Mark Martinec wrote:
> Perhaps m...@customer.tld has bypass_virus_checks while o...@mailbox.tld
> does not? Elevated log level would tell. (but see further on)

No, that's what we immediately verified - as it's the most obvious
explanation.

> Having qr'^MAIL$' in @keep_decoded_original_maps seems reasonable
> to me too. If the 'Phishing.Heuristics.Email.SpoofedDomain' test
> in ClamAV checks a mail header section, the absence of qr'^MAIL$'
> would explain what you are seeing.
> 
>> But as run_av is not even called for the decoded MIME parts
>> that's probably not the issue here.
> 
> What is your log level? The "run_av (ClamAV-clamd): ..." log entry
> is reported at log level 2 when infected, but at log level 3 when clean.

That's it! Log level is 2 - and as I didn't know this detail the
posted log lines confused me. qr'^MAIL$' would have been the solution
if the log line had been there - but it wasn't. But with this
information the whole thing changes, it IS the solution.

Thank you very much Mark! Thank you for your immediate and precise
reply - and for all the great work you're doing for this project!
Can't wait to drink some beer with you in Berlin ;-)

Cheers,
Thomas


_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/amavis-user 
 AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 
 AMaViS-HowTos:http://www.amavis.org/howto/ 