Sanesecurity Signatures and MailScanner

Julian Field MailScanner at ecs.soton.ac.uk
Fri Jan 23 21:27:13 GMT 2009


Steve,

Just to confirm before I spend time digging into MailScanner: this is 
not a MailScanner problem at all, correct?

Cheers,
Jules.

On 23/1/09 09:25, Steve Basford wrote:
> Just a forward from the sanesecurity mailing list... on hopefully
> how to get header test #2 working.
>
> Any result feedback would be great :)
>
> Cheers,
>
> Steve
> Sanesecurity
>
>
> ---- Forward ----
> Hi All,
>
> After much head scratching.. and the help of those who pasted the
> headers... I can reproduce the failed test #2 :)
>
> http://sanesecurity.co.uk/usage.htm (Scroll down page)
>
> And it means that the detection rates on some people's systems may not be as
> good as they should have been.
>
> As some people guessed, it's all down to the header formation and a file
> called .ftm.   ClamAV distributes a file which helps the engine decide
> what type of file the email and/or attachments are.
>
> You can see the file, by doing this:
>
> sigtool --unpack-current=daily
>
> If you look for daily.ftm and look for this line:
>
> 0:0:52656365697665643a20:Raw mail:CL_TYPE_ANY:CL_TYPE_MAIL
>
> It means that if ClamAV sees "Received:" as THE FIRST LINE then it sets
> the scanning type to "Mail" (type 4 signatures)
>
> The problem seems to be that in the undetected examples, the FIRST LINE
> isn't "Received:" but "X-Received-From-Address:".
>
> ClamAV doesn't have this type in its database, so it takes a "guess" :)
>
> As a work-around... could people who had problems with detecting TEST #2, do
> the following:
>
> Copy the following lines into a file called sanesecurity.ftm and copy the
> file, into the same data area as the rest of the signatures:
>
> ------ line to copy -------
> 0:0:582d52656365697665642d46726f6d2d416464726573733a:MailScanner:CL_TYPE_ANY:CL_TYPE_MAIL
> 0:0:582d456e76656c6f70652d546f3a:MailScanner2:CL_TYPE_ANY:CL_TYPE_MAIL
> 0:0:582d5370616d2d436865636b65722d56657273696f6e3a:MailScanner3:CL_TYPE_ANY:CL_TYPE_MAIL
> ------ line to copy -------
>
> If this works, let me know.  If it doesn't work.. please post the FIRST
> LINE of the email that you receive undetected.
>
> If we can get a list of headers, I'll then pass them onto ClamAV team.
>
> Cheers and thanks for everyone's help on this one... it's been a big puzzle.
>
>
> Steve
> Sanesecurity
>
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
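As an added example (not part of this thread, and not ClamAV's or MailScanner's own code), here is a small Python model of what a magic-type-0 `.ftm` entry does. The field layout (MagicType:Offset:HexSignature:Name:RequiredType:DetectedType) follows the ClamAV signature documentation; the two sample messages are constructed; and the matching is a deliberate simplification of ClamAV's real type detection (only magic type 0, entries tried in file order with first match winning, no fallback "guess"), so treat those as assumptions rather than engine behaviour. The block decodes the hex so you can see why the stock daily.ftm line only fires on "Received: " (with the trailing space), applies the posted work-around lines to a message whose first header is X-Received-From-Address:, and goes one step beyond the thread by generating a new line from any reported first header.

```python
"""Model of how ClamAV applies magic-type-0 entries from a .ftm file.

Field layout (from the ClamAV signature documentation):
    MagicType:Offset:HexSignature:Name:RequiredType:DetectedType[:MinFL[:MaxFL]]
MagicType 0 = the HexSignature bytes must appear verbatim at Offset.

Simplifications (assumptions, not ClamAV behaviour): only magic type 0 is
handled, entries are tried in file order and the first match wins, and a
message that matches nothing is reported as None rather than "guessed".
"""
from dataclasses import dataclass
from typing import List, Optional

# The stock entry quoted from daily.ftm in the thread above.
DAILY_FTM = "0:0:52656365697665643a20:Raw mail:CL_TYPE_ANY:CL_TYPE_MAIL\n"

# The three work-around lines posted for sanesecurity.ftm.
SANESECURITY_FTM = """\
0:0:582d52656365697665642d46726f6d2d416464726573733a:MailScanner:CL_TYPE_ANY:CL_TYPE_MAIL
0:0:582d456e76656c6f70652d546f3a:MailScanner2:CL_TYPE_ANY:CL_TYPE_MAIL
0:0:582d5370616d2d436865636b65722d56657273696f6e3a:MailScanner3:CL_TYPE_ANY:CL_TYPE_MAIL
"""

# Constructed sample messages (not real mail): one begins with the header
# daily.ftm knows about, one with the header the thread reports as undetected.
MSG_RECEIVED = (b"Received: from mx.example.net (mx.example.net [192.0.2.1])\r\n"
                b"Subject: test\r\n\r\nbody\r\n")
MSG_X_RECEIVED = (b"X-Received-From-Address: 192.0.2.2\r\n"
                  b"Received: from mx.example.net\r\n"
                  b"Subject: test\r\n\r\nbody\r\n")


@dataclass
class FtmEntry:
    magic_type: int
    offset: int
    pattern: bytes
    name: str
    required_type: str
    detected_type: str


def parse_ftm(text: str) -> List[FtmEntry]:
    """Parse .ftm lines; blank lines and '#' comments are skipped.
    Optional MinFL/MaxFL fields after the sixth are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            raise ValueError(f"malformed .ftm line: {line!r}")
        magic, offset, hexsig, name, req, det = fields[:6]
        entries.append(FtmEntry(int(magic), int(offset), bytes.fromhex(hexsig),
                                name, req, det))
    return entries


def detect_type(data: bytes, entries: List[FtmEntry],
                current_type: str = "CL_TYPE_ANY") -> Optional[str]:
    """Return DetectedType of the first magic-type-0 entry whose bytes sit
    exactly at its Offset in `data` and whose RequiredType is CL_TYPE_ANY
    or the type already assigned to the data."""
    for e in entries:
        if e.magic_type != 0:
            continue  # types 1 (hex-regex) and 4 (PE section) are not modelled
        if e.required_type not in ("CL_TYPE_ANY", current_type):
            continue
        if data[e.offset:e.offset + len(e.pattern)] == e.pattern:
            return e.detected_type
    return None


def ftm_line_for_header(first_header: str, name: str) -> str:
    """Generate a magic-type-0 line of the same shape as the work-around
    lines, for a message whose very first bytes are `first_header`.
    Use it to turn a reported FIRST LINE into a candidate .ftm entry."""
    if ":" in name:
        raise ValueError("Name field must not contain ':'")
    return f"0:0:{first_header.encode('ascii').hex()}:{name}:CL_TYPE_ANY:CL_TYPE_MAIL"


if __name__ == "__main__":
    stock = parse_ftm(DAILY_FTM)
    combined = stock + parse_ftm(SANESECURITY_FTM)
    for e in combined:
        print(f"{e.name:<12} matches first bytes {e.pattern!r}")
    print("Received: message, stock .ftm        ->", detect_type(MSG_RECEIVED, stock))
    print("X-Received message, stock .ftm       ->", detect_type(MSG_X_RECEIVED, stock))
    print("X-Received message, with work-around ->", detect_type(MSG_X_RECEIVED, combined))
    print(ftm_line_for_header("X-Envelope-To:", "MailScanner2"))
```

Two things worth noticing when you run it: the stock pattern decodes to `b"Received: "` including the space, so a message whose first line is `Received:` followed by a tab matches nothing in this model either; and a type-0 entry only looks at the byte at its Offset, so a message that begins with a blank line or a `From ` envelope line ahead of the first header also fails to match. When collecting "FIRST LINE" reports as the thread asks, those are the cases to check before assuming a new header name is the cause.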


