Greeting card scams

Glenn Steen glenn.steen at gmail.com
Fri Jul 27 16:11:28 IST 2007


On 27/07/07, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
>
>
> Glenn Steen wrote:
> > On 27/07/07, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
> >
> >> Richard Frovarp wrote:
> >>
> >>> Matt Kettler wrote:
> >>>
> >>>> Glenn Steen wrote:
> >>>>
> >>>>
> >>>>> On 27/07/07, Matt Kettler <mkettler at evi-inc.com> wrote:
> >>>>>
> >>>>>
> >>>>>> Rick Cooper wrote:
> >>>>>>
> >>>>>> Given that running clamscan on the email file outside of MailScanner
> >>>>>> detects it as a virus, I've already conclusively proven clamav has the
> >>>>>> signature and it works properly.
> >>>>>>
> >>>>>> One observation, though, the specific test messages I used detected as
> >>>>>> 1221 not 1222, but they're all related.
> >>>>>>
> >>>>>> ecardspam1.eml: Email.Phishing.RB-1221 FOUND
> >>>>>> ecardspam2.eml: Email.Phishing.RB-1221 FOUND
> >>>>>> ecardspam3.eml: Email.Phishing.RB-1221 FOUND
> >>>>>>
> >>>>>> However, if you insist:
> >>>>>> # sigtool --list-sigs|grep Email.Phishing.RB-1222
> >>>>>> Email.Phishing.RB-1222
> >>>>>>
> >>>>>> Yes, it's there. Yes, clamscan can use it, and clamscan properly
> >>>>>> detects the messages as viruses when executed manually. No, clamav via
> >>>>>> MailScanner cannot detect it.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>> Could this perhaps have anything to do with how clam gets fed the
> >>>>> message in MailScanner....? If I'm not completely senile (always a
> >>>>> possibility:-), MS doesn't feed it the complete message, hence some
> >>>>> newstyle sigs will never (be able to) trigger.
> >>>>>
> >>>>>
> >>>> That goes back to my original statement that I felt that the
> >>>> difference had to do with the fact that my MailScanner isn't up-to-date.
> >>>>
> >>>> I'm quite convinced that this is a MailScanner interfacing issue, as
> >>>> it is quite clear clamav is working properly outside MS.
> >>>>
> >>>> (Note: Personally I don't have a problem with this "issue", I was
> >>>> merely joining in and commenting on it hoping my observations could help
> >>>> others who do have problems with it.)
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>> I don't have that one tripping either. I figure it is due to the fact
> >>> that I stop a lot at the MTA and delete high scoring spam so they
> >>> never even reach clam.
> >>>
> >> I have now written support for passing entire messages to the ClamAV
> >> scanners. There is a new setting called "Reliably Detect Spam With
> >> ClamAV" which is "no" by default as it has a speed impact. It has no
> >> effect when the ClamAV scanners are not being used.
> >>
> >> I'll release a new beta shortly.
> >>
> >> Jules
> >>
> > You know what Jules... You're an absolute wonder!:)
> > Was that a book you had on your list, or is it gone already?
> >
> The book is still there...
>
I'll see what I can do about that ... later tonight...

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
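
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not MailScanner or ClamAV code: a signature that matches across headers and body fires on the raw message file but not when the scanner is handed only the unpacked MIME parts. The message, the regex standing in for a whole-message signature, and the name `Toy.Phishing.Demo` are all constructed for illustration.

```python
import re
from email import message_from_bytes

# Constructed sample message (not one of the ecardspam*.eml files from the thread).
SAMPLE_EML = (
    b"From: greetings@example.invalid\r\n"
    b"To: user@example.invalid\r\n"
    b"Subject: You've received a postcard from a family member!\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"View your card: http://192.0.2.10/?card=abc123\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"\r\n"
    b'<a href="http://192.0.2.10/?card=abc123">View your card</a>\r\n'
    b"--b1--\r\n"
)

# Hypothetical stand-in for a whole-message signature: it needs a header
# line and a raw-IP link from the body to appear in the same byte stream.
TOY_SIG = re.compile(
    rb"Subject: [^\r\n]*postcard.*?http://\d+\.\d+\.\d+\.\d+/", re.S | re.I
)

def scan(buf: bytes) -> str:
    """Report in the same 'NAME FOUND' / 'OK' style clamscan prints."""
    return "Toy.Phishing.Demo FOUND" if TOY_SIG.search(buf) else "OK"

def extracted_parts(raw: bytes) -> list:
    """Decoded payload of each leaf MIME part: what a scanner sees when it is
    given unpacked parts instead of the complete message (headers are gone)."""
    msg = message_from_bytes(raw)
    return [p.get_payload(decode=True) or b""
            for p in msg.walk() if not p.is_multipart()]

def compare(raw: bytes) -> dict:
    """Scan the complete message and each extracted part separately."""
    return {"whole": scan(raw),
            "parts": [scan(p) for p in extracted_parts(raw)]}

if __name__ == "__main__":
    print(compare(SAMPLE_EML))
```
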

