Sanesecurity not blocking messages

Douglas Ward binaryflow at gmail.com
Tue Jul 31 13:43:32 IST 2007


We have a properly functioning MailScanner server that I have recently
downloaded the sanesecurity definitions to.  I am hoping that it will reject
the message the same way it does if there is a virus detection.  I have
downloaded the update script and verified that the signature files are in
the same location as the main clamav databases.  I assume it is ok to have
the following directory structure:

[root@mailscanner MailScanner]# ls -lah /usr/local/share/clamav/
total 4.4M
drwxrwxr-x 4 clamav clamav 1.0K Jul 31 08:30 ./
drwxr-xr-x 5 root   root   1.0K Jul  3 17:09 ../
drwxr-xr-x 2 clamav clamav 1.0K Jul 31 06:05 daily.inc/
drwxr-xr-x 2 clamav clamav 1.0K Jul 20 13:07 main.inc/
-rw------- 1 clamav clamav 1.4K Jul 31 08:30 mirrors.dat
-rw-r--r-- 1 clamav clamav 514K Jul 31 07:50 MSRBL-Images.hdb
-rw-r--r-- 1 clamav clamav 224K Jul 31 05:15 MSRBL-SPAM.ndb
-rw-rw-r-- 1 clamav clamav 1.1M Jul 31 08:07 phish.ndb
-rw-rw-r-- 1 clamav clamav 182K Jul 31 03:19 phish.ndb.gz
-rw-rw-r-- 1 clamav clamav 1.1M Jul 31 08:07 phish.old
-rw-rw-r-- 1 clamav clamav 596K Jul 31 08:07 scam.ndb
-rw-rw-r-- 1 clamav clamav 120K Jul 31 03:20 scam.ndb.gz
-rw-rw-r-- 1 clamav clamav 596K Jul 31 08:07 scam.old


This is what I am seeing in the log:

Jul 31 08:11:22 mailscanner MailScanner[12975]: Message C8DEF122D.8ACFF from
192.168.x.x (user at gmail.com) to nccumc.org is not spam, SpamAssassin (not
cached, score=-0.909, required 6, AWL -0.53, BAYES_00 -2.60, HTML_MESSAGE
0.00, TVD_SPACE_RATIO 2.22)
Jul 31 08:11:23 mailscanner MailScanner[12975]:
/var/spool/MailScanner/incoming/12975/./C8DEF122D.8ACFF/phish_sigtest.txt:
Html.Phishing.Sanesecurity.TestSig FOUND
Jul 31 08:11:25 mailscanner MailScanner[12975]: Infected message
C8DEF122D.8ACFF came from 192.168.10.25
Jul 31 08:11:25 mailscanner MailScanner[12975]: Filename Checks: Allowing
C8DEF122D.8ACFF msg-12975-4.txt
Jul 31 08:11:25 mailscanner MailScanner[12975]: Filename Checks: Allowing
C8DEF122D.8ACFF phish_sigtest.txt
Jul 31 08:11:25 mailscanner MailScanner[12975]: Filename Checks: Allowing
C8DEF122D.8ACFF msg-12975-5.html (no rule matched)
Jul 31 08:11:25 mailscanner MailScanner[12975]: Filetype Checks: Allowing
C8DEF122D.8ACFF msg-12975-4.txt
Jul 31 08:11:25 mailscanner MailScanner[12975]: Filetype Checks: Allowing
C8DEF122D.8ACFF msg-12975-5.html
Jul 31 08:11:25 mailscanner MailScanner[12975]: Filetype Checks: Allowing
C8DEF122D.8ACFF phish_sigtest.txt
Jul 31 08:11:25 mailscanner MailScanner[12975]: Logging message
C8DEF122D.8ACFF to SQL
Jul 31 08:11:25 mailscanner MailScanner[12900]: C8DEF122D.8ACFF: Logged to
MailWatch SQL

MailScanner dutifully sends the message on.  It is flagged as a phishing
scam but no action is taken.  Is there something I need to change in
MailScanner?  It would appear that sanesecurity is doing its job but the
message still slips through.  My apologies if this is not MailScanner
related.  I searched Google, the clamav site, the sanesecurity site and the
MailScanner list archives extensively before writing.  I appreciate any help
you could offer.  Thank you.