Spam Administrator wrote: > I have recently noted that database signatures of 'type 4' are not > always detected. (Often used to detect phishing or greeting card scams). > > If I use clamscan on a file which should return a positive result, it > works, but if I send that file through an e-mail to myself, it is NOT > detected. > > I am using sendmail and mimedefang. The mimedefang is calling clamd. > > On another server, I'm using MPP with CommuniGate and MPP provides the > interface to clamd. It behaves the same was as the sendmail server. > Manual detection works, but daemon processing does not detect the type 4 > signatures. > > Any ideas? > > Dan Zachary
Yes, check the archives. This is a known issue it seems with wrapper programs like mimedefang, mailscanner, amavisd-new, etc., that break messages up into decoded mime parts and send the individual parts to clamd for scanning. The type 4 signatures want to see the whole message in its entirety, not just the individual decoded parts. I don't know about mimedefang, but amavisd-new has a settings that allows it to send just the separate decode parts, the decoded parts and the entire message, or just the entire message. Check to see if mimedefang can be configures to either send just the entire message to clamd, or to at least send the decoded parts as well as the entire message. That should solve the problem for you. Bill _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://lurker.clamav.net/list/clamav-users.html
