{Disarmed} Sanesecurity not blocking messages
Douglas Ward
dward at nccumc.org
Tue Jul 31 14:04:11 IST 2007
It did deliver it. The message listed below was something I sent to me from
me as a test message.
On 7/31/07, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
>
> But did it actually claim to deliver it?
>
> Douglas Ward wrote:
> > We have a properly functioning MailScanner server that I have recently
> > downloaded the sanesecurity definitions to. I am hoping that it will
> > reject the message the same way it does if there is a virus
> > detection. I have downloaded the update script and verified that the
> > signature files are in the same location as the main clamav
> > databases. I assume it is ok to have the following directory structure:
> >
> > [root at mailscanner MailScanner]# ls -lah /usr/local/share/clamav/
> > total 4.4M
> > drwxrwxr-x 4 clamav clamav 1.0K Jul 31 08:30 ./
> > drwxr-xr-x 5 root root 1.0K Jul 3 17:09 ../
> > drwxr-xr-x 2 clamav clamav 1.0K Jul 31 06:05 daily.inc/
> > drwxr-xr-x 2 clamav clamav 1.0K Jul 20 13:07 main.inc/
> > -rw------- 1 clamav clamav 1.4K Jul 31 08:30 mirrors.dat
> > -rw-r--r-- 1 clamav clamav 514K Jul 31 07:50 MSRBL-Images.hdb
> > -rw-r--r-- 1 clamav clamav 224K Jul 31 05:15 MSRBL-SPAM.ndb
> > -rw-rw-r-- 1 clamav clamav 1.1M Jul 31 08:07 phish.ndb
> > -rw-rw-r-- 1 clamav clamav 182K Jul 31 03:19 phish.ndb.gz
> > -rw-rw-r-- 1 clamav clamav 1.1M Jul 31 08:07 phish.old
> > -rw-rw-r-- 1 clamav clamav 596K Jul 31 08:07 scam.ndb
> > -rw-rw-r-- 1 clamav clamav 120K Jul 31 03:20 scam.ndb.gz
> > -rw-rw-r-- 1 clamav clamav 596K Jul 31 08:07 scam.old
> >
> >
> > This is what I am seeing in the log:
> >
> > Jul 31 08:11:22 mailscanner MailScanner[12975]: Message
> > C8DEF122D.8ACFF from 192.168.x.x (user at gmail.com) to nccumc.org is not
> > spam, SpamAssassin (not cached, score=-0.909, required 6, AWL -0.53,
> > BAYES_00 -2.60 , HTML_MESSAGE 0.00, TVD_SPACE_RATIO 2.22)
> > Jul 31 08:11:23 mailscanner MailScanner[12975]:
> > /var/spool/MailScanner/incoming/12975/./C8DEF122D.8ACFF/phish_sigtest.txt:
> > Html.Phishing.Sanesecurity.TestSig FOUND
> > Jul 31 08:11:25 mailscanner MailScanner[12975]: Infected message
> > C8DEF122D.8ACFF came from 192.168.10.25
> > Jul 31 08:11:25 mailscanner MailScanner[12975]: Filename Checks:
> > Allowing C8DEF122D.8ACFF msg-12975-4.txt
> > Jul 31 08:11:25 mailscanner MailScanner[12975]: Filename Checks:
> > Allowing C8DEF122D.8ACFF phish_sigtest.txt
> > Jul 31 08:11:25 mailscanner MailScanner[12975]: Filename Checks:
> > Allowing C8DEF122D.8ACFF msg-12975-5.html (no rule matched)
> > Jul 31 08:11:25 mailscanner MailScanner[12975]: Filetype Checks:
> > Allowing C8DEF122D.8ACFF msg-12975-4.txt
> > Jul 31 08:11:25 mailscanner MailScanner[12975]: Filetype Checks:
> > Allowing C8DEF122D.8ACFF msg-12975-5.html
> > Jul 31 08:11:25 mailscanner MailScanner[12975]: Filetype Checks:
> > Allowing C8DEF122D.8ACFF phish_sigtest.txt
> > Jul 31 08:11:25 mailscanner MailScanner[12975]: Logging message
> > C8DEF122D.8ACFF to SQL
> > Jul 31 08:11:25 mailscanner MailScanner[12900]: C8DEF122D.8ACFF:
> > Logged to MailWatch SQL
> >
> > MailScanner dutifully sends the message on. It is flagged as a
> > phishing scam but no action is taken. Is there something I need to
> > change in MailScanner? It would appear that sanesecurity is doing its
> > job but the message still slips through. My apologies if this is not
> > MailScanner related. I searched google, the clamav site, the
> > sanesecurity site and the MailScanner list archives extensively before
> > writing. I appreciate any help you could offer. Thank you.
>
> Jules
>
> --
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>