UNKNOWN CLAMD RETURN

UxBoD uxbod at splatnix.net
Fri Jul 20 14:01:50 IST 2007


True about "In truth this message does not contain a virus, it's spam." but ClamAV also detects SPAM in the body of the message, so headers should be treated in the same manner.

All appears to be working a treat now, and it means additional virri/spam reporting can be achieved.
----- Original Message -----
From: "Rick Cooper" <rcooper at dwford.com>
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Sent: Friday, July 20, 2007 1:52:46 PM (GMT) Europe/London
Subject: RE: UNKNOWN CLAMD RETURN

 

 > -----Original Message-----
 > From: mailscanner-bounces at lists.mailscanner.info 
 > [mailto:mailscanner-bounces at lists.mailscanner.info] On 
 > Behalf Of UxBoD
 > Sent: Friday, July 20, 2007 8:10 AM
 > To: MailScanner discussion
 > Subject: Re: UNKNOWN CLAMD RETURN
 > 
 > Okay get this now in MailWatch :-
 > 
 > Clamd: headers were infected:
I assume that MailScanner is now catching and logging correctly?

 > 
 > but not filename after it.

That is because filename was set to blank as message header was the source
of the hit not a *file*. See without the sane sigs this would be caught (or
not) by SpamAssassin and neither MailScanner nor MailWatch were designed
with A/V flagging a spam message with a virus sig. The report in MailScanner
would state that the file was "The Entire Message". In truth this message
does not contain a virus, it's spam.

Julian, when a message is exploded and the safename is used and is infected
the filename returned is mapped to the original name from the safename,
correct? How much trouble would it be to automatically add a psuedo filename
such as SPAM to the $this->{safefile2file}{$safename} or {file2parent}{} = ?
Would using a psudeo file name cause issues elsewhere?

I have not run into any of these SaneSecurity header hits with MS because
exim refuses them at delivery (because clamd is run on all incoming messages
during the data phase).

