Hello again Nigel,

I have found a certain kind of MIME structure and headers that causes clamd to produce false negative errors. The debugging output of clamd reports "LibClamAV debug: getline: buffer overflow stopped" and the viral attachment is not opened at all. (See http://users.auth.gr/~apap/clamav/viral-mail.raw and http://users.auth.gr/~apap/clamav/CLAMD-DEBUG-cannot-detect-attached-virus-in-viral-raw-mail.log)

If the same mail is in mbox format (the only difference is in the first line "From "), the attachments are opened normally, and Worm.Bagz.D is found. (See http://users.auth.gr/~apap/clamav/viral-mail.mbox and http://users.auth.gr/~apap/clamav/CLAMD-DEBUG-detects-attached-virus-in-mbox-mail.log)

A small collection of the viral mails I have received can be found at: http://users.auth.gr/~apap/clamav/viruses-that-bypass-clamav-0.85.1.mbox. I receive tens of them every day. They have all been sent to [EMAIL PROTECTED] (this is forwarded to my INBOX) and originate from unqualified addresses from a specific network. The attachments are BASE64 encoded in very long lines (2048 bytes each). No other user on my servers (17000 of them active) has reported getting these viruses. All this is very puzzling.

I assume that your "yes" in your previous mail means that the test virus you sent me *did* pass through your mailserver, which *did* attempt to scan for viruses but *did* fail to recognize the attached virus, probably due to mangled MIME structure. I suppose that your server silently fixed the mangled structure and as a result the virus was detectable on my mail server.

If all the above are correct, then this should be fixed in clamd. I hope the data in http://users.auth.gr/~apap/clamav are enough to verify the problem.

Apostolis Papayanakis

P.S. Despite the subject of this mail, clamav-milter now seems to be unrelated to the problem.

On 2005-05-18 08:45 +300 Nigel Horne wrote:
> On Wednesday 18 May 2005 00:57, Apostolos Papayanakis wrote:
> > Nigel,
> >
> > Did the viral mail you sent me as a test
> > (http://users.auth.gr/~apap/spurious-viral-mbox) pass through your local
> > clamav-milter before reaching my clamav-milter that finally rejected it?
>
> Yes - I don't (usually) have outgoing scanning on.
>
> > A plain yes or no would suffice, at least for now. There seems to be
> > a problem with the initial "From " line in the viral mbox-style mailbox
> > (removing it hides the virus from clamdscan). I will investigate further
> > and will write back.
>
> Hmm. OK - let me know if you find anything.
>
> > Apostolis Papayanakis
>
> -Nigel
> _______________________________________________
> http://lurker.clamav.net/list/clamav-users.html
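
An added example, not part of the thread and not ClamAV code: a byte-level audit that a mail gateway could run to flag messages with the traits reported above (2048-byte base64 lines, presence or absence of the mbox "From " envelope line). The function names and the sample message are assumptions constructed for illustration; the limits are the 998-character line limit of RFC 5322 and the 76-character base64 line limit of RFC 2045.

```python
import re

RFC5322_MAX = 998  # max line length excluding CRLF (RFC 5322, section 2.1.1)
BASE64_MAX = 76    # max encoded line length in a base64 part (RFC 2045, section 6.8)
CTE_RE = re.compile(rb"^content-transfer-encoding:\s*(\S+)", re.I)

def audit_message(raw: bytes) -> dict:
    """Walk the message line by line, without a MIME parser, counting limit violations."""
    report = {"mbox_envelope": raw.startswith(b"From "), "max_len": 0,
              "over_998": 0, "base64_over_76": 0}
    in_headers, encoding = True, b""
    for line in raw.splitlines():
        report["max_len"] = max(report["max_len"], len(line))
        if len(line) > RFC5322_MAX:
            report["over_998"] += 1
        if line.startswith(b"--"):      # heuristic: treat as a MIME boundary
            in_headers, encoding = True, b""
        elif in_headers:
            if not line:                # blank line ends the header block
                in_headers = False
            else:
                m = CTE_RE.match(line)
                if m:
                    encoding = m.group(1).lower()
        elif encoding == b"base64" and len(line) > BASE64_MAX:
            report["base64_over_76"] += 1
    return report

def sample(prefix: bytes = b"") -> bytes:
    """Constructed message: one base64 part with 2048-byte lines of harmless filler."""
    payload = b"QUJD" * 512  # 2048 base64 characters
    return prefix + b"\r\n".join([
        b"From: sender@example.invalid",
        b"MIME-Version: 1.0",
        b'Content-Type: multipart/mixed; boundary="b1"',
        b"",
        b"--b1",
        b"Content-Type: application/octet-stream",
        b"Content-Transfer-Encoding: base64",
        b"",
        payload, payload,
        b"--b1--", b"",
    ])

if __name__ == "__main__":
    print(audit_message(sample()))
    print(audit_message(sample(b"From sender@example.invalid Wed May 18 00:00:00 2005\r\n")))
```

A message with a non-zero `over_998` or `base64_over_76` count can be held for manual review or re-encoded before scanning, whether or not the scanner's verdict is clean.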