AW: [FP] possible corrupt sanesecurity defs

Rose, Bobby brose at
Wed Feb 20 22:42:31 GMT 2008

I've tried to convert from hex to text and I'm not sure what this signature is for.

Bad signature is "52657475726e2d506174683a203c{-2}673e*46726f6d3a2022" 

52657475726e2d506174683a203c{-2}673e* = Return-Path: <g>
46726f6d3a2022 = From: "

Which makes sense why it was bad.

The corrected signature is "52657475726e2d506174683a203c{-2}673e*46726f6d3a2022{-50}22203c5f" 
52657475726e2d506174683a203c{-2}673e = Return-Path: <g>
46726f6d3a2022 = From: "
22203c5f = " <_

So I'm guessing it's for messages with no return path and have a From address begging with an underscore.  I searhed my logs and sure enough there are alot of those that look like spam email addresses.

-----Original Message-----
From: mailscanner-bounces at [mailto:mailscanner-bounces at] On Behalf Of Julian Field
Sent: Wednesday, February 20, 2008 5:18 PM
To: MailScanner discussion
Subject: Re: AW: [FP] possible corrupt sanesecurity defs

Hash: SHA1

Even with that version of the file, it is still catching a *lot* of messages. So I'm not 100% convinced it is totally fixed.

Ehle, Roland wrote:
> Hi,
> the working version of scam.ndb is:
> -rw-r--r--  1 clamav clamav  1177245 Feb 20 21:45 scam.ndb
> Sice has changed from 1177232
> Regards,
> Roland
>> -----Ursprüngliche Nachricht-----
>> Von: mailscanner-bounces at [mailto:mailscanner- 
>> bounces at] Im Auftrag von Rose, Bobby
>> Gesendet: Mittwoch, 20. Februar 2008 21:26
>> An: MailScanner discussion
>> Betreff: FW: [FP] possible corrupt sanesecurity defs
>> -----Original Message-----
>> From: Steve Basford [mailto:steveb_clamav at]
>> Sent: Wednesday, February 20, 2008 3:08 PM
>> To: Rose, Bobby
>> Subject: Re: [FP]
>> Rose, Bobby wrote:
>>         What is this look for?  Email.Hdr.Sanesecurity.07021900  This 
>> def had "alot" of false positives from all over the place.  Here's 
>> are two header samples.
>> Hi,
>> I've just fixed this problem....when I checked the sig I noticed it 
>> had the end bit of the sig chopped off compared to version the other day...
>> not exactly sure how it happened... and very annoyed with myself if 
>> it was finger trouble...but it's fixed and uploaded, so should be 
>> with the mirrors in about an hour.
>> I can only apologise for the problems caused :(
>> Cheers,
>> Steve
>> --
>> MailScanner mailing list
>> mailscanner at
>> Before posting, read
>> Support MailScanner development - buy the book off the website!


- --
Julian Field MEng CITP CEng
Buy the MailScanner book at

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key:

Version: PGP Desktop 9.8.0 (Build 2158)
Comment: Use Thunderbird Enigmail to verify this message
Charset: ISO-8859-1


This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

MailScanner mailing list
mailscanner at

Before posting, read

Support MailScanner development - buy the book off the website! 

More information about the MailScanner mailing list