Rick


 > ----- Original Message -----
 > From: "Rick Cooper" <rcooper at dwford.com>
 > To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
 > Sent: Friday, July 20, 2007 12:38:43 PM (GMT) Europe/London
 > Subject: RE: UNKNOWN CLAMD RETURN
 > 
 >  
 > 
 >  > -----Original Message-----
 >  > From: mailscanner-bounces at lists.mailscanner.info 
 >  > [mailto:mailscanner-bounces at lists.mailscanner.info] On 
 >  > Behalf Of UxBoD
 >  > Sent: Friday, July 20, 2007 7:15 AM
 >  > To: MailScanner discussion
 >  > Subject: Re: UNKNOWN CLAMD RETURN
 >  > 
 >  > I put the original .pm back in and applied the patch. <slaps 
 >  > self round face as I patched my modified one :(>
 >  > 
 >  > This is what appears for a normal message :-
 >  > 
 >  > Clamd: msg-19428-1.html was infected: 
 >  > Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400 FOUND
 >  > 
 >  > in maillog I get this :-
 >  > 
 >  > Jul 20 07:08:47 bianchi MailScanner[19442]: ERROR:: UNKNOWN 
 >  > CLAMD RETURN 
 >  > ./E36817CEF53.9B2FD.header/Email.Scam4.Gen824.Sanesecurity.07
 >  > 051409 FOUND :: /var/spool/MailScanner/incoming/19442
 >  > 
 >  > Should I have left my original code in ?
 >  > 
 > 
 > The patch is off. This won't work
 > Matching 
 > ./E36817CEF53.9B2FD.header/Email.Scam4.Gen824.Sanesecurity.07051409
 > FOUND
 >          ^ dot     ^ childname          filename
 > ^rest
 > 
 > my ($dot,$childname,$filename,$rest) = split('/',$results);
 > if ($childname =~ /\.header$/ && $rest =~ /\sFOUND$/) {
 > 
 > Because $filename will match =~ /\sFOUND$/ and rest will be 
 > blank. Try
 > 
 > if ($childname =~ /\.header$/ && $filename =~ /\sFOUND$/) {
 > 
 > 
 > 
 > 
 > 
 >  > ----- Original Message -----
 >  > From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
 >  > To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
 >  > Sent: Friday, July 20, 2007 11:16:41 AM (GMT) Europe/London
 >  > Subject: Re: UNKNOWN CLAMD RETURN
 >  > 
 >  > -----BEGIN PGP SIGNED MESSAGE-----
 >  > Hash: SHA1
 >  > 
 >  > But can you try the exact wording I have in my infection 
 >  > message please? 
 >  > Does MailWatch handle that okay?
 >  > 
 >  > UxBoD wrote:
 >  > > All looks good Jules :D
 >  > >
 >  > > Output from MailWatch :-
 >  > >
 >  > > 20/07/07
 >  > > 02:52:38         XXXXXX at XXXXXX         XXXXXX at XXXXX.com    
 >  >      cialis 
 >  > > and viagra for Everyone!         2.5Kb         29.70    
 >      Spam
 >  > > Virus (Email.Hdr.Sanesecurity.07012400)
 >  > >
 >  > > cialis and viagra for Everyone!
 >  > > Size:        2.5Kb
 >  > > Anti-Virus/Dangerous Content Protection
 >  > > Virus:         Y
 >  > > Blocked File:         N
 >  > > Other Infection:         N
 >  > > Report:        Clamd: message.header was infected: 
 >  > > Email.Hdr.Sanesecurity.07012400 FOUND
 >  > >
 >  > > Now able to report against Viruses/Malware and SPAM :)
 >  > >
 >  > > Rank 	Virus 	Percentage of detection 	Count
 >  > > 1 	Email.Stk.Gen592.Sanesecurity.07071801.pdf 	
 >  > >   	 60%
 >  > >
 >  > > 	129
 >  > > 2 	Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400 	
 >  > >   	 11%
 >  > >
 >  > > 	23
 >  > > 3 	Email.Spam.Gen1007.Sanesecurity.07071800 	
 >  > >   	 8%
 >  > >
 >  > > 	17
 >  > > 4 	Html.Loan.Gen006.Sanesecurity.06120200 	
 >  > >   	 8%
 >  > >
 >  > > 	17
 >  > > 5 	Email.Hdr.Sanesecurity.07012400 	
 >  > >   	 6%
 >  > >
 >  > > 	12
 >  > > 6 	Email.Spam.Gen465.Sanesecurity.07050603 	
 >  > >   	 2%
 >  > >
 >  > > 	5
 >  > > 7 	Html.Img.Gen013.Sanesecurity.06112900 	
 >  > >   	 2%
 >  > >
 >  > > 	5
 >  > > 8 	Html.Phishing.Bank.Rockv2Gen28.Sanesecurity.07061800 	
 >  > >   	 1%
 >  > >
 >  > > 	2
 >  > > 9 	Email.Spam.Gen595.Sanesecurity.07052401 	
 >  > >   	 1%
 >  > >
 >  > > 	2
 >  > > 10 	Email.Spam.Gen903.Sanesecurity.07062812 	
