We have a properly functioning MailScanner server that I have recently downloaded the sanesecurity definitions to. I am hoping that it will reject the message the same way it does if there is a virus detection. I have downloaded the update script and verified that the signature files are in the same location as the main clamav databases. I assume it is ok to have the following directory structure:
<br><br>[root@mailscanner MailScanner]# ls -lah /usr/local/share/clamav/<br>total 4.4M<br>drwxrwxr-x 4 clamav clamav 1.0K Jul 31 08:30 ./<br>drwxr-xr-x 5 root root 1.0K Jul 3 17:09 ../<br>drwxr-xr-x 2 clamav clamav 1.0K
Jul 31 06:05 daily.inc/<br>drwxr-xr-x 2 clamav clamav 1.0K Jul 20 13:07 main.inc/<br>-rw------- 1 clamav clamav 1.4K Jul 31 08:30 mirrors.dat<br>-rw-r--r-- 1 clamav clamav 514K Jul 31 07:50 MSRBL-Images.hdb<br>-rw-r--r-- 1 clamav clamav 224K Jul 31 05:15
MSRBL-SPAM.ndb<br>-rw-rw-r-- 1 clamav clamav 1.1M Jul 31 08:07 phish.ndb<br>-rw-rw-r-- 1 clamav clamav 182K Jul 31 03:19 phish.ndb.gz<br>-rw-rw-r-- 1 clamav clamav 1.1M Jul 31 08:07 phish.old<br>-rw-rw-r-- 1 clamav clamav 596K Jul 31 08:07
scam.ndb<br>-rw-rw-r-- 1 clamav clamav 120K Jul 31 03:20 scam.ndb.gz<br>-rw-rw-r-- 1 clamav clamav 596K Jul 31 08:07 scam.old<br><br><br>This is what I am seeing in the log:<br><br>Jul 31 08:11:22 mailscanner MailScanner[12975]: Message
C8DEF122D.8ACFF from 192.168.x.x (<a href="mailto:user@gmail.com">user@gmail.com</a>) to <a href="http://nccumc.org">nccumc.org</a> is not spam, SpamAssassin (not cached, score=-0.909, required 6, AWL -0.53, BAYES_00 -2.60
, HTML_MESSAGE 0.00, TVD_SPACE_RATIO 2.22)<br>Jul 31 08:11:23 mailscanner MailScanner[12975]: /var/spool/MailScanner/incoming/12975/./C8DEF122D.8ACFF/phish_sigtest.txt: Html.Phishing.Sanesecurity.TestSig FOUND<br>Jul 31 08:11:25 mailscanner MailScanner[12975]: Infected message
C8DEF122D.8ACFF came from <a href="http://192.168.10.25">192.168.10.25</a><br>Jul 31 08:11:25 mailscanner MailScanner[12975]: Filename Checks: Allowing C8DEF122D.8ACFF msg-12975-4.txt<br>Jul 31 08:11:25 mailscanner MailScanner[12975]: Filename Checks: Allowing
C8DEF122D.8ACFF phish_sigtest.txt<br>Jul 31 08:11:25 mailscanner MailScanner[12975]: Filename Checks: Allowing C8DEF122D.8ACFF msg-12975-5.html (no rule matched)<br>Jul 31 08:11:25 mailscanner MailScanner[12975]: Filetype Checks: Allowing
C8DEF122D.8ACFF msg-12975-4.txt<br>Jul 31 08:11:25 mailscanner MailScanner[12975]: Filetype Checks: Allowing C8DEF122D.8ACFF msg-12975-5.html<br>Jul 31 08:11:25 mailscanner MailScanner[12975]: Filetype Checks: Allowing C8DEF122D.8ACFF
phish_sigtest.txt<br>Jul 31 08:11:25 mailscanner MailScanner[12975]: Logging message C8DEF122D.8ACFF to SQL<br>Jul 31 08:11:25 mailscanner MailScanner[12900]: C8DEF122D.8ACFF: Logged to MailWatch SQL<br><br>MailScanner dutifully sends the message on. It is flagged as a phishing scam but no action is taken. Is there something I need to change in MailScanner? It would appear that sanesecurity is doing its job but the message still slips through. My apologies if this is not MailScanner related. I searched google, the clamav site, the sansecurity site and the MailScanner list archives extensively before writing. I appreciate any help you could offer. Thank you.
<br>