Clamav suggestions

Fabio Pedretti pedretti at eco.unibs.it
Wed May 9 09:55:22 IST 2007


> 2) I noticed (as well as others:
> http://lists.mailscanner.info/pipermail/mailscanner/2007-April/072504.html
> ) that some phishing mails are not blocked (I am also using
> the signatures of sanesecurity). If I do a clamscan on the full
> original mail with headers, clamscan finds the virus (I can provide a
> sample if needed). Seems the problem is that MailScanner extracts the
> content of the mail (body + attachment) and scans it, but some
> phishing mails are only detected if the full headers are present (in
> the clamav DB in the extended signature format, option 4 is for mail
> files, look at signatures.pdf in clamav source, and are detected only
> if full mail with headers is scanned).
> MailScanner should be modified so that all the original mail (with
> headers and without extracting attachment) should be passed to
> clamscan/clamd, so all viruses can be caught.

To try the problem, send a mail with the following text:
2.83:9999/webscrr/ind
on a MailScanner with clamav mail server.
The mail does not get filtered.

However, if you do a clamscan on the received mail, you get:
test.eml: Email.Phishing.Pay-20 FOUND
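
The following is an added example, not part of the original post and not code from ClamAV or MailScanner: a simplified Python model of the behaviour the message describes, where an extended signature with target type 4 (mail file) matches the full message but not the extracted body. The file-typing heuristic, the signature names and the sample message are constructed assumptions.

```python
import re

# ClamAV extended signature (.ndb) layout: Name:TargetType:Offset:HexSignature
TARGET_ANY, TARGET_MAIL = 0, 4  # target type numbers as listed in signatures.pdf

# Assumption: a file counts as "mail" when its first line is a common header.
# ClamAV's real file typing is more involved; this is a stand-in.
HEADER_RE = re.compile(rb"(Received|Return-Path|From|To|Subject|Date):", re.I)

def looks_like_mail(data: bytes) -> bool:
    first_line = data.lstrip().split(b"\n", 1)[0]
    return HEADER_RE.match(first_line) is not None

def parse_ndb(line: str):
    """Parse one extended signature with a plain hex body (no wildcards)."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return name, int(target), offset, bytes.fromhex(hexsig)

def scan(data: bytes, signatures) -> list:
    """Return names of signatures that match, honouring the target type."""
    is_mail = looks_like_mail(data)
    hits = []
    for name, target, _offset, pattern in signatures:
        if target == TARGET_MAIL and not is_mail:
            continue  # mail-only signature is skipped for non-mail input
        if target in (TARGET_ANY, TARGET_MAIL) and pattern in data:
            hits.append(name)
    return hits

# Constructed sample data (not a real signature, not the message from the post).
MARKER = b"example.invalid/login"
MAIL_SIG = parse_ndb("Constructed.Phish.MailOnly:4:*:" + MARKER.hex())
ANY_SIG = parse_ndb("Constructed.Phish.AnyFile:0:*:" + MARKER.hex())

BODY_ONLY = b"Please verify your account at http://" + MARKER + b"\n"
FULL_MAIL = (b"From: sender@example.invalid\n"
             b"Subject: account notice\n\n") + BODY_ONLY

if __name__ == "__main__":
    for label, data in (("full mail", FULL_MAIL), ("extracted body", BODY_ONLY)):
        print(label, scan(data, [MAIL_SIG, ANY_SIG]))
```

The same byte pattern is present in both inputs; only the target type gate decides whether the mail-only signature is evaluated.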


