Greeting card scams

Glenn Steen glenn.steen at gmail.com
Fri Jul 27 15:54:33 IST 2007


On 27/07/07, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
>
>
> Richard Frovarp wrote:
> > Matt Kettler wrote:
> >> Glenn Steen wrote:
> >>
> >>> On 27/07/07, Matt Kettler <mkettler at evi-inc.com> wrote:
> >>>
> >>>> Rick Cooper wrote:
> >>>>
> >>>> Given that running clamscan on the email file outside of MailScanner
> >>>> detects it as a virus, I've already conclusively proven clamav has the
> >>>> signature and it works properly.
> >>>>
> >>>> One observation, though, the specific test messages I used detected as
> >>>> 1221 not 1222, but they're all related.
> >>>>
> >>>> ecardspam1.eml: Email.Phishing.RB-1221 FOUND
> >>>> ecardspam2.eml: Email.Phishing.RB-1221 FOUND
> >>>> ecardspam3.eml: Email.Phishing.RB-1221 FOUND
> >>>>
> >>>> However, if you insist:
> >>>> # sigtool --list-sigs|grep Email.Phishing.RB-1222
> >>>> Email.Phishing.RB-1222
> >>>>
> >>>> Yes, it's there. Yes, clamscan can use it, and clamscan properly
> >>>> detects the messages as viruses when executed manually. No, clamav via
> >>>> MailScanner cannot detect it.
> >>>>
> >>>>
> >>> Could this perhaps have anything to do with how clam gets fed the
> >>> message in MailScanner....? If I'm not completely senile (always a
> >>> possibility:-), MS doesn't feed it the complete message, hence some
> >>> newstyle sigs will never (be able to) trigger.
> >>>
> >>
> >> That goes back to my original statement that I felt that the
> >> difference had to do with the fact that my MailScanner isn't up-to-date.
> >>
> >> I'm quite convinced that this is a MailScanner interfacing issue, as
> >> it is quite clear clamav is working properly outside MS.
> >>
> >> (Note: Personally I don't have a problem with this "issue", I was
> >> merely joining in and commenting on it hoping my observations could
> >> help others who do have problems with it.)
> >>
> >>
> >>
> >>
> > I don't have that one tripping either. I figure it is due to the fact
> > that I stop a lot at the MTA and delete high scoring spam so they
> > never even reach clam.
> I have now written support for passing entire messages to the ClamAV
> scanners. There is a new setting called "Reliably Detect Spam With
> ClamAV" which is "no" by default as it has a speed impact. It has no
> effect when the ClamAV scanners are not being used.
>
> I'll release a new beta shortly.
>
> Jules
You know what Jules... You're an absolute wonder!:)
Was that a book you had on your list, or is it gone already?

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
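
The difference discussed in this thread, as an added example that is not part of the original message and is not MailScanner or ClamAV code: a pattern that spans headers and body matches the raw message file but can never match when the scanner is handed only the unpacked parts. The sample message and both regexes are constructed stand-ins (not real ClamAV signatures), and Python's email module is assumed as a stand-in for the unpacking step.

```python
import re
from email import message_from_bytes

# Constructed sample message (not from the thread); hosts use reserved test ranges.
RAW_EML = (
    b"From: cards@example.invalid\r\n"
    b"To: user@example.invalid\r\n"
    b"Subject: You've received a greeting ecard\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"View your card: http://192.0.2.1/\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"\r\n"
    b'<a href="http://192.0.2.1/">View your card</a>\r\n'
    b"--b1--\r\n"
)

# Toy "whole message" pattern: a header line followed later by a body link.
WHOLE_MESSAGE_SIG = re.compile(
    rb"^Subject: [^\r\n]*ecard.*?http://192\.0\.2\.1/", re.S | re.M | re.I
)
# Toy pattern that only needs body content.
BODY_ONLY_SIG = re.compile(rb"http://192\.0\.2\.1/")


def extracted_parts(raw):
    """Return the decoded leaf MIME parts, i.e. what a parts-only scan sees."""
    msg = message_from_bytes(raw)
    return [p.get_payload(decode=True) for p in msg.walk() if not p.is_multipart()]


def compare(raw, sig):
    """Scan the raw message and the unpacked parts with the same pattern."""
    return {
        "whole_message": bool(sig.search(raw)),
        "parts_only": any(sig.search(p) for p in extracted_parts(raw)),
    }


if __name__ == "__main__":
    print("header+body pattern:", compare(RAW_EML, WHOLE_MESSAGE_SIG))
    print("body-only pattern:  ", compare(RAW_EML, BODY_ONLY_SIG))
```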

