Clamav suggestions

Fabio Pedretti pedretti at eco.unibs.it
Thu May 10 08:35:15 IST 2007


Citando Julian Field <MailScanner at ecs.soton.ac.uk>:
>
> Fabio Pedretti wrote:
>>> 2) I noticed (as well as others:
>>> http://lists.mailscanner.info/pipermail/mailscanner/2007-April/072504.html
>>> ) that some phishing mails are not blocked (I am also using
>>> the signatures of sanesecurity). If I do a clamscan on the full
>>> original mail with headers, clamscan finds the virus (I can provide a
>>> sample if needed). It seems the problem is that MailScanner extracts the
>>> content of the mail (body + attachments) and scans it, but some
>>> phishing mails are only detected if the full headers are present (in
>>> the clamav DB in the extended signature format, option 4 is for mail
>>> files, look at signatures.pdf in the clamav source, and they are detected only
>>> if the full mail with headers is scanned).
>>> MailScanner should be modified so that the whole original mail (with
>>> headers and without extracting attachments) is passed to
>>> clamscan/clamd, so all viruses can be caught.
>>
>> To try the problem send a mail with the following text:
>> 2.83:9999/webscrr/ind
>> on a MailScanner with clamav mail server.
>> The mail does not get filtered.
>>
>> However if you do a clamscan on the received mail, you get:
>> test.eml: Email.Phishing.Pay-20 FOUND
>>
> If you scan a text file containing the magic string above, clamscan
> doesn't find anything wrong. It *only* spots it if the file has email
> headers in it as well. This is a bit disappointing on the part of
> ClamAV. But it is a very effective defence against false alarms.
> MailScanner extracts all the parts of the message and scans them as
> files. As a result this phishing detector in ClamAV won't be triggered.
>
> I can't see any effective good solution to this one. It does not appear
> to affect anything except this phishing trap (and possibly a few other
> phishing traps), so I'm not overly concerned about it. There has been no
> evidence whatsoever that anything more important is let through, and
> MailScanner has its own phishing detectors which should be triggered anyway.

Why not change MailScanner to pass the full mail with headers to clamav?
The latest clamav does a good job of scanning mail, and also has
decoders for zip/rar2-3 etc. for decoding compressed attachments.
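As an added illustration of the behaviour discussed in this thread (example code, not MailScanner's or ClamAV's own), the script below takes a constructed test message carrying the string quoted above, writes it out twice the way the two scanning paths see it (the full .eml with headers, and the extracted per-part bodies as MailScanner hands them to the scanner), and generates a custom ClamAV extended-format (.ndb) signature with target type 4 (mail file), the `Name:TargetType:Offset:HexPattern` layout described in signatures.pdf. The signature name, the file names and the `looks_like_mail` stand-in for ClamAV's file-type detection are assumptions made for the example; ClamAV's real detection is more involved. If `clamscan` is installed the script also runs it against the generated database so you can compare the real verdicts with the emulated ones.

```python
"""Why a ClamAV mail-target (type 4) signature fires on a full .eml but not on
the extracted body.  Added example for this thread; names are hypothetical."""
import email
import os
import re
import shutil
import subprocess
import tempfile
from email import policy

# Test string quoted in the thread; the message around it is constructed.
PATTERN = b"2.83:9999/webscrr/ind"
SAMPLE_EML = (
    b"From: sender@example.com\r\n"
    b"To: user@example.net\r\n"
    b"Subject: account notice\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Please confirm at " + PATTERN + b"\r\n"
)
SIG_NAME = "Example.Phishing.Test"   # hypothetical signature name
MAIL_TARGET = 4                      # .ndb target type 4 = mail file

# RFC 5322 field-name: printable ASCII except ':' and space, then a colon.
_HEADER_RE = re.compile(rb"^[\x21-\x39\x3b-\x7e]+:")


def write_ndb_signature(path, name, target_type, pattern):
    """Write one extended-format signature: Name:TargetType:Offset:Hex."""
    line = "%s:%d:*:%s" % (name, target_type, pattern.hex())
    with open(path, "w") as fh:
        fh.write(line + "\n")
    return line


def split_like_mailscanner(raw, outdir):
    """Write full.eml (headers intact) plus one file per decoded MIME part,
    which is what MailScanner passes to the scanner.  Returns label -> path."""
    paths = {}
    full = os.path.join(outdir, "full.eml")
    with open(full, "wb") as fh:
        fh.write(raw)
    paths["full.eml"] = full
    msg = email.message_from_bytes(raw, policy=policy.default)
    for i, part in enumerate(p for p in msg.walk() if not p.is_multipart()):
        p = os.path.join(outdir, "part%d.bin" % i)
        with open(p, "wb") as fh:
            fh.write(part.get_payload(decode=True) or b"")
        paths[os.path.basename(p)] = p
    return paths


def looks_like_mail(data):
    """Crude stand-in for ClamAV's type detection for target 4: a block of
    well-formed header lines terminated by a blank line."""
    head, sep, _ = data.partition(b"\r\n\r\n")
    if not sep:
        head, sep, _ = data.partition(b"\n\n")
    if not sep:
        return False
    lines = head.splitlines()
    return bool(lines) and all(
        _HEADER_RE.match(l) or l[:1] in (b" ", b"\t") for l in lines)


def emulated_scan(paths, name, target_type, pattern):
    """Emulate the signature: the pattern must be present, and for target
    type 4 the file must also be recognised as a mail file."""
    results = {}
    for label, path in paths.items():
        with open(path, "rb") as fh:
            data = fh.read()
        hit = pattern in data and (target_type != MAIL_TARGET or looks_like_mail(data))
        results[label] = "%s FOUND" % name if hit else "OK"
    return results


def clamscan(paths, dbfile):
    """Run the real clamscan with the custom database, if it is installed."""
    if shutil.which("clamscan") is None:
        return None
    cmd = ["clamscan", "--no-summary", "-d", dbfile] + list(paths.values())
    proc = subprocess.run(cmd, capture_output=True, text=True)
    verdicts = {}
    for line in proc.stdout.splitlines():
        path, sep, verdict = line.rpartition(": ")
        if sep:
            verdicts[os.path.basename(path)] = verdict
    return verdicts


def demonstrate(raw=SAMPLE_EML, pattern=PATTERN):
    """Return (emulated verdicts, real clamscan verdicts or None)."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = split_like_mailscanner(raw, tmp)
        db = os.path.join(tmp, "custom.ndb")
        write_ndb_signature(db, SIG_NAME, MAIL_TARGET, pattern)
        return emulated_scan(paths, SIG_NAME, MAIL_TARGET, pattern), clamscan(paths, db)


if __name__ == "__main__":
    emulated, real = demonstrate()
    for label, verdict in emulated.items():
        print("emulated  %-10s %s" % (label, verdict))
    for label, verdict in (real or {}).items():
        print("clamscan  %-10s %s" % (label, verdict))
```

The emulated run reports `full.eml` as FOUND and `part0.bin` as OK: the body file still contains the string, but a target-type-4 signature is only evaluated against data ClamAV classifies as mail, so the per-part scan cannot trigger it. The same split lets a defender verify which of their signatures depend on headers before deciding whether the whole message should also be passed to clamd.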


