Hi there,

On Mon, 19 Oct 2020, Pablo Murillo wrote:

> I don't know if the PNG error is present from day 1 or not

When exactly was day 1? Do you have any evidence that your virus scanning has ever worked at all? Have you tried to test it e.g. by sending things like the EICAR test file?

https://en.wikipedia.org/wiki/EICAR_test_file

Some of the references at the foot of that page may be useful to you.

> I'm not using milter, I'm using SimScan ...

I'm not sure how much help I'll be able to give you with Simscan. The little searching I've done about it doesn't fill me with confidence. While writing my previous mail it crossed my mind to ask if you knew that your version of Spamdyke was six years old, but I decided to let it pass. But I do now think that you need to look at your toolchain.

Do you know exactly which version of Simscan you're using? It seems there are several. Looking at https://sourceforge.net/projects/simscan/files/ for example, Simscan was last updated on October 29th 2007. Looking at https://github.com/qmail/simscan it was cleaned up and 'modernized' around 2014 but the changelog looks rather sparse from 2007 onwards. I had a quick look for the alleged Simscan mailing list archives and failed to find anything. Have you applied any patches to Simscan? See for example https://freebsdrocks.net/simscan.shtml

The last 13 years have seen ClamAV continuously developed, but not Simscan. I can't point to evidence of incompatibility between the two, but it's possible that some may have arisen. The ClamAV team will continue development. As far as compatibility testing goes I don't know how high Simscan will be on their priority list. Micah will probably be able to tell us if they test with it - Micah?

It appears that Simscan may use 'ripmime' to split up a mail into its components and write them to files, before scanning with clamd using the clamd CONTSCAN command. There are other ways to go about it and I wonder if it might be where the problem lies. You might want to look for the possibility of saving the temporary files which Qmail writes for clamd to scan, so that you can look at them, and for example scan them manually.

AFAICT the latest release of 'ripmime' is from 2011, nearly a decade old. All the links given in 'Support options' at https://pldaniels.com/ripmime/ seem to be dead, empty or irrelevant and looking at https://github.com/inflex/ripMIME/blob/master/CHANGELOG virtually nothing has been done to it since 2008. In the past, whenever I've tried to use software with histories like this it's been a very unhappy experience. It's possible that such old software has no vulnerabilities, but it's also possible that it's at least as big a threat as many of those that you're trying to protect against by using ClamAV.

> I'm sending clamd.conf and 8 minutes of log (clamd.log) attached

It might help to see more of the log - complete from restart, and with a few controlled emails only so that it's easy to see what's going on; but I wonder if it's worth the trouble of investigating until you've taken a step back and given your toolchain some thought. If, despite the risks I've pointed out, you are comfortable with it, then I'd suggest you set up a test-bed system which has no Internet connection and push some local mail through it to see how it behaves, of course watching the logs carefully all the while.

Have you asked about this on a Qmail mailing list?

--
73,
Ged.

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
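
Added example, not part of the original message and not Simscan's or ripmime's own code: a test-bed sketch of the manual check suggested above, writing a mail's MIME parts to files and asking clamd to CONTSCAN the directory. The socket path, the function names and the sample mail and reply text are assumptions constructed for illustration.

```python
import email, os, re, socket
from email import policy
from email.message import EmailMessage

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # assumption: use LocalSocket from your clamd.conf
# Constructed reply text in clamd's "<path>: <detail> <STATUS>" line format.
CONSTRUCTED_REPLY = ("/tmp/parts/00-body: OK\n"
                     "/tmp/parts/01-.._pic.png: Example.Constructed.Signature FOUND\n"
                     "/tmp/parts/02-x.bin: constructed error text ERROR\n")

def sample_mail() -> bytes:
    """Constructed test mail: text body plus a stub attachment with a PNG signature."""
    msg = EmailMessage()
    msg["Subject"] = "test-bed mail"
    msg.set_content("hello\n")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\0" * 16, maintype="image",
                       subtype="png", filename="../pic.png")
    return msg.as_bytes()

def split_message(raw: bytes, outdir: str) -> list:
    """Write every leaf MIME part, decoded, to its own file under outdir."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    paths = []
    for i, part in enumerate(p for p in msg.walk() if not p.is_multipart()):
        # Attachment names are sender-controlled: keep a safe character set only.
        name = re.sub(r"[^A-Za-z0-9._-]", "_", part.get_filename() or "body")
        path = os.path.join(outdir, f"{i:02d}-{name}")
        with open(path, "wb") as fh:
            fh.write(part.get_payload(decode=True) or b"")
        paths.append(path)
    return paths

def clamd_contscan(directory: str, sock_path: str = CLAMD_SOCKET) -> str:
    """Send CONTSCAN for a directory; clamd's user needs read access to it."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(b"nCONTSCAN " + os.fsencode(directory) + b"\n")
        chunks = []
        while (data := s.recv(4096)):  # clamd closes the connection after replying
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")

def parse_replies(reply: str) -> dict:
    """Group clamd reply lines by status (OK / FOUND / ERROR)."""
    out = {"OK": [], "FOUND": [], "ERROR": []}
    for line in reply.splitlines():
        path, _, rest = line.partition(": ")  # names were sanitised in split_message
        status = rest.rsplit(" ", 1)[-1]
        if status in out:
            out[status].append((path, rest[: -len(status)].strip()))
    return out
```

On the test bed, pass a saved mail's bytes to split_message(), then feed the output of clamd_contscan() on that directory to parse_replies() and compare the result with what clamd.log records for the same files.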