Jeff Thurston wrote:
>> I'm using the sanesecurity and MSRBL files too and am getting the
>> same spam.
>>
>> I'll start sending them to Steve to incorporate.
>>
>> James.
>> _______________________________________________
>> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
>> http://lurker.clamav.net/list/clamav-users.html
>
> Turns out this may be an Amavis-new related issue, see below:
>
> Jeff Thurston wrote:
>>> -----Original Message-----
>>> From: Bill Landry [mailto:[EMAIL PROTECTED]
>>> Sent: Thursday, July 19, 2007 3:31 PM
>>> To: Jeff Thurston
>>> Cc: 'Steve Basford'
>>> Subject: Re: sanesecurity sigs
>>>
>>> Jeff Thurston wrote:
>>>>> -----Original Message-----
>>>>> From: Bill Landry [mailto:[EMAIL PROTECTED]
>>>>> Sent: Thursday, July 19, 2007 3:25 PM
>>>>> To: Steve Basford
>>>>> Cc: Jeff Thurston
>>>>> Subject: Re: sanesecurity sigs
>>>>>
>>>>> Steve Basford wrote:
>>>>>> Hi Guys,
>>>>>>
>>>>>> Just noticed the posts regarding my sigs.
>>>>>>
>>>>>> A lot of the common cards should be caught by my sigs... but the
>>>>>> real heavy hitter ones, I know I added official sigs to the
>>>>>> database to catch those..
>>>>>>
>>>>>> So, just a thought for Bill, is it something to do with passing
>>>>>> the full message body to clamav, like the problem you had with
>>>>>> your settings and the blue-mountain card... as the whole message
>>>>>> body is normally needed to pick up type 4 signatures, whereas the
>>>>>> type 3 signatures (test sig) will be found okay?
>>>>>>
>>>>>> Might not be this, as it's near bed-time for me ;)
>>>>>>
>>>>>> Good luck!
>>>>>>
>>>>>> Steve
>>>>> That could be the problem, depending on how Jeff is passing the
>>>>> messages to clamd. Jeff, are you possibly using amavisd-new? If
>>>>> not, how do you pass messages from your MTA to clamd? Is the
>>>>> entire message sent to clamd for scanning, or is the message
>>>>> decoded first and the individual decoded mime parts sent to clamd
>>>>> for scanning?
>>>>>
>>>>> Bill
>>>> I am using Amavis-new.
>>> Okay, then that's most likely the problem. What version of
>>> amavisd-new are you running?
>>>
>>> Steve, I'll send you an update later. Probably time to put that
>>> amavisd-new/clamav FAQ together...
>>>
>>> Bill
>> Postfix 2.2.10-1ubuntu0.1
>> Amavisd-new 2.3.3-3
>> ClamAV 0.90.3
>>
>> Ubuntu Server 6.06.1.
>>
>> Any suggestions you have or changes I should make would be greatly
>> appreciated. I would like to continue with amavis-new if possible - I
>> am relatively comfortable with its configuration etc.
>
> Jeff, with version 2.3.x of amavisd-new, you will need to enable the
> following section in your amavisd.conf file and then reload amavisd:
>
> @keep_decoded_original_maps = (new_RE(
> # qr'^MAIL$', # retain full original message for virus checking (can be slow)
>
> This will cause all messages to still be decoded by amavisd-new and all the
> decoded parts sent to the virus scanners for scanning, and also the full
> undecoded message, as well (which is what is needed for the type 4
> SaneSecurity signatures to trigger on a message). However, if you were to
> upgrade to amavisd-new version 2.5.1 or newer, you could simply enable
> $bypass_decoded_parts (which is more efficient) as described in the 2.5.1
> release notes:
>
> - setting $bypass_decode_parts to true now also disables MIME decoding,
>   not just decoders/dearchivers listed in a @decoders list, and also
>   implicitly retains full original message for virus checking, equivalent
>   to having a regular expression /^MAIL$/ in a @keep_decoded_original_maps
>   list; prompted by Bill Landry;
>
> With this setting, you will also need to make sure that you have clamd (and
> any other virus scanners you might use) set to enable its decoding and
> dearchiving functionality (see clamd.config setting). For more details
> about what prompted this change, see the message string at
> http://marc.info/?t=117951293700001&r=1&w=2
>
> Bill

I have this problem. The postcards are not detected with amavisd-new + clamd but then I detect them with p3scan + clamdscan.
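
The gap discussed in this thread, as an added example that is not part of any message above and is not amavisd-new or ClamAV code: a toy scanner in which a mail-target (type 4) signature is only evaluated when the submitted file is itself a mail file, so a gateway that submits only decoded parts misses it. The message, the signature names and the file-typing heuristic are all constructed assumptions.

```python
import email
import re
from email import policy

# Constructed sample message (not taken from the thread).
RAW = (b"From: cards@example.invalid\r\n"
       b"To: user@example.invalid\r\n"
       b"Subject: You have received a postcard\r\n"
       b"MIME-Version: 1.0\r\n"
       b"Content-Type: text/html; charset=us-ascii\r\n"
       b"\r\n"
       b'<html><body><a href="http://example.invalid/postcard.exe">'
       b"View your card</a></body></html>\r\n")

# Toy signatures: (name, target type, byte pattern).
# Target numbers follow ClamAV's convention: 3 = HTML, 4 = mail file.
SIGS = [("Toy.Html", 3, b"postcard.exe"), ("Toy.Mail", 4, b"postcard.exe")]

def file_type(data):
    """Crude stand-in for scanner file typing (assumption, not ClamAV's logic)."""
    if re.match(rb"[A-Za-z-]+:\s", data):
        return 4                      # starts with an RFC 822 style header
    return 3 if b"<html" in data.lower() else 0

def decoded_parts(raw):
    """Split a message into decoded leaf parts, as a decoding gateway would."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_payload(decode=True) for p in msg.walk() if not p.is_multipart()]

def scan(data):
    """Names of toy signatures that fire on one submitted file."""
    kind = file_type(data)
    hits = {name for name, target, pat in SIGS if target == kind and pat in data}
    if kind == 4:                     # a mail file is also unpacked by the scanner
        for part in decoded_parts(data):
            hits |= scan(part)
    return hits

def gateway_scan(raw, keep_original):
    """Scan the decoded parts, plus the undecoded message when keep_original is set."""
    files = decoded_parts(raw) + ([raw] if keep_original else [])
    return set().union(*(scan(f) for f in files))

if __name__ == "__main__":
    print("parts only:      ", sorted(gateway_scan(RAW, keep_original=False)))
    print("parts + original:", sorted(gateway_scan(RAW, keep_original=True)))
```

Here `keep_original=True` plays the role of the `/^MAIL$/` entry in `@keep_decoded_original_maps`: the HTML-target signature fires either way, the mail-target one only when the undecoded message is submitted too.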