AW: [FP] possible corrupt sanesecurity defs

Rose, Bobby brose at med.wayne.edu
Wed Feb 20 22:42:31 GMT 2008


I've tried to convert from hex to text and I'm not sure what this signature is for.

Bad signature is "52657475726e2d506174683a203c{-2}673e*46726f6d3a2022" 

52657475726e2d506174683a203c{-2}673e* = Return-Path: <g>
46726f6d3a2022 = From: "

Which makes sense why it was bad.

The corrected signature is "52657475726e2d506174683a203c{-2}673e*46726f6d3a2022{-50}22203c5f" 
52657475726e2d506174683a203c{-2}673e = Return-Path: <g>
46726f6d3a2022 = From: "
22203c5f = " <_

So I'm guessing it's for messages with no return path and a From address beginning with an underscore.  I searched my logs and sure enough there are a lot of those that look like spam email addresses.
 

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
Sent: Wednesday, February 20, 2008 5:18 PM
To: MailScanner discussion
Subject: Re: AW: [FP] possible corrupt sanesecurity defs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Even with that version of the file, it is still catching a *lot* of messages. So I'm not 100% convinced it is totally fixed.

Ehle, Roland wrote:
> Hi,
>
> the working version of scam.ndb is:
>
> -rw-r--r--  1 clamav clamav  1177245 Feb 20 21:45 scam.ndb
>
> Size has changed from 1177232
>
> Regards,
> Roland
>
>   
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Rose, Bobby
>> Sent: Wednesday, 20 February 2008 21:26
>> To: MailScanner discussion
>> Subject: FW: [FP] possible corrupt sanesecurity defs
>>
>>
>>
>> -----Original Message-----
>> From: Steve Basford [mailto:steveb_clamav at sanesecurity.com]
>> Sent: Wednesday, February 20, 2008 3:08 PM
>> To: Rose, Bobby
>> Subject: Re: [FP]
>>
>>
>>
>> Rose, Bobby wrote:
>>
>>         What is this looking for?  Email.Hdr.Sanesecurity.07021900  This 
>> def had "a lot" of false positives from all over the place.  Here 
>> are two header samples.
>>
>> Hi,
>>
>> I've just fixed this problem....when I checked the sig I noticed it 
>> had the end bit of the sig chopped off compared to the version the other day...
>> not exactly sure how it happened... and very annoyed with myself if 
>> it was finger trouble...but it's fixed and uploaded, so should be 
>> with the mirrors in about an hour.
>>
>> I can only apologise for the problems caused :(
>>
>> Cheers,
>>
>> Steve
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>     

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.0 (Build 2158)
Comment: Use Thunderbird Enigmail to verify this message
Charset: ISO-8859-1

wj8DBQFHvKcWEfZZRxQVtlQRAn6XAKCK/2RS0VdKfnmNgOUkxl7T3QaZXQCg2hFm
Ca+vrWY4SSChvnOjiFbN5aE=
=skDA
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
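
An added example, not part of the original thread and not Sanesecurity or ClamAV code: a small Python translator for the wildcard syntax in the two signature bodies quoted in Bobby Rose's message, run against two constructed header samples to show why the truncated body hits ordinary mail while the corrected one also needs the `" <_` tail. The names `sig_to_regex` and `hits` and both sample headers are assumptions made for illustration; the translator also accepts `??`, `{n}`, `{n-}` and `{n-m}`, which go beyond the forms shown in the thread.

```python
import re

# The two signature bodies quoted in the post above.
TRUNCATED = "52657475726e2d506174683a203c{-2}673e*46726f6d3a2022"
CORRECTED = TRUNCATED + "{-50}22203c5f"

_TOKEN = re.compile(r"([0-9a-fA-F]{2})|(\?\?)|(\*)|\{(\d*)(-?)(\d*)\}")

def sig_to_regex(sig):
    """Translate a ClamAV hex body signature into a compiled bytes regex.

    Covers hex bytes, ??, *, {n}, {-n}, {n-} and {n-m}. Nibble wildcards
    and (aa|bb) alternations are not handled and raise ValueError.
    """
    parts, pos = [], 0
    while pos < len(sig):
        m = _TOKEN.match(sig, pos)
        if not m:
            raise ValueError("unsupported token at offset %d" % pos)
        hexbyte, anybyte, star, lo, dash, hi = m.groups()
        if hexbyte:
            parts.append(re.escape(bytes.fromhex(hexbyte)))
        elif anybyte:
            parts.append(b".")                      # ?? = exactly one byte
        elif star:
            parts.append(b".*?")                    # *  = any number of bytes
        elif not dash:
            if not lo:
                raise ValueError("empty {} at offset %d" % pos)
            parts.append(b".{%s}" % lo.encode())    # {n} = exactly n bytes
        else:                                       # {-n}, {n-}, {n-m}
            parts.append(b".{%s,%s}" % ((lo or "0").encode(), hi.encode()))
        pos = m.end()
    return re.compile(b"".join(parts), re.DOTALL)

def hits(sig, data):
    """True if the signature body matches anywhere in data."""
    return sig_to_regex(sig).search(data) is not None

# Constructed samples (not taken from the thread): same Return-Path form,
# different From display-name/address shape.
ORDINARY = (b'Return-Path: <g>\r\nSubject: minutes\r\n'
            b'From: "Alice Example" <alice@example.org>\r\n')
UNDERSCORE = (b'Return-Path: <g>\r\n'
              b'From: "Constructed Sender" <_x1@example.net>\r\n')

if __name__ == "__main__":
    for name, sig in (("truncated", TRUNCATED), ("corrected", CORRECTED)):
        print(name, "ordinary:", hits(sig, ORDINARY),
              "underscore:", hits(sig, UNDERSCORE))
```
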
