Am 15.02.2017 um 13:10 schrieb TBits.net, Mailinglists:
On 2017-02-13 15:07, TBits.net, Mailinglists wrote:
On 2017-02-13 14:39, Reindl Harald wrote:
Am 13.02.2017 um 14:33 schrieb TBits.net, Mailinglists:
On 2017-02-13 13:19, Reindl Harald wrote:
Am 13.02.2017 um 13:05 schrieb TBits.net, Mailinglists:
Hi @all,
clamav-milter identify an email as infected by
Heuristics.Phishing.Email.SSL-Spoof.
This is correct, but when I scan this file in the quarantine with
clamdscan or clamscan the file is clean.8154
It seams that the clamscan or clamdscan do not scan this file for
Phishing.
Is it possible to scan a text file as a mail to identify with
phishing?
clamdscan is using clamd the same way as "clamav-milter" and so if
it's the same clamd configuration it behaves identically
clamav-milter identify it as Heuristics.Phishing.Email.SSL-Spoof but in
clamdscan it is clean.
And I think the result should be the same
they are - proven by a webinterface where i upload eml files at pass
them through spamd and clamdscan using two different clamd-instances
which are used by clamav-milter and/or spamassassin
are you 100% certain that clamdscan is using the identical clamd
instance with identical configuration?
Yes only one instance of clamd is running.
I scan only the quarantined mail which was hold by clamav-milter before.
Tested under different servers, on all servers are the same result.
any idea how I can scan a text file as email, that phishing attempts are
identified?
if you send the code via telnet to the smtp server clamav-milter
identify it as "infected by Heuristics.Phishing.Email.SSL-Spoof"
If you scan a file with this code, clamdscan identify it as clean.
--- snip---
subject: test
--_000_ed9530a770f34b59940e38cc79be07c0SE011093_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<a href="http://www.example.de/";>https://www.example.de;
--_000_ed9530a770f34b59940e38cc79be07c0SE011093_-
---snip---
a good start would be to provide a *unchanged* sample .eml file so that
somebody can reproduce it - at least unmangeled eml files saved with
thunderbird and piped through clamdscan behave 100% identical to milter
usage because there is technical no difference at all
so most likely you file is just recognized as email
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
