Greeting card scams

Matt Kettler mkettler at evi-inc.com
Thu Jul 26 23:23:11 IST 2007


Rick Cooper wrote:

>  > -----Original Message-----
>  > From: mailscanner-bounces at lists.mailscanner.info 
>  > [mailto:mailscanner-bounces at lists.mailscanner.info] On 
>  > Behalf Of Matt Kettler
>  > 
>  > However, if I copy one of the messages back onto the server
>  > and scan it with
>  > clamscan, clamscan does detect it as a virus.
>  > 
>  > However, none of them have ever been detected as a virus 
>  > while going through
>  > MailScanner. Ever. (I just searched all my postmaster 
>  > notices from MailScanner
>  > and the word "You've" doesn't appear in any of them, which 
>  > would be part of the
>  > subject-line quite.).
>  > 
>  > Note that my MailScanner setup does detect phishing signatures.
>  > 
>  > ie:
>  >     Report: ClamAV: msg-9454-234.html contains HTML.Phishing.Pay-36
>  >     Report: ClamAV: msg-17765-74.html contains Email.Phishing.RB-1260
>  > 
>  > But there are no Email.Phishing.RB-1222's in there anywhere.
>  > 
> 
> What do you get if you run
> 
> sigtool --list-sigs|grep Email.Phishing.RB-1222
> 
> Perhaps something amiss with the clamdb updates? Accidental dupe installs?
> 
> Rick

Given that running clamscan on the email file outside of MailScanner detects it
as a virus, I've already conclusively proven clamav has the signature and it
works properly.

One observation, though: the specific test messages I used were detected as 1221,
not 1222, but they're all related.

ecardspam1.eml: Email.Phishing.RB-1221 FOUND
ecardspam2.eml: Email.Phishing.RB-1221 FOUND
ecardspam3.eml: Email.Phishing.RB-1221 FOUND

However, if you insist:
# sigtool --list-sigs|grep Email.Phishing.RB-1222
Email.Phishing.RB-1222

Yes, it's there. Yes, clamscan can use it, and clamscan properly detects the
messages as viruses when executed manually. No, clamav via MailScanner cannot
detect it.












