This is another post about the problems that some people have been having with sco.a seemingly making it past clam due to doggy mime structure in bounce messages.
I noticed that Symantec on our exchange servers (which are behind a mailscanner box running clam and sophos) is picking up a few Sco's in bounce messages inside 'Message Body', it is detecting it as [EMAIL PROTECTED] If I understand Symantec's naming scheme correctly this signature is matching the encoded body part, rather than after unencoding an attachment. Therefore I'm suggesting that Clam should follow Symantec's lead and include a signature for the encoded data. I understand that some may have an issue with this as the message is broken and may be harmless (assuming no mail clients are fault tolerant enough to unpack it), but please consider the following... The messages are a nuisance at best, as the sender address is forged they cause confusion and fear amongst users (we have had a number of false alarms with users reporting an infection that was in fact just a bounce due to a forged sender address). Other scanners are detecting them, which does not make clam look good in comparison - perceptions are often more important than technology (especially for non-technical senior management). I seem to remember this was done before (maybe Gibe-F? or Sobig??) - following a long discussion. In fact, given that we have had this discussion before (I think...) perhaps it should be a matter of policy to create an additional sig for the encoded message on all mass mailing worms. BMRB International http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the recipient and may contain confidential and/or privileged material. If you have received this in error, please contact the sender and delete this message immediately. Disclosure, copying or other action taken in respect of this email or in reliance on it is prohibited. BMRB International Limited accepts no liability in relation to any personal emails, or content of any email which does not directly relate to our business. ------------------------------------------------------- The SF.Net email is sponsored by EclipseCon 2004 Premiere Conference on Open Tools Development and Integration See the breadth of Eclipse activity. February 3-5 in Anaheim, CA. http://www.eclipsecon.org/osdn _______________________________________________ Clamav-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/clamav-users
