I am marking and passing malware e-mails to a special review account for
possible listing in URIBL Black (in their malware cluster). Just
curious to know why amavisd would write all of the duplicate malware
headers to a single message:
X-Spam-Status: Yes, score=56 required=5
tests=[AV:Email.Malware.Sanesecurity.07051800=7.5, MY_TEST=3.5,
AV:Email.Malware.Sanesecurity.07051800=7.5,
AV:Email.Malware.Sanesecurity.07051800=7.5,
AV:Email.Malware.Sanesecurity.07051800=7.5,
AV:Email.Malware.Sanesecurity.07051800=7.5,
AV:Email.Malware.Sanesecurity.07051800=7.5,
AV:Email.Malware.Sanesecurity.07051800=7.5]
When I scan the same raw message file with clamdscan I only see one result:
=====
clamdscan /home/amavis/test.eml
/home/amavis/test.eml: Email.Malware.Sanesecurity.07051800 FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.310 sec (0 m 0 s)
=====
I also periodically see the same with phish e-mail, too:
X-Spam-Status: Yes, score=26 required=5
tests=[AV:Phishing.Email.SSL-Spoof=7.5, MY_TEST=3.5,
AV:Phishing.Email.SSL-Spoof=7.5, AV:Phishing.Email.SSL-Spoof=7.5]
And with clamdscan directly on the raw message file:
=====
clamdscan /home/amavis/test2.eml
/home/amavis/test2.eml: Phishing.Email.SSL-Spoof FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.084 sec (0 m 0 s)
=====
Again, it not a big deal, just more of a curiosity question.
Thanks,
Bill
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
