk
 > >
 > >
 > > -- 
 > > This message has been scanned for viruses and
 > > dangerous content by *MailScanner* 
 > <http://www.mailscanner.info/>, and is
 > > believed to be clean. 
 > 
 > Jules
 > 
 > - -- 
 > Julian Field MEng CITP
 > www.MailScanner.info
 > Buy the MailScanner book at www.MailScanner.info/store
 > 
 > MailScanner customisation, or any advanced system 
 > administration help?
 > Contact me at Jules at Jules.FM
 > 
 > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
 > For all your IT requirements visit www.transtec.co.uk
 > 
 > 
 > -----BEGIN PGP SIGNATURE-----
 > Version: PGP Desktop 9.6.2 (Build 2014)
 > Charset: UTF-8
 > 
 > wj8DBQFGoIuKEfZZRxQVtlQRAjgyAJ4wCb3qLBl23pEdBxxHF+Qb8Eci8QCcCDwu
 > w643K2td+bPwQioYCko2I6Q=
 > =n4Me
 > -----END PGP SIGNATURE-----
 > 
 > -- 
 > This message has been scanned for viruses and
 > dangerous content by MailScanner, and is
 > believed to be clean.
 > For all your IT requirements visit www.transtec.co.uk
 > 
 > --
 > MailScanner mailing list
 > mailscanner at lists.mailscanner.info
 > http://lists.mailscanner.info/mailman/listinfo/mailscanner
 > 
 > Before posting, read http://wiki.mailscanner.info/posting
 > 
 > Support MailScanner development - buy the book off the website!
 > 
 > -- 
 > This message has been scanned for viruses and
 > dangerous content by MailScanner, and is
 > believed to be clean.
 > 
 > 
 > 
 > -- 
 > This message has been scanned for viruses and
 > dangerous content by MailScanner, and is
 > believed to be clean.
 > 
 > -- 
 > MailScanner mailing list
 > mailscanner at lists.mailscanner.info
 > http://lists.mailscanner.info/mailman/listinfo/mailscanner
 > 
 > Before posting, read http://wiki.mailscanner.info/posting
 > 
 > Support MailScanner development - buy the book off the website! 
 > 
 > --
 > This message has been scanned for viruses and
 > dangerous content by MailScanner, and is
 > believed to be clean.
 > 
 > 


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: SweepViruses.pm.patch
Type: text/x-patch
Size: 2253 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070720/4d511703/SweepViruses.pm.bin


More information about the MailScanner mailing list