Sanesecurity Signatures and MailScanner

Steve Basford steveb_clamav at sanesecurity.com
Fri Jan 23 09:25:18 GMT 2009


Just a forward from the sanesecurity mailing list... on hopefully
how to get header test #2 working.

Any result feedback would be great :)

Cheers,

Steve
Sanesecurity


---- Forward ----
Hi All,

After much head scratching.. and the help of those who pasted the
headers... I can reproduce the failed test #2 :)

http://sanesecurity.co.uk/usage.htm (Scroll down page)

And it means that the detection rates on some people's systems may not be as
good as they should have been.

As some people guessed it's all down to the header formation and a file
called .ftm.   ClamAV has a file distributed which helps the engine decide
what type of file the email and/or attachments are.

You can see the file, by doing this:

sigtool --unpack-current=daily

If you look for daily.ftm and look for this line:

0:0:52656365697665643a20:Raw mail:CL_TYPE_ANY:CL_TYPE_MAIL

It means that if ClamAV sees "Received:" as THE FIRST LINE then it sets
the scanning type to "Mail" (type 4 signatures)

The problem seems to be that in the undetected examples, the FIRST LINE
isn't "Received:" but "X-Received-From-Address:".

ClamAV doesn't have this type in its database, so it takes a "guess" :)

As a work-around... could people who had problems with detecting TEST #2, do
the following:

Copy the following lines into a file called sanesecurity.ftm and copy the
file, into the same data area as the rest of the signatures:

------ line to copy -------
0:0:582d52656365697665642d46726f6d2d416464726573733a:MailScanner:CL_TYPE_ANY:CL_TYPE_MAIL
0:0:582d456e76656c6f70652d546f3a:MailScanner2:CL_TYPE_ANY:CL_TYPE_MAIL
0:0:582d5370616d2d436865636b65722d56657273696f6e3a:MailScanner3:CL_TYPE_ANY:CL_TYPE_MAIL
------ line to copy -------

If this works, let me know.  If it doesn't work.. please post the FIRST
LINE of the email that you receive undetected.

If we can get a list of headers, I'll then pass them onto ClamAV team.

Cheers and thanks for everyone's help on this one... it's been a big puzzle.


Steve
Sanesecurity
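To make the .ftm mechanism described above concrete, here is an added Python example (not code from the post, Sanesecurity or ClamAV) that parses the quoted .ftm lines and applies them to a constructed message the way the engine's type detection does. It assumes the field order MagicType:Offset:HexSignature:Name:RequiredType:DetectedType from the ClamAV signature documentation and models only fixed-offset (type 0) entries.

```python
import binascii

# Entry from ClamAV's daily.ftm quoted in the post (matches "Received: " at offset 0).
DAILY_FTM = "0:0:52656365697665643a20:Raw mail:CL_TYPE_ANY:CL_TYPE_MAIL\n"

# The three work-around lines from the post (sanesecurity.ftm).
SANESECURITY_FTM = (
    "0:0:582d52656365697665642d46726f6d2d416464726573733a:MailScanner:CL_TYPE_ANY:CL_TYPE_MAIL\n"
    "0:0:582d456e76656c6f70652d546f3a:MailScanner2:CL_TYPE_ANY:CL_TYPE_MAIL\n"
    "0:0:582d5370616d2d436865636b65722d56657273696f6e3a:MailScanner3:CL_TYPE_ANY:CL_TYPE_MAIL\n"
)

def decode_magic(hexsig):
    """Turn the hex signature field back into the header text it matches."""
    return binascii.unhexlify(hexsig).decode("ascii")

def parse_ftm(text):
    """Parse MagicType:Offset:HexSig:Name:RequiredType:DetectedType lines.
    Only MagicType 0 (fixed-offset byte match) is modelled here (assumption)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        magic_type, offset, hexsig, name, _required, detected = line.split(":")[:6]
        if magic_type != "0":
            continue
        entries.append((int(offset), binascii.unhexlify(hexsig), name, detected))
    return entries

def detect_type(message, entries):
    """Return (detected_type, entry_name) for the first entry whose magic bytes
    appear at its offset. CL_TYPE_ANY means nothing matched: the "guess" case."""
    for offset, magic, name, detected in entries:
        if message[offset:offset + len(magic)] == magic:
            return detected, name
    return "CL_TYPE_ANY", None

# Constructed sample: a MailScanner-processed message whose first header is
# X-Received-From-Address: rather than Received: (the undetected case).
MAILSCANNER_MSG = (b"X-Received-From-Address: 192.0.2.25\r\n"
                   b"Received: from mx.example.net\r\n"
                   b"Subject: test\r\n\r\nbody\r\n")

if __name__ == "__main__":
    for _off, magic, name, _det in parse_ftm(DAILY_FTM + SANESECURITY_FTM):
        print(name, "->", repr(magic.decode("ascii")))
    print("daily only:", detect_type(MAILSCANNER_MSG, parse_ftm(DAILY_FTM)))
    print("with work-around:",
          detect_type(MAILSCANNER_MSG, parse_ftm(DAILY_FTM + SANESECURITY_FTM)))
```

With only the daily.ftm entry the sample message gets no type (CL_TYPE_ANY); once the sanesecurity.ftm lines are loaded it is classified CL_TYPE_MAIL via the "MailScanner" entry.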



