Greeting card scams

Doc Schneider doc at maddoc.net
Thu Jul 26 23:51:06 IST 2007



Glenn Steen wrote:
> On 27/07/07, Matt Kettler <mkettler at evi-inc.com> wrote:
>> Rick Cooper wrote:
>>
>> >  > -----Original Message-----
>> >  > From: mailscanner-bounces at lists.mailscanner.info
>> >  > [mailto:mailscanner-bounces at lists.mailscanner.info] On
>> >  > Behalf Of Matt Kettler
>> >  >
>> >  > However, If I copy one of the messages back onto the server
>> >  > and scan it with
>> >  > clamscan, clamscan does detect it as a virus.
>> >  >
>> >  > However, none of them have ever been detected as a virus
>> >  > while going through
>> >  > MailScanner. Ever. (I just searched all my postmaster
>> >  > notices from MailScanner
>> >  > and the word "You've" doesn't appear in any of them, which
>> >  > would be part of the
>> >  > subject-line quite.).
>> >  >
>> >  > Note that my MailScanner setup does detect phishing signatures.
>> >  >
>> >  > ie:
>> >  >     Report: ClamAV: msg-9454-234.html contains HTML.Phishing.Pay-36
>> >  >     Report: ClamAV: msg-17765-74.html contains Email.Phishing.RB-1260
>> >  >
>> >  > But there are no Email.Phishing.RB-1222's in there anywhere.
>> >  >
>> >
>> > What do you get if you run
>> >
>> > sigtool --list-sigs|grep Email.Phishing.RB-1222
>> >
>> > Perhaps something amiss with the clamdb updates? Accidental dupe installs?
>> >
>> > Rick
>>
>> Given that running clamscan on the email file outside of MailScanner detects it
>> as a virus, I've already conclusively proven clamav has the signature and it
>> works properly.
>>
>> One observation, though, the specific test messages I used detected as 1221 not
>> 1222, but they're all related.
>>
>> ecardspam1.eml: Email.Phishing.RB-1221 FOUND
>> ecardspam2.eml: Email.Phishing.RB-1221 FOUND
>> ecardspam3.eml: Email.Phishing.RB-1221 FOUND
>>
>> However, if you insist:
>> # sigtool --list-sigs|grep Email.Phishing.RB-1222
>> Email.Phishing.RB-1222
>>
>> Yes, it's there. Yes, clamscan can use it, and clamscan properly detects the
>> messages as viruses when executed manually. No, clamav via MailScanner cannot
>> detect it.
>>
> Could this perhaps have anything to do with how clam gets fed the
> message in MailScanner....? If I'm not completely senile (always a
> possibility:-), MS doesn't feed it the complete message, hence some
> newstyle sigs will never (be able to) trigger.
> 
> Cheers

This makes sense... or else we know Jules has been into the
"Guiness(sic)" again! HAR!

--
-Doc
Lincoln, NE.
http://www.genealogyforyou.com/
http://www.cairnproductions.com/

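
An added illustration, not part of any poster's message, of the hypothesis raised in the quoted reply above: if a scanner is handed only the unpacked MIME parts, a pattern that needs a header line together with body content can match the raw .eml yet match none of the parts, while a body-only pattern matches either way. The sample message and both regex "signatures" are constructed stand-ins (assumptions), not ClamAV signatures or MailScanner code.

```python
import re
from email import message_from_bytes

# Constructed sample (not a message from this thread); 192.0.2.10 is a
# documentation-only address.
RAW_EML = (
    b"From: cards@example.com\r\n"
    b"Subject: You've received a greeting card\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"A card is waiting for you, see the HTML part.\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b'<a href="http://192.0.2.10/card">View your card</a>\r\n'
    b"--b1--\r\n"
)

IP_LINK = rb'href="http://\d{1,3}(?:\.\d{1,3}){3}/'
# Hypothetical stand-ins, not ClamAV signatures:
BODY_SIG = re.compile(IP_LINK)  # needs only body content
WHOLE_MSG_SIG = re.compile(     # needs a header line AND body content
    rb"^Subject: You've received[^\r\n]*\r\n.*?" + IP_LINK, re.S | re.M)

def extract_parts(raw):
    """Decode each leaf MIME part, as a gateway unpacking to per-part files would."""
    msg = message_from_bytes(raw)
    return [(p.get_content_type(), p.get_payload(decode=True) or b"")
            for p in msg.walk() if not p.is_multipart()]

def scan_whole(raw, sig):
    """Scan the raw message, headers included (like clamscan on the .eml)."""
    return bool(sig.search(raw))

def scan_parts(raw, sig):
    """Scan only the extracted parts; return content types that matched."""
    return [ctype for ctype, data in extract_parts(raw) if sig.search(data)]

if __name__ == "__main__":
    for name, sig in (("BODY_SIG", BODY_SIG), ("WHOLE_MSG_SIG", WHOLE_MSG_SIG)):
        print(name, "whole:", scan_whole(RAW_EML, sig),
              "parts:", scan_parts(RAW_EML, sig))
```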

