<html><head><style type='text/css'>body { font-family: 'Verdana'; font-size: 10pt; color: #000000}</style></head><body>All looks good Jules :D<br><br>Output from MailWatch :-<br><br>20/07/07<br>02:52:38 XXXXXX@XXXXXX XXXXXX@XXXXX.com cialis and viagra for Everyone! 2.5Kb 29.70 Spam<br>Virus (Email.Hdr.Sanesecurity.07012400)<br><br>cialis and viagra for Everyone!<br>Size: 2.5Kb<br>Anti-Virus/Dangerous Content Protection<br>Virus: Y <br>Blocked File: N <br>Other Infection: N <br>Report: Clamd: message.header was infected: Email.Hdr.Sanesecurity.07012400 FOUND<br><br>Now able to report against Viruses/Malware and SPAM :)<br><br><table class="data" border="0" cellpadding="0" cellspacing="0" width="700"><tbody><tr><th width="6%">Rank</th>
<th width="44%">Virus</th>
<th width="45%">Percentage of detection</th>
<th width="5%">Count</th></tr>
<tr><td>1</td><td nowrap="nowrap">Email.Stk.Gen592.Sanesecurity.07071801.pdf</td><td><table class="data" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr>
<td style="padding: 0px; background-color: rgb(238, 2, 4);" width="60%"> </td>
<td style="border: 0px none ; padding: 0px;" width="40%"> 60%</td></tr></tbody></table></td>
<td align="right">129</td></tr><tr><td>2</td><td nowrap="nowrap">Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400</td><td><table class="data" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr>
<td style="padding: 0px; background-color: rgb(238, 2, 4);" width="11%"> </td>
<td style="border: 0px none ; padding: 0px;" width="89%"> 11%</td></tr></tbody></table></td>
<td align="right">23</td></tr><tr><td>3</td><td nowrap="nowrap">Email.Spam.Gen1007.Sanesecurity.07071800</td><td><table class="data" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr>
<td style="padding: 0px; background-color: rgb(238, 2, 4);" width="8%"> </td>
<td style="border: 0px none ; padding: 0px;" width="92%"> 8%</td></tr></tbody></table></td>
<td align="right">17</td></tr><tr><td>4</td><td nowrap="nowrap">Html.Loan.Gen006.Sanesecurity.06120200</td><td><table class="data" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr>
<td style="padding: 0px; background-color: rgb(238, 2, 4);" width="8%"> </td>
<td style="border: 0px none ; padding: 0px;" width="92%"> 8%</td></tr></tbody></table></td>
<td align="right">17</td></tr><tr><td>5</td><td nowrap="nowrap">Email.Hdr.Sanesecurity.07012400</td><td><table class="data" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr>
<td style="padding: 0px; background-color: rgb(238, 2, 4);" width="6%"> </td>
<td style="border: 0px none ; padding: 0px;" width="94%"> 6%</td></tr></tbody></table></td>
<td align="right">12</td></tr><tr><td>6</td><td nowrap="nowrap">Email.Spam.Gen465.Sanesecurity.07050603</td><td><table class="data" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr>
<td style="padding: 0px; background-color: rgb(238, 2, 4);" width="2%"> </td>
<td style="border: 0px none ; padding: 0px;" width="98%"> 2%</td></tr></tbody></table></td>
<td align="right">5</td></tr><tr><td>7</td><td nowrap="nowrap">Html.Img.Gen013.Sanesecurity.06112900</td><td><table class="data" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr>
<td style="padding: 0px; background-color: rgb(238, 2, 4);" width="2%"> </td>
<td style="border: 0px none ; padding: 0px;" width="98%"> 2%</td></tr></tbody></table></td>
<td align="right">5</td></tr><tr><td>8</td><td nowrap="nowrap">Html.Phishing.Bank.Rockv2Gen28.Sanesecurity.07061800</td><td><table class="data" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr>
<td style="padding: 0px; background-color: rgb(238, 2, 4);" width="1%"> </td>
<td style="border: 0px none ; padding: 0px;" width="99%"> 1%</td></tr></tbody></table></td>
<td align="right">2</td></tr><tr><td>9</td><td nowrap="nowrap">Email.Spam.Gen595.Sanesecurity.07052401</td><td><table class="data" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr>
<td style="padding: 0px; background-color: rgb(238, 2, 4);" width="1%"> </td>
<td style="border: 0px none ; padding: 0px;" width="99%"> 1%</td></tr></tbody></table></td>
<td align="right">2</td></tr><tr><td>10</td><td nowrap="nowrap">Email.Spam.Gen903.Sanesecurity.07062812</td><td><table class="data" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr>
<td style="padding: 0px; background-color: rgb(238, 2, 4);" width="1%"> </td>
<td style="border: 0px none ; padding: 0px;" width="99%"> 1%</td></tr></tbody></table></td>
<td align="right">2</td></tr></tbody></table>
<br>Another chink in the armour of the commercial AV/AP solution that the company I work for uses. MailScanner should be taking it over *very* soon now :D<br><br>Thanks again to Rick and Jules. (and SaneSecurity for producing great additional ClamAV signatures)<br><br>----- Original Message -----<br>From: "Julian Field" &lt;MailScanner@ecs.soton.ac.uk&gt;<br>To: "MailScanner discussion" &lt;mailscanner@lists.mailscanner.info&gt;<br>Sent: Thursday, July 19, 2007 8:16:07 PM (GMT) Europe/London<br>Subject: Re: UNKNOWN CLAMD RETURN<br><br>Sorry, forgot the attachment as usual!<br><br>Julian Field wrote:<br>> * PGP Signed: 07/19/07 at 19:50:56<br>><br>> Please try the attached patch to SweepViruses.pm and let me know how <br>> you get on.<br>><br>> MailWatch may well not like it completely, as I changed "$part was" to <br>> "headers were" so it will fail to match if Steve looks for "was", but <br>> I'm sticking to English grammar, unless "the entire message was" works <br>> better.<br>><br>> Please try both and tell me if MailWatch is happy with "the entire <br>> message was" and I'll change my code.<br>><br>> Has someone actually got an entire message that triggers this code, so <br>> that we can test it on a real message?<br>><br>> Cheers,<br>> Jules.<br>><br>><br>> Julian Field wrote:<br>>> > Old Signed: 07/19/07 at 19:12:27<br>>><br>>><br>>><br>>> Rick Cooper wrote:<br>>>> <br>>>><br>>>> > -----Original Message-----<br>>>> > From: mailscanner-bounces@lists.mailscanner.info > <br>>>> [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of <br>>>> UxBoD<br>>>> > Sent: Thursday, July 19, 2007 9:36 AM<br>>>> > To: MailScanner discussion<br>>>> > Subject: Re: UNKNOWN CLAMD RETURN<br>>>> > > Not sure on that Rick as we do not use the reports. 
In > <br>>>> MailWatch it shows as :-<br>>>> > > Clamd: message.header was infected: > <br>>>> Email.Hdr.Sanesecurity.07061900 FOUND<br>>>> > > so message.header could be changed to the word SPAM.<br>>>><br>>>><br>>>> Do you know what happens to the message? The reason I ask is I can't<br>>>> remember what MailScanner does to the message when it cannot find<br>>>> $infections->{"$id"}{"$part"} in its list of associated files (or <br>>>> safenames<br>>>> I think).<br>>> To add a report for the entire message, set $part to "". So if you <br>>> add a virus report for the whole message, then the whole message will <br>>> be treated as infected. Whether adding this will require a slight <br>>> change to MailWatch, I don't know. But that's the right way to do it. <br>>> Very dangerous to add a report for an attachment filename that <br>>> doesn't exist!<br>>><br>>>> It may pass the message untouched and it may remove the entire<br>>>> body I just cannot remember what the reflex would be in this situation.<br>>>> Perhaps Julian can answer that. MailWatch is just looking for <br>>>> something to<br>>>> match the regex in functions.php (IIRC) but MailScanner may end up<br>>>> delivering the message and I need to make sure that doesn't happen.<br>>>> <br>>><br>>> Jules<br>>><br>><br>> Jules<br>><br><br>Jules<br><br>-- <br>Julian Field MEng CITP<br>www.MailScanner.info<br>Buy the MailScanner book at www.MailScanner.info/store<br><br>MailScanner customisation, or any advanced system administration help?<br>Contact me at Jules@Jules.FM<br><br>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654<br>For all your IT requirements visit www.transtec.co.uk<br><br></body>
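<br>The compatibility concern raised in the thread, as an added example (not code from MailScanner, MailWatch or any poster): a report parser that keys on the "infected: ... FOUND" structure instead of the verb, so it accepts the current "message.header was" wording and both rewordings Jules proposes, and surfaces unmatched lines instead of silently dropping them from the statistics. The STRICT pattern, the reworded sample lines, the attachment name and all function names are assumptions constructed for illustration; only the first sample line and the signature names come from the page.

```python
import re
from collections import Counter

# Hypothetical strict matcher: single-token subject plus the verb "was".
# Shown for contrast only; this is NOT MailWatch's actual regex.
STRICT = re.compile(r"^Clamd: (\S+) was infected: (\S+) FOUND$")

# Tolerant matcher: any subject text, "was" or "were", then the signature.
TOLERANT = re.compile(r"^Clamd: (.+?) (?:was|were) infected: (\S+) FOUND$")

# Subjects that mean "the report covers the whole message, not one file".
WHOLE_MESSAGE = {"message.header", "headers", "the entire message"}

SAMPLES = [
    # Taken from the MailWatch output quoted on the page:
    "Clamd: message.header was infected: Email.Hdr.Sanesecurity.07012400 FOUND",
    # Constructed: assumed shape of the two rewordings discussed in the thread.
    "Clamd: headers were infected: Email.Hdr.Sanesecurity.07012400 FOUND",
    "Clamd: the entire message was infected: Email.Hdr.Sanesecurity.07012400 FOUND",
    # Constructed: an ordinary per-attachment report (file name is made up).
    "Clamd: invoice.pdf was infected: Email.Stk.Gen592.Sanesecurity.07071801.pdf FOUND",
]

def parse_report(line, pattern=TOLERANT):
    """Return (scope, signature), or None when the line does not match."""
    m = pattern.match(line.strip())
    if m is None:
        return None
    subject, signature = m.group(1), m.group(2)
    scope = "message" if subject in WHOLE_MESSAGE else "attachment"
    return scope, signature

def tally(lines, pattern=TOLERANT):
    """Count hits per signature and keep every line the pattern missed."""
    hits, missed = Counter(), []
    for line in lines:
        parsed = parse_report(line, pattern)
        if parsed is None:
            missed.append(line)  # a wording change upstream shows up here
        else:
            hits[parsed[1]] += 1
    return hits, missed

if __name__ == "__main__":
    for name, pat in (("strict", STRICT), ("tolerant", TOLERANT)):
        hits, missed = tally(SAMPLES, pat)
        print(name, dict(hits), "unmatched:", len(missed))
```

A non-empty unmatched list after a scanner upgrade is the signal that report wording changed and detections are no longer reaching the statistics.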
</html>