Grreting card scams

Matt Kettler mkettler at evi-inc.com
Fri Jul 27 15:15:11 IST 2007


Glenn Steen wrote:
> On 27/07/07, Matt Kettler <mkettler at evi-inc.com> wrote:
>> Rick Cooper wrote:
>>
>> Given that running clamscan on the email file outside of MailScanner
>> detects it
>> as a virus, I've already conclusively proven clamav has the signature
>> and it
>> works properly.
>>
>> One observation, though, the specific test messages I used detected as
>> 1221 not
>> 1222, but they're all related.
>>
>> ecardspam1.eml: Email.Phishing.RB-1221 FOUND
>> ecardspam2.eml: Email.Phishing.RB-1221 FOUND
>> ecardspam3.eml: Email.Phishing.RB-1221 FOUND
>>
>> However, if you insist:
>> # sigtool --list-sigs|grep Email.Phishing.RB-1222
>> Email.Phishing.RB-1222
>>
>> Yes, it's there. Yes, clamscan can use it, and clamscan properly
>> detects the
>> messages as viruses when executed manually. No, clamav via MailScanner
>> cannot
>> detect it.
>>
> Could this perhaps have anything to do with how clam gets fed the
> message in MailScanner....? If I'm not completely senile (always a
> possibility:-), MS doesn't feed it the complete message, hence some
> newstyle sigs will never (be able to) trigger.

That goes back to my original statement that I felt that the difference had to
do with the fact that my MailScanner isn't up-to-date.

I'm quite convinced that this is a MailScanner interfacing issue, as it is quite
clear clamav is working properly outside MS.

(Note: Personally I don't have a problem with this "issue", I was merely joining
in and commenting on it hoping my observations could help others who do have
problems with it.)





More information about the MailScanner mailing list