Greeting card scams
Doc Schneider
doc at maddoc.net
Thu Jul 26 23:51:06 IST 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Glenn Steen wrote:
> On 27/07/07, Matt Kettler <mkettler at evi-inc.com> wrote:
>> Rick Cooper wrote:
>>
>> > > -----Original Message-----
>> > > From: mailscanner-bounces at lists.mailscanner.info
>> > > [mailto:mailscanner-bounces at lists.mailscanner.info] On
>> > > Behalf Of Matt Kettler
>> > >
>> > > However, if I copy one of the messages back onto the server
>> > > and scan it with
>> > > clamscan, clamscan does detect it as a virus.
>> > >
>> > > However, none of them have ever been detected as a virus
>> > > while going through
>> > > MailScanner. Ever. (I just searched all my postmaster
>> > > notices from MailScanner
>> > > and the word "You've" doesn't appear in any of them, which
>> > > would be part of the
>> > > subject-line quite.).
>> > >
>> > > Note that my MailScanner setup does detect phishing signatures.
>> > >
>> > > ie:
>> > > Report: ClamAV: msg-9454-234.html contains HTML.Phishing.Pay-36
>> > > Report: ClamAV: msg-17765-74.html contains Email.Phishing.RB-1260
>> > >
>> > > But there are no Email.Phishing.RB-1222's in there anywhere.
>> > >
>> >
>> > What do you get if you run
>> >
>> > sigtool --list-sigs|grep Email.Phishing.RB-1222
>> >
>> > Perhaps something amiss with the clamdb updates? Accidental dupe installs?
>> >
>> > Rick
>>
>> Given that running clamscan on the email file outside of MailScanner detects it
>> as a virus, I've already conclusively proven clamav has the signature and it
>> works properly.
>>
>> One observation, though, the specific test messages I used detected as 1221 not
>> 1222, but they're all related.
>>
>> ecardspam1.eml: Email.Phishing.RB-1221 FOUND
>> ecardspam2.eml: Email.Phishing.RB-1221 FOUND
>> ecardspam3.eml: Email.Phishing.RB-1221 FOUND
>>
>> However, if you insist:
>> # sigtool --list-sigs|grep Email.Phishing.RB-1222
>> Email.Phishing.RB-1222
>>
>> Yes, it's there. Yes, clamscan can use it, and clamscan properly detects the
>> messages as viruses when executed manually. No, clamav via MailScanner cannot
>> detect it.
>>
> Could this perhaps have anything to do with how clam gets fed the
> message in MailScanner....? If I'm not completely senile (always a
> possibility:-), MS doesn't feed it the complete message, hence some
> newstyle sigs will never (be able to) trigger.
>
> Cheers
This makes sense... or else we know Jules has been into the
"Guiness(sic)" again! HAR!
- --
- -Doc
Lincoln, NE.
http://www.genealogyforyou.com/
http://www.cairnproductions.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org
iD8DBQFGqSVaqOEeBwEpgcsRAtp1AJsFDG1AQYOI5Foxfy5rNrD06ZDy2wCZAfMF
WQCbBM2nqqKrHxIu3aNi+Ks=
=bX2c
-----END PGP SIGNATURE-----
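The effect Glenn suggests in the quoted text above, as an added example that is not part of the original thread and is not MailScanner or ClamAV code: a pattern that needs both a header line and body text matches the raw message file but none of the extracted parts, while a body-only pattern still matches a part. The sample message, both toy regex "signatures" and the assumption that the scanner sees only decoded leaf parts are constructed for illustration.

```python
import re
from email import message_from_bytes
from email.policy import default

# Constructed sample message (not one of the messages from the thread).
RAW_EML = (
    b"From: greetings@example.com\r\n"
    b"To: user@example.org\r\n"
    b"Subject: You've received a postcard from a family member!\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Click here to view your card: http://192.0.2.10/?id=abc\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b'<a href="http://192.0.2.10/?id=abc">View your card</a>\r\n'
    b"--b1--\r\n"
)

# Toy stand-ins for signatures (assumptions, not real ClamAV signatures).
# WHOLE_SIG needs a header line AND a body URL; BODY_SIG needs body HTML only.
WHOLE_SIG = re.compile(rb"Subject: You've received .*?http://\d+\.\d+\.\d+\.\d+/", re.S)
BODY_SIG = re.compile(rb'<a href="http://\d+\.\d+\.\d+\.\d+/')

def extracted_parts(raw):
    """Decoded leaf-part payloads, as a part-by-part scanner would see them."""
    msg = message_from_bytes(raw, policy=default)
    return [p.get_payload(decode=True) for p in msg.walk() if not p.is_multipart()]

def scan_whole(raw, sig):
    """Scan the raw message file, headers included (like clamscan on an .eml)."""
    return bool(sig.search(raw))

def scan_parts(raw, sig):
    """Scan each extracted part on its own; headers are never seen."""
    return any(sig.search(part) for part in extracted_parts(raw))

if __name__ == "__main__":
    for name, sig in (("WHOLE_SIG", WHOLE_SIG), ("BODY_SIG", BODY_SIG)):
        print(name, "whole:", scan_whole(RAW_EML, sig),
              "parts:", scan_parts(RAW_EML, sig))
```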