 >  > >   	 1%
 >  > >
 >  > > 	2
 >  > >
 >  > >
 >  > > Another chink in the armour of the commercial AV/AP 
 >  > solution that the 
 >  > > company I work for uses.  MailScanner should be taking it 
 >  > over *very* 
 >  > > soon now :D
 >  > >
 >  > > Thanks again to Rick and Jules. (and SaneSecurity for 
 >  > producing great 
 >  > > additional ClamAV signatures)
 >  > >
 >  > > ----- Original Message -----
 >  > > From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
 >  > > To: "MailScanner discussion" 
 > <mailscanner at lists.mailscanner.info>
 >  > > Sent: Thursday, July 19, 2007 8:16:07 PM (GMT) Europe/London
 >  > > Subject: Re: UNKNOWN CLAMD RETURN
 >  > >
 >  > > Sorry, forgot the attachment as usual!
 >  > >
 >  > > Julian Field wrote:
 >  > > > * PGP Signed: 07/19/07 at 19:50:56
 >  > > >
 >  > > > Please try the attached patch to SweepViruses.pm and let 
 >  > me know how
 >  > > > you get on.
 >  > > >
 >  > > > MailWatch may well not like it completely, as I changed 
 >  > "$part was" to
 >  > > > "headers were" so it will fail to match if Steve looks 
 >  > for "was", but
 >  > > > I'm sticking to English grammar, unless "the entire 
 >  > message was" works
 >  > > > better.
 >  > > >
 >  > > > Please try both and tell me if MailWatch is happy with 
 >  > "the entire
 >  > > > message was" and I'll change my code.
 >  > > >
 >  > > > Has someone actually got an entire message that triggers 
 >  > this code, so
 >  > > > that we can test it on a real message?
 >  > > >
 >  > > > Cheers,
 >  > > > Jules.
 >  > > >
 >  > > >
 >  > > > Julian Field wrote:
 >  > > >> > Old Signed: 07/19/07 at 19:12:27
 >  > > >>
 >  > > >>
 >  > > >>
 >  > > >> Rick Cooper wrote:
 >  > > >>>  
 >  > > >>>
 >  > > >>>  > -----Original Message-----
 >  > > >>>  > From: mailscanner-bounces at lists.mailscanner.info  >
 >  > > >>> [mailto:mailscanner-bounces at lists.mailscanner.info] On 
 >  >  > Behalf Of
 >  > > >>> UxBoD
 >  > > >>>  > Sent: Thursday, July 19, 2007 9:36 AM
 >  > > >>>  > To: MailScanner discussion
 >  > > >>>  > Subject: Re: UNKNOWN CLAMD RETURN
 >  > > >>>  >  > Not sure on that Rick as we do not use the 
 >  > reports.  In  >
 >  > > >>> MailWatch it shows as :-
 >  > > >>>  >  > Clamd: message.header was infected:  >
 >  > > >>> Email.Hdr.Sanesecurity.07061900 FOUND
 >  > > >>>  >  > so message.header could be changed to the word SPAM.
 >  > > >>>
 >  > > >>>
 >  > > >>> Do you know what happens to the message? The reason I 
 >  > ask is I can't
 >  > > >>> remember what MailScanner does to the message when it 
 >  > cannot find
 >  > > >>> $infections->{"$id"}{"$part"} in it's list of 
 >  > associated files (or
 >  > > >>> safnames
 >  > > >>> I think).
 >  > > >> To add a report for the entire message, set $part to 
 >  > "". So if you
 >  > > >> add a virus report for the whole message, then the 
 >  > whole message will
 >  > > >> be treated as infected. Whether adding this will 
 >  > require a slight
 >  > > >> change to MailWatch, I don't know. But that's the right 
 >  > way to do it.
 >  > > >> Very dangerous to add a report for an attachment 
 > filename that
 >  > > >> doesn't exist!
 >  > > >>
 >  > > >>>  It may pass the message untouched and it may 
 > remove the entire
 >  > > >>> body I just cannot remember what the reflex would 
 > be in this 
 >  > > situation.
 >  > > >>> Perhaps Julian can answer that. MailWatch is just 
 > looking for
 >  > > >>> something to
 >  > > >>> match the regex in functions.php (IIRC) but 
 >  > MailScanner may end up
 >  > > >>> delivering the message and I need to make sure that 
 >  > doesn't happen.
 >  > > >>>  
 >  > > >>
 >  > > >> Jules
 >  > > >>
 >  > > >
 >  > > > Jules
 >  > > >
 >  > >
 >  > > Jules
