Greeting card scams

Glenn Steen glenn.steen at gmail.com
Thu Jul 26 23:42:44 IST 2007


On 27/07/07, Matt Kettler <mkettler at evi-inc.com> wrote:
> Rick Cooper wrote:
>
> >  > -----Original Message-----
> >  > From: mailscanner-bounces at lists.mailscanner.info
> >  > [mailto:mailscanner-bounces at lists.mailscanner.info] On
> >  > Behalf Of Matt Kettler
> >  >
> >  > However, if I copy one of the messages back onto the server
> >  > and scan it with
> >  > clamscan, clamscan does detect it as a virus.
> >  >
> >  > However, none of them have ever been detected as a virus
> >  > while going through
> >  > MailScanner. Ever. (I just searched all my postmaster
> >  > notices from MailScanner
> >  > and the word "You've" doesn't appear in any of them, which
> >  > would be part of the
> >  > subject-line quite.).
> >  >
> >  > Note that my MailScanner setup does detect phishing signatures.
> >  >
> >  > ie:
> >  >     Report: ClamAV: msg-9454-234.html contains HTML.Phishing.Pay-36
> >  >     Report: ClamAV: msg-17765-74.html contains Email.Phishing.RB-1260
> >  >
> >  > But there are no Email.Phishing.RB-1222's in there anywhere.
> >  >
> >
> > What do you get if you run
> >
> > sigtool --list-sigs|grep Email.Phishing.RB-1222
> >
> > Perhaps something amiss with the clamdb updates? Accidental dupe installs?
> >
> > Rick
>
> Given that running clamscan on the email file outside of MailScanner detects it
> as a virus, I've already conclusively proven clamav has the signature and it
> works properly.
>
> One observation, though, the specific test messages I used detected as 1221 not
> 1222, but they're all related.
>
> ecardspam1.eml: Email.Phishing.RB-1221 FOUND
> ecardspam2.eml: Email.Phishing.RB-1221 FOUND
> ecardspam3.eml: Email.Phishing.RB-1221 FOUND
>
> However, if you insist:
> # sigtool --list-sigs|grep Email.Phishing.RB-1222
> Email.Phishing.RB-1222
>
> Yes, it's there. Yes, clamscan can use it, and clamscan properly detects the
> messages as viruses when executed manually. No, clamav via MailScanner cannot
> detect it.
>
Could this perhaps have anything to do with how clam gets fed the
message in MailScanner....? If I'm not completely senile (always a
possibility:-), MS doesn't feed it the complete message, hence some
newstyle sigs will never (be able to) trigger.

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
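
Added example, not part of the original post and not MailScanner or ClamAV code: a sketch of the effect suggested above, under the assumption that the scanner is handed only the decoded message parts rather than the whole message. The sample message and the two byte patterns are constructed; they are not the real Email.Phishing.RB-1221/1222 definitions.

```python
import email
from email import policy

# Constructed sample message, not one of the e-cards discussed in the thread.
RAW = (
    b"From: sender@example.com\r\n"
    b"To: user@example.org\r\n"
    b"Subject: You've received a greeting card\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Click the link to view your card.\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"\r\n"
    b'<a href="http://example.invalid/">card</a>\r\n'
    b"--b1--\r\n"
)

# Toy byte patterns (assumptions), standing in for two styles of signature.
SIGS = {
    "header_anchored": b"Subject: You've received",  # needs the mail headers
    "body_only": b"example.invalid",                 # lives inside one part
}

def extracted_parts(raw: bytes) -> list:
    """Decoded leaf parts only: what a scanner sees if it is given
    extracted files instead of the original message (assumption)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_payload(decode=True) for p in msg.walk()
            if not p.is_multipart()]

def compare(raw: bytes, sigs: dict) -> dict:
    """Map signature name -> (hit on whole message, hit on extracted parts)."""
    parts = extracted_parts(raw)
    return {name: (pat in raw, any(pat in part for part in parts))
            for name, pat in sigs.items()}

if __name__ == "__main__":
    for name, (whole, parts) in compare(RAW, SIGS).items():
        print(f"{name}: whole message={whole}, extracted parts={parts}")
```

A pattern that depends on header content can only match when the whole message is scanned, which is the difference between the two scan paths described in the thread.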

