> I'm using the sanesecurity and MSRBL files too and am getting the
> same spam.
>
> I'll start sending them to Steve to incorporate.
>
> James.
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://lurker.clamav.net/list/clamav-users.html

Turns out this may be an Amavis-new related issue, see below:

Jeff Thurston wrote:
>> -----Original Message-----
>> From: Bill Landry [mailto:[EMAIL PROTECTED]
>> Sent: Thursday, July 19, 2007 3:31 PM
>> To: Jeff Thurston
>> Cc: 'Steve Basford'
>> Subject: Re: sanesecurity sigs
>>
>> Jeff Thurston wrote:
>>>> -----Original Message-----
>>>> From: Bill Landry [mailto:[EMAIL PROTECTED]
>>>> Sent: Thursday, July 19, 2007 3:25 PM
>>>> To: Steve Basford
>>>> Cc: Jeff Thurston
>>>> Subject: Re: sanesecurity sigs
>>>>
>>>> Steve Basford wrote:
>>>>> Hi Guys,
>>>>>
>>>>> Just noticed the posts regarding my sigs.
>>>>>
>>>>> A lot of the common cards should be caught by my sigs... but the
>>>>> real heavy hitter ones, I know I added official sigs to the
>>>>> database to catch those..
>>>>>
>>>>> So, just a thought for Bill, is it something to do with passing
>>>>> the full message body to clamav, like the problem you had with your
>>>>> settings and the blue-mountain card... as the whole message body
>>>>> is normally needed to pickup type 4 signatures, whereas the
>>>>> type 3 signatures (test sig) will be found okay?
>>>>>
>>>>> Might not be this, as it's near bed-time for me ;)
>>>>>
>>>>> Good luck!
>>>>>
>>>>> Steve
>>>> That could be the problem, depending on how Jeff is passing the messages
>>>> to clamd. Jeff, are you possibly using amavisd-new? If not, how do you
>>>> pass messages from your MTA to clamd? Is the entire message sent
>>>> to clamd for scanning, or is the message decoded first and the
>>>> individual decoded mime parts sent to clamd for scanning?
>>>>
>>>> Bill
>>> I am using Amavis-new.
>> Okay, then that's most likely the problem. What version of
>> amavisd-new are you running?
>>
>> Steve, I'll send you an update later. Probably time to put that
>> amavisd-new/clamav FAQ together...
>>
>> Bill
>
> Postfix 2.2.10-1ubuntu0.1
> Amavisd-new 2.3.3-3
> ClamAV 0.90.3
>
> Ubuntu Server 6.06.1.
>
> Any suggestions you have or changes I should make would be greatly
> appreciated. I would like to continue with amavis-new if possible - I
> am relatively comfortable with its configuration etc.

Jeff, with version 2.3.x of amavisd-new, you will need to enable the
following section in your amavisd.conf file and then reload amavisd:

    [EMAIL PROTECTED] = (new_RE(
    # qr'^MAIL$',   # retain full original message for virus checking (can be slow)

This will cause all messages to still be decoded by amavisd-new and all
the decoded parts sent to the virus scanners for scanning, and also the
full undecoded message, as well (which is what is needed for the type 4
SaneSecurity signatures to trigger on a message).

However, if you were to upgrade to amavisd-new version 2.5.1 or newer,
you could simply enable $bypass_decode_parts (which is more efficient) as
described in the 2.5.1 release notes:

    - setting $bypass_decode_parts to true now also disables MIME decoding,
      not just decoders/dearchivers listed in a @decoders list, and also
      implicitly retains full original message for virus checking,
      equivalent to having a regular expression /^MAIL$/ in a
      @keep_decoded_original_maps list; prompted by Bill Landry;

With this setting, you will also need to make sure that you have clamd
(and any other virus scanners you might use) set to enable its decoding
and dearchiving functionality (see clamd.config setting).

For more details about what prompted this change, see the message string
at http://marc.info/?t=117951293700001&r=1&w=2

Bill
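
Added example, not part of the original thread and not amavisd-new or ClamAV code: a simplified Python model of why a pattern written against the raw mail file never fires when the content filter hands the scanner only decoded MIME parts, and does fire once the full original message is kept for scanning. The message, the two patterns and the plain substring match (standing in for a signature engine) are all constructed assumptions.

```python
import base64
from email import message_from_bytes

# Constructed sample: an e-card style mail whose HTML body is base64-encoded.
HTML = (b'<html><body><a href="http://example.invalid/card">'
        b'View your card</a></body></html>')
RAW = (
    b"From: cards@example.invalid\r\n"
    b"To: user@example.invalid\r\n"
    b"Subject: You have received a greeting card\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n" + base64.encodebytes(HTML).replace(b"\n", b"\r\n")
)

# Hypothetical patterns; a substring match stands in for the signature engine.
# MAIL_PATTERN spans two raw header lines, so it exists only in the mail file.
MAIL_PATTERN = b"Subject: You have received a greeting card\r\nMIME-Version"
# BODY_PATTERN exists only after the base64 body has been decoded.
BODY_PATTERN = b'example.invalid/card">View your card'


def decoded_parts(raw):
    """Model of a decoding content filter: leaf payloads only, no headers."""
    msg = message_from_bytes(raw)
    return [p.get_payload(decode=True) for p in msg.walk()
            if not p.is_multipart()]


def scan(raw, keep_original):
    """Return the names of the patterns that hit on what the scanner sees."""
    objects = decoded_parts(raw)
    if keep_original:
        # Models retaining the full original message alongside decoded parts.
        objects.append(raw)
    hits = set()
    for obj in objects:
        if MAIL_PATTERN in obj:
            hits.add("mail")
        if BODY_PATTERN in obj:
            hits.add("body")
    return hits


if __name__ == "__main__":
    print("decoded parts only:", sorted(scan(RAW, keep_original=False)))
    print("plus full original:", sorted(scan(RAW, keep_original=True)))
```
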