 >  > >
 >  > > -- 
 >  > > Julian Field MEng CITP
 >  > > www.MailScanner.info
 >  > > Buy the MailScanner book at www.MailScanner.info/store
 >  > >
 >  > > MailScanner customisation, or any advanced system 
 >  > administration help?
 >  > > Contact me at Jules at Jules.FM
 >  > >
 >  > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
 >  > > For all your IT requirements visit www.transtec.co.uk
 >  > >
 >  > >
 >  > > -- 
 >  > > This message has been scanned for viruses and
 >  > > dangerous content by *MailScanner* 
 >  > <http://www.mailscanner.info/>, and is
 >  > > believed to be clean. 
 >  > 
 >  > Jules
 >  > 
 >  > - -- 
 >  > Julian Field MEng CITP
 >  > www.MailScanner.info
 >  > Buy the MailScanner book at www.MailScanner.info/store
 >  > 
 >  > MailScanner customisation, or any advanced system 
 >  > administration help?
 >  > Contact me at Jules at Jules.FM
 >  > 
 >  > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
 >  > For all your IT requirements visit www.transtec.co.uk
 >  > 
 >  > 
 >  > -----BEGIN PGP SIGNATURE-----
 >  > Version: PGP Desktop 9.6.2 (Build 2014)
 >  > Charset: UTF-8
 >  > 
 >  > wj8DBQFGoIuKEfZZRxQVtlQRAjgyAJ4wCb3qLBl23pEdBxxHF+Qb8Eci8QCcCDwu
 >  > w643K2td+bPwQioYCko2I6Q=
 >  > =n4Me
 >  > -----END PGP SIGNATURE-----
 >  > 
 >  > -- 
 >  > This message has been scanned for viruses and
 >  > dangerous content by MailScanner, and is
 >  > believed to be clean.
 >  > For all your IT requirements visit www.transtec.co.uk
 >  > 
 >  > --
 >  > MailScanner mailing list
 >  > mailscanner at lists.mailscanner.info
 >  > http://lists.mailscanner.info/mailman/listinfo/mailscanner
 >  > 
 >  > Before posting, read http://wiki.mailscanner.info/posting
 >  > 
 >  > Support MailScanner development - buy the book off the website!
 >  > 
 >  > -- 
 >  > This message has been scanned for viruses and
 >  > dangerous content by MailScanner, and is
 >  > believed to be clean.
 >  > 
 >  > 
 >  > 
 >  > -- 
 >  > This message has been scanned for viruses and
 >  > dangerous content by MailScanner, and is
 >  > believed to be clean.
 >  > 
 >  > -- 
 >  > MailScanner mailing list
 >  > mailscanner at lists.mailscanner.info
 >  > http://lists.mailscanner.info/mailman/listinfo/mailscanner
 >  > 
 >  > Before posting, read http://wiki.mailscanner.info/posting
 >  > 
 >  > Support MailScanner development - buy the book off the website! 
 >  > 
 >  > --
 >  > This message has been scanned for viruses and
 >  > dangerous content by MailScanner, and is
 >  > believed to be clean.
 >  > 
 >  > 
 > 
 > 
 > --
 > This message has been scanned for viruses and
 > dangerous content by MailScanner, and is
 > believed to be clean.
 > 
 > 
 > -- 
 > MailScanner mailing list
 > mailscanner at lists.mailscanner.info
 > http://lists.mailscanner.info/mailman/listinfo/mailscanner
 > 
 > Before posting, read http://wiki.mailscanner.info/posting
 > 
 > Support MailScanner development - buy the book off the website! 
 > 
 > -- 
 > This message has been scanned for viruses and
 > dangerous content by MailScanner, and is
 > believed to be clean.
 > 
 > 
 > 
 > -- 
 > This message has been scanned for viruses and
 > dangerous content by MailScanner, and is
 > believed to be clean.
 > 
 > -- 
 > MailScanner mailing list
 > mailscanner at lists.mailscanner.info
 > http://lists.mailscanner.info/mailman/listinfo/mailscanner
 > 
 > Before posting, read http://wiki.mailscanner.info/posting
 > 
 > Support MailScanner development - buy the book off the website! 
 > 
 > --
 > This message has been scanned for viruses and
 > dangerous content by MailScanner, and is
 > believed to be clean.
 > 
 > 


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



More information about the MailScanner mailing list