MailScanner blocking ClamAV emails

Steve Basford steveb_clamav at
Sat Mar 25 17:47:40 UTC 2017

YARA.r57shell_php_php.UNOFFICIAL these Yara rules can be disabled in the 
official down load script... see config file... or you can put
YARA.r57shell_php_php into localwhitelist.ign2 and place in ClamAV database 
folder to whitelist this Sig.

The usual issue with emailing auto-spam logs is they contain snippets of 
real spam phrases so they will sometimes get hit.

Hope that helps.


Twitter: @sanesecurity

On 25 March 2017 16:05:18 Mark Sapiro <mark at> wrote:

> On 03/25/2017 08:50 AM, Walt Thiessen wrote:
>> What exactly should we whitelist? My admins claim that the only thing
>> you can whitelist in ClamAV is a signature, and they say there are no
>> signatures in the log entries to whitelist.
> The rule that hits is YARA.r57shell_php_php.UNOFFICIAL. The .UNOFFICIAL
> part just means it is not an 'official' clamav rule, and I'm not sure
> but I think the YARA. part just indicates its a YARA rule, but the rest
> of it should match some rule in a file in /var/lib/clamav, probably with
> a .yar or .yara extension.
> --
> Mark Sapiro <mark at>        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
> --
> MailScanner mailing list
> mailscanner at

More information about the MailScanner mailing list