Grreting card scams

[Richard Frovarp]

Matt Kettler wrote:
> Glenn Steen wrote:
>   
>> On 27/07/07, Matt Kettler <mkettler at evi-inc.com> wrote:
>>     
>>> Rick Cooper wrote:
>>>
>>> Given that running clamscan on the email file outside of MailScanner
>>> detects it
>>> as a virus, I've already conclusively proven clamav has the signature
>>> and it
>>> works properly.
>>>
>>> One observation, though, the specific test messages I used detected as
>>> 1221 not
>>> 1222, but they're all related.
>>>
>>> ecardspam1.eml: Email.Phishing.RB-1221 FOUND
>>> ecardspam2.eml: Email.Phishing.RB-1221 FOUND
>>> ecardspam3.eml: Email.Phishing.RB-1221 FOUND
>>>
>>> However, if you insist:
>>> # sigtool --list-sigs|grep Email.Phishing.RB-1222
>>> Email.Phishing.RB-1222
>>>
>>> Yes, it's there. Yes, clamscan can use it, and clamscan properly
>>> detects the
>>> messages as viruses when executed manually. No, clamav via MailScanner
>>> cannot
>>> detect it.
>>>
>>>       
>> Could this perhaps have anything to do with how clam gets fed the
>> message in MailScanner....? If I'm not completely senile (always a
>> possibility:-), MS doesn't feed it the complete message, hence some
>> newstyle sigs will never (be able to) trigger.
>>     
>
> That goes back to my original statement that I felt that the difference had to
> do with the fact that my MailScanner isn't up-to-date.
>
> I'm quite convinced that this is a MailScanner interfacing issue, as it is quite
> clear clamav is working properly outside MS.
>
> (Note: Personally I don't have a problem with this "issue", I was merely joining
> in and commenting on it hoping my observations could help others who do have
> problems with it.)
>
>
>
>   
I don't have that one tripping either. I figure it is due to the fact 
that I stop a lot at the MTA and delete high scoring spam so they never 
even reach clam.