Greeting card scams

Glenn Steen glenn.steen at gmail.com
Fri Jul 27 20:37:16 IST 2007


On 27/07/07, UxBoD <uxbod at splatnix.net> wrote:
> ClamAV Full Message Scan:
>
> Regards,

This one isn't half bad, provided one has a really good explanation
comment....:)

> --[ UxBoD ]--
> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
> // Phone: +44 845 869 2749 SIP Phone: uxbod at sip.splatnix.net
>
> ----- Original Message -----
> From: "Alex Broens" <ms-list at alexb.ch>
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Sent: 27 July 2007 15:52:11 o'clock (GMT) Europe/London
> Subject: Re: Greeting card scams
>
> On 7/27/2007 4:42 PM, Julian Field wrote:
> >
> >
> > Richard Frovarp wrote:
> >> Matt Kettler wrote:
> >>> Glenn Steen wrote:
> >>>
> >>>> On 27/07/07, Matt Kettler <mkettler at evi-inc.com> wrote:
> >>>>
> >>>>> Rick Cooper wrote:
> >>>>>
> >>>>> Given that running clamscan on the email file outside of MailScanner
> >>>>> detects it
> >>>>> as a virus, I've already conclusively proven clamav has the signature
> >>>>> and it
> >>>>> works properly.
> >>>>>
> >>>>> One observation, though, the specific test messages I used detected as
> >>>>> 1221 not
> >>>>> 1222, but they're all related.
> >>>>>
> >>>>> ecardspam1.eml: Email.Phishing.RB-1221 FOUND
> >>>>> ecardspam2.eml: Email.Phishing.RB-1221 FOUND
> >>>>> ecardspam3.eml: Email.Phishing.RB-1221 FOUND
> >>>>>
> >>>>> However, if you insist:
> >>>>> # sigtool --list-sigs|grep Email.Phishing.RB-1222
> >>>>> Email.Phishing.RB-1222
> >>>>>
> >>>>> Yes, it's there. Yes, clamscan can use it, and clamscan properly
> >>>>> detects the
> >>>>> messages as viruses when executed manually. No, clamav via MailScanner
> >>>>> cannot
> >>>>> detect it.
> >>>>>
> >>>>>
> >>>> Could this perhaps have anything to do with how clam gets fed the
> >>>> message in MailScanner....? If I'm not completely senile (always a
> >>>> possibility:-), MS doesn't feed it the complete message, hence some
> >>>> newstyle sigs will never (be able to) trigger.
> >>>>
> >>>
> >>> That goes back to my original statement that I felt that the
> >>> difference had to
> >>> do with the fact that my MailScanner isn't up-to-date.
> >>>
> >>> I'm quite convinced that this is a MailScanner interfacing issue, as
> >>> it is quite
> >>> clear clamav is working properly outside MS.
> >>>
> >>> (Note: Personally I don't have a problem with this "issue", I was
> >>> merely joining
> >>> in and commenting on it hoping my observations could help others who
> >>> do have
> >>> problems with it.)
> >>>
> >>>
> >>>
> >>>
> >> I don't have that one tripping either. I figure it is due to the fact
> >> that I stop a lot at the MTA and delete high scoring spam so they
> >> never even reach clam.
> > I have now written support for passing entire messages to the ClamAV
> > scanners. There is a new setting called "Reliably Detect Spam With
> > ClamAV" which is "no" by default as it has a speed impact. It has no
> > effect when the ClamAV scanners are not being used.
> >
> > I'll release a new beta shortly.
>
> Jules
> "Reliably Detect Spam With ClamAV" is misleading.
>
> it's not really spam it's detecting, it could be anything.
>
> something like "ClamAV Raw Message Parsing" may be more appropriate tho
> that's not nice either.
>
> Alex
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>


-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
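
Added illustration, not part of the original post and not MailScanner or ClamAV code: why a signature written against the whole message can fire when the raw .eml is scanned yet never fire when the scanner only sees the extracted body parts, as discussed in the thread. The sample message, the toy two-fragment signature and all function names are constructed assumptions; real ClamAV signatures use a different format.

```python
import email
from email import policy

# Constructed sample message (documentation addresses only, not from the thread).
RAW_EML = (
    b"From: greetings@example.com\r\n"
    b"To: user@example.org\r\n"
    b"Subject: You've received a postcard from a family member!\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Click to view your card: http://192.0.2.10/?card=abc\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"\r\n"
    b'<a href="http://192.0.2.10/?card=abc">view card</a>\r\n'
    b"--b1--\r\n"
)

# Toy signature (assumption): every fragment must occur in the SAME scanned
# buffer. One fragment lives in the headers, the other in the body.
TOY_SIG = (b"Subject: You've received a postcard", b"http://192.0.2.10/")


def matches(buf, sig=TOY_SIG):
    """True if all signature fragments are present in this one buffer."""
    return all(frag in buf for frag in sig)


def extracted_parts(raw):
    """Decoded leaf MIME parts, i.e. what a scanner sees if it is only
    handed the unpacked body parts and attachments, without the headers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_payload(decode=True) for p in msg.walk() if not p.is_multipart()]


def scan_parts(raw):
    """Per-part scan: each extracted part is checked on its own."""
    return any(matches(part) for part in extracted_parts(raw))


def scan_full(raw):
    """Full-message scan: headers and all bodies are in one buffer."""
    return matches(raw)


if __name__ == "__main__":
    print("per-part scan hit:", scan_parts(RAW_EML))      # False
    print("full-message scan hit:", scan_full(RAW_EML))   # True
```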