{Disarmed} Sanesecurity not blocking messages
Julian Field
MailScanner at ecs.soton.ac.uk
Tue Jul 31 13:55:47 IST 2007
But did it actually claim to deliver it?
Douglas Ward wrote:
> We have a properly functioning MailScanner server that I have recently
> downloaded the sanesecurity definitions to. I am hoping that it will
> reject the message the same way it does if there is a virus
> detection. I have downloaded the update script and verified that the
> signature files are in the same location as the main clamav
> databases. I assume it is ok to have the following directory structure:
>
> [root at mailscanner MailScanner]# ls -lah /usr/local/share/clamav/
> total 4.4M
> drwxrwxr-x 4 clamav clamav 1.0K Jul 31 08:30 ./
> drwxr-xr-x 5 root root 1.0K Jul 3 17:09 ../
> drwxr-xr-x 2 clamav clamav 1.0K Jul 31 06:05 daily.inc/
> drwxr-xr-x 2 clamav clamav 1.0K Jul 20 13:07 main.inc/
> -rw------- 1 clamav clamav 1.4K Jul 31 08:30 mirrors.dat
> -rw-r--r-- 1 clamav clamav 514K Jul 31 07:50 MSRBL-Images.hdb
> -rw-r--r-- 1 clamav clamav 224K Jul 31 05:15 MSRBL-SPAM.ndb
> -rw-rw-r-- 1 clamav clamav 1.1M Jul 31 08:07 phish.ndb
> -rw-rw-r-- 1 clamav clamav 182K Jul 31 03:19 phish.ndb.gz
> -rw-rw-r-- 1 clamav clamav 1.1M Jul 31 08:07 phish.old
> -rw-rw-r-- 1 clamav clamav 596K Jul 31 08:07 scam.ndb
> -rw-rw-r-- 1 clamav clamav 120K Jul 31 03:20 scam.ndb.gz
> -rw-rw-r-- 1 clamav clamav 596K Jul 31 08:07 scam.old
>
>
> This is what I am seeing in the log:
>
> Jul 31 08:11:22 mailscanner MailScanner[12975]: Message
> C8DEF122D.8ACFF from 192.168.x.x (user at gmail.com
> <mailto:user at gmail.com>) to nccumc.org <http://nccumc.org> is not
> spam, SpamAssassin (not cached, score=-0.909, required 6, AWL -0.53,
> BAYES_00 -2.60 , HTML_MESSAGE 0.00, TVD_SPACE_RATIO 2.22)
> Jul 31 08:11:23 mailscanner MailScanner[12975]:
> /var/spool/MailScanner/incoming/12975/./C8DEF122D.8ACFF/phish_sigtest.txt:
> Html.Phishing.Sanesecurity.TestSig FOUND
> Jul 31 08:11:25 mailscanner MailScanner[12975]: Infected message
> C8DEF122D.8ACFF came from <http://192.168.10.25>
> Jul 31 08:11:25 mailscanner MailScanner[12975]: Filename Checks:
> Allowing C8DEF122D.8ACFF msg-12975-4.txt
> Jul 31 08:11:25 mailscanner MailScanner[12975]: Filename Checks:
> Allowing C8DEF122D.8ACFF phish_sigtest.txt
> Jul 31 08:11:25 mailscanner MailScanner[12975]: Filename Checks:
> Allowing C8DEF122D.8ACFF msg-12975-5.html (no rule matched)
> Jul 31 08:11:25 mailscanner MailScanner[12975]: Filetype Checks:
> Allowing C8DEF122D.8ACFF msg-12975-4.txt
> Jul 31 08:11:25 mailscanner MailScanner[12975]: Filetype Checks:
> Allowing C8DEF122D.8ACFF msg-12975-5.html
> Jul 31 08:11:25 mailscanner MailScanner[12975]: Filetype Checks:
> Allowing C8DEF122D.8ACFF phish_sigtest.txt
> Jul 31 08:11:25 mailscanner MailScanner[12975]: Logging message
> C8DEF122D.8ACFF to SQL
> Jul 31 08:11:25 mailscanner MailScanner[12900]: C8DEF122D.8ACFF:
> Logged to MailWatch SQL
>
> MailScanner dutifully sends the message on. It is flagged as a
> phishing scam but no action is taken. Is there something I need to
> change in MailScanner? It would appear that sanesecurity is doing its
> job but the message still slips through. My apologies if this is not
> MailScanner related. I searched google, the clamav site, the
> sansecurity site and the MailScanner list archives extensively before
> writing. I appreciate any help you could offer. Thank you.
Jules
--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk
More information about the MailScanner
mailing list