Anti-Phishing / Spear-Phishing script IMPORTANT update

Mark Sapiro mark at msapiro.net
Sun Sep 27 19:34:05 IST 2009


Jules Field wrote:
>
>On 26/09/2009 15:51, Mike Wallace wrote:
>> Jules,
>>
>> I have found an anomaly in the beta with the --lint virus scan results.
>>
>> On a MailScanner box running 4.77.1, when I run MailScanner --lint I 
>> get the following for virus checking:
>>
>> MailScanner.conf says "Virus Scanners = clamd"
>> Found these virus scanners installed: clamd
>> =========================================================================== 
>>
>> Filename Checks: Windows/DOS Executable (1 eicar.com)
>> Other Checks: Found 1 problems
>> Virus and Content Scanning: Starting
>> Clamd::INFECTED:: Eicar-Test-Signature :: ./1/
>> Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
>> Virus Scanning: Clamd found 2 infections
>> Infected message 1 came from 10.1.1.1
>> Virus Scanning: Found 2 viruses
>> =========================================================================== 
>>
>>
>> On a MailScanner box running 4.78.16 I get the following:
>>
>> MailScanner.conf says "Virus Scanners = clamd"
>> Found these virus scanners installed: clamd
>> =========================================================================== 
>>
>> Filename Checks: Windows/DOS Executable (1 eicar.com)
>> Other Checks: Found 1 problems
>> Virus and Content Scanning: Starting
>> Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
>> Virus Scanning: Clamd found 1 infections
>> Infected message 1 came from 10.1.1.1
>> Virus Scanning: Found 1 viruses
>> =========================================================================== 
>>
>>
>>
>> Both boxes were built the same way with the only difference being the 
>> version of MailScanner installed.
>>
>> Is this behavior correct?
>Looks like a bug-fix to me. There's only 1 infection in the test 
>message, so it should only report 1 infection.


If I am not mistaken, this is normal and expected. The box that reports
2 infections has

ClamAV Full Message Scan = yes

and the box that reports 1 has

ClamAV Full Message Scan = no

The full message scan results in two hits - one on the full message and
one on the attached file.

I know Mike has said in another thread
<http://lists.mailscanner.info/pipermail/mailscanner/2009-September/093276.html>
that these settings are the same (yes) on both boxes, but in my
experience since well before and including several 4.77.x versions, but
maybe not 4.77.1, on CentOS 5.0 with ClamAV Full Message Scan = yes, I
always get 2 infections reported from MailScanner --lint.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
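
Added example, not part of the original message and not MailScanner code: a small check that classifies the `Clamd::INFECTED::` lines from `MailScanner --lint` into whole-message hits and per-file hits and compares that with the `ClamAV Full Message Scan` setting. It assumes, following the explanation above, that a hit whose path ends at the message directory (`./1/`) is the full-message hit, and that the setting holds a plain yes/no value rather than a ruleset; the function names are hypothetical.

```python
import re

# Line format as it appears in the --lint output quoted in this thread:
#   Clamd::INFECTED:: <signature> :: ./<message dir>/<optional file name>
HIT = re.compile(r"Clamd::INFECTED::\s*(?P<sig>.+?)\s*::\s*\./(?P<msg>[^/\s]+)/(?P<file>\S*)")
SETTING = re.compile(r"^\s*ClamAV Full Message Scan\s*=\s*(\S+)", re.I | re.M)

# Sample inputs: the hit lines of the two --lint runs quoted in the thread.
LINT_TWO_HITS = """Clamd::INFECTED:: Eicar-Test-Signature :: ./1/
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
"""
LINT_ONE_HIT = "Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com\n"


def classify_hits(lint_output):
    """Group hits per message: whole-message hits vs. hits on named files."""
    result = {}
    for line in lint_output.splitlines():
        m = HIT.search(line)
        if not m:
            continue
        entry = result.setdefault(m["msg"], {"message": [], "files": []})
        if m["file"]:
            entry["files"].append((m["file"], m["sig"]))
        else:  # path stops at the message directory: assumed full-message hit
            entry["message"].append(m["sig"])
    return result


def configured_full_scan(conf_text):
    """True/False for a plain yes/no setting, None if the line is absent."""
    m = SETTING.search(conf_text)
    return None if m is None else m.group(1).lower() == "yes"


def check(conf_text, lint_output):
    """Compare the configured setting with what the lint output shows."""
    hits = classify_hits(lint_output)
    observed = any(e["message"] for e in hits.values())
    configured = configured_full_scan(conf_text)
    return {
        "infected_messages": len(hits),  # distinct messages, not hit lines
        "reported_hits": sum(len(e["message"]) + len(e["files"]) for e in hits.values()),
        "full_scan_configured": configured,
        "full_scan_observed": observed,
        "consistent": configured is None or configured == observed,
    }
```

Both sample outputs describe one infected message; only the hit count differs, and `consistent` is false when the configuration says yes but no whole-message hit appears.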


