Clamav suggestions

Julian Field MailScanner at ecs.soton.ac.uk
Wed May 9 20:26:48 IST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Fabio Pedretti wrote:
>> 2) I noticed (as well as others:
>> http://lists.mailscanner.info/pipermail/mailscanner/2007-April/072504.html 
>>
>> ) that some phishing mails are not blocked (I am also using
>> the signatures of sanesecurity). If I do a clamscan on the full
>> original mail with headers, clamscan finds the virus (I can provide a
>> sample if needed). Seems the problem is that MailScanner extracts the
>> content of the mail (body + attachment) and scans it, but some
>> phishing mails are only detected if the full headers are present (in
>> the clamav DB in the extended signature format, option 4 is for mail
>> files, look at signatures.pdf in clamav source, and are detected only
>> if full mail with headers is scanned).
>> MailScanner should be modified so that all of the original mail (with
>> headers and without extracting attachments) is passed to
>> clamscan/clamd, so all viruses can be caught.
>
> To try the problem send a mail with the following text:
> 2.83:9999/webscrr/ind
> on a MailScanner with clamav mail server.
> The mail does not get filtered.
>
> However if you do a clamscan on the received mail, you get:
> test.eml: Email.Phishing.Pay-20 FOUND
>
If you scan a text file containing the magic string above, clamscan 
doesn't find anything wrong. It *only* spots it if the file has email 
headers in it as well. This is a bit disappointing on the part of 
ClamAV. But it is a very effective defence against false alarms. 
MailScanner extracts all the parts of the message and scans them as 
files. As a result this phishing detector in ClamAV won't be triggered.

I can't see any effective good solution to this one. It does not appear 
to affect anything except this phishing trap (and possibly a few other 
phishing traps), so I'm not overly concerned about it. There has been no 
evidence whatsoever that anything more important is let through, and 
MailScanner has its own phishing detectors which should be triggered anyway.

Jules

- -- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk



-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.1 (Build 1012)
Charset: ISO-8859-1

wj8DBQFGQiCsEfZZRxQVtlQRAsrCAKDG/2Nv4D6sRQ7b3KmSaoYv+nNZWgCg/iLX
/ZYGBSqmtwJsb8DM2wzwgzA=
=rvWL
-----END PGP SIGNATURE-----
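The thread above turns on one behavioural difference: a ClamAV signature written for the mail target type only matches when the scanner sees the whole RFC822 message, headers included, while a gateway that unpacks the message and scans the decoded parts never presents those headers. The script below is an added example written for this page, not MailScanner's or ClamAV's own code. It builds a constructed sample message, mimics the part extraction a gateway does, and, if a `clamscan` binary is on the PATH (an assumption), scans both the full `.eml` and the extracted parts so an administrator can compare verdicts for their own signature set. The output parser reads the per-file `path: SIG FOUND` / `path: OK` lines that clamscan prints, as in the `test.eml: Email.Phishing.Pay-20 FOUND` line quoted in the thread.

```python
"""Compare scanning a full mail file against scanning its extracted parts.

Added example for the MailScanner/ClamAV discussion; the sample message is
constructed and the clamscan binary is assumed to be available on PATH.
"""
from __future__ import annotations

import email
import email.policy
import subprocess
import tempfile
from pathlib import Path

# Constructed sample message (not taken from the list post). The body text
# stands in for whatever a header-dependent mail-type signature keys on.
SAMPLE_RAW = b"""From: sender@example.invalid
To: user@example.invalid
Subject: account notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset=us-ascii

Please review your account: http://placeholder.invalid/verify
--XYZ
Content-Type: text/plain; name="note.txt"
Content-Disposition: attachment; filename="note.txt"

attachment text
--XYZ--
"""


def extract_parts(raw: bytes) -> list[tuple[str, bytes]]:
    """Mimic gateway extraction: return (name, decoded payload) for every leaf
    MIME part. Neither the top-level headers nor the part headers survive,
    which is exactly what a mail-type signature would need to see."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    parts: list[tuple[str, bytes]] = []
    for i, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        name = part.get_filename() or f"part{i}.txt"
        parts.append((name, part.get_payload(decode=True)))
    return parts


def parse_clamscan_output(text: str) -> dict[str, str | None]:
    """Map each scanned path to its signature name, or None when clean.

    Only the per-file 'path: SIG FOUND' and 'path: OK' lines are read; the
    summary block (if present) is ignored."""
    results: dict[str, str | None] = {}
    for line in text.splitlines():
        if ": " not in line or line.startswith("-"):
            continue
        path, _, verdict = line.rpartition(": ")
        if verdict == "OK":
            results[path] = None
        elif verdict.endswith(" FOUND"):
            results[path] = verdict[: -len(" FOUND")]
    return results


def scan_both(raw: bytes, clamscan: str = "clamscan") -> dict[str, dict[str, str | None]]:
    """Run clamscan over the full message and over a directory of extracted
    parts, returning both result sets so the two strategies can be compared.
    Assumes a working clamscan binary with a loaded signature database."""
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        full = tmp / "full.eml"
        full.write_bytes(raw)
        parts_dir = tmp / "parts"
        parts_dir.mkdir()
        for name, payload in extract_parts(raw):
            # Path(name).name drops any directory components from a filename
            # supplied by the message itself.
            (parts_dir / Path(name).name).write_bytes(payload)
        out: dict[str, dict[str, str | None]] = {}
        for label, target in (("full", full), ("parts", parts_dir)):
            proc = subprocess.run(
                [clamscan, "--no-summary", "-r", str(target)],
                capture_output=True, text=True,
            )
            out[label] = parse_clamscan_output(proc.stdout)
        return out


if __name__ == "__main__":
    for label, verdicts in scan_both(SAMPLE_RAW).items():
        print(label, verdicts)
```

Running the script on a host with ClamAV installed prints one result set for the full message and one for the extracted parts; a signature that appears only under `full` is one the gateway's extraction path cannot trigger, which is the gap the thread describes. Any such finding is a reason to keep a second layer of phishing detection in front of or beside the gateway scan rather than relying on the extracted-part scan alone.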
