I'm getting spam passing through that should be blocked by
ClamAV. If I run clamscan or clamdscan on the file in my spam folder,
it gets picked up as a virus.
But they are being stopped by ASSP & ClamAV, so ASSP applies all its
other checks (and correctly recognises it as spam).
Here is an example header:
From: [EMAIL PROTECTED]
Subject: [SPAM]: Investment / Partnership Relationship.
Date: 25 July 2007 10:18:02 PM
To: [EMAIL PROTECTED]
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: from ASSP-nospam (localhost [127.0.0.1]) by
mail.bordo.com.au (Postfix) with SMTP id 952CFB81C38 for
<[EMAIL PROTECTED]>; Wed, 25 Jul 2007 22:18:08 +1000 (EST)
Received: from bay0-omc2-s6.bay0.hotmail.com ([65.54.246.142]
helo=bay0-omc2-s6.bay0.hotmail.com) by ASSP-nospam; 25 Jul 2007
22:17:57 +1000
Received: from BLU104-W11 ([10.6.55.46]) by bay0-omc2-
s6.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Wed, 25
Jul 2007 05:18:05 -0700
Message-Id: <[EMAIL PROTECTED]>
Content-Type: multipart/alternative;
boundary="_6be146f7-9431-4c98-95aa-47c33bfea8c4_"
X-Originating-Ip: [213.185.118.201]
Importance: Normal
Mime-Version: 1.0
X-Originalarrivaltime: 25 Jul 2007 12:18:05.0814 (UTC) FILETIME=
[DAC5B160:01C7CEB5]
X-Assp-Delay: not delayed (noDelay IP); 25 Jul 2007 22:17:57 +1000
X-Assp-Score: 45 (DNSBL-neutral)
X-Assp-Score: 25 (Bayesian)
X-Assp-Received-Dnsbl: neutral (dnsbl-2.uceprotect.net->127.0.0.2; )
X-Assp-Received-Uribl: pass
X-Assp-Tag: MessageLimit
X-Assp-Envelope-From: [EMAIL PROTECTED]
X-Assp-Version: 1.3.4(12)
X-Assp-Redlisted: Yes
X-Assp-Spam: YES
X-Smsmse-Scl: 9
X-Assp-Id: id-5877c6365
X-Assp-Spam-Reason: Message Limit
X-Assp-Totalscore: 70
Running clamdscan on the file:
/usr/local/bin/clamdscan /Applications/assp-1/spam/8995.eml
/Applications/assp-1/spam/8995.eml: Email.ScamL.Gen079.Sanesecurity.06053105 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.362 sec (0 m 0 s)
As you can see from my clamd.log, some emails are being trapped by
ClamAV (being called by ASSP):
Fri Jul 20 02:04:35 2007 -> stream 1240: Email.Malware.Sanesecurity.07070300 FOUND
Mon Jul 23 15:36:57 2007 -> stream 1300: Email.Stk.Gen592.Sanesecurity.07071801.pdf FOUND
Mon Jul 23 18:55:15 2007 -> stream 2032: Email.Stk.Gen592.Sanesecurity.07071801.pdf FOUND
Mon Jul 23 21:37:14 2007 -> stream 1157: Email.Malware.Sanesecurity.07070300 FOUND
Mon Jul 23 22:22:06 2007 -> stream 1578: Email.Spam.Gen985.Sanesecurity.07071100 FOUND
Mon Jul 23 22:22:15 2007 -> stream 1838: Email.Spam.Gen985.Sanesecurity.07071100 FOUND
Tue Jul 24 05:25:59 2007 -> stream 1672: Email.Stk.Gen592.Sanesecurity.07071801.pdf FOUND
Tue Jul 24 08:18:25 2007 -> stream 2031: Email.Spam.Gen985.Sanesecurity.07071100 FOUND
Tue Jul 24 11:56:32 2007 -> stream 1668: Email.Malware.Sanesecurity.07070300 FOUND
Tue Jul 24 23:38:12 2007 -> stream 1835: Email.Stk.Gen592.Sanesecurity.07071801.pdf FOUND
Wed Jul 25 02:45:30 2007 -> stream 1686: Email.Stk.Gen592.Sanesecurity.07071801.pdf FOUND
Wed Jul 25 04:08:51 2007 -> stream 1521: Email.Malware.Sanesecurity.07070300 FOUND
Wed Jul 25 13:39:59 2007 -> stream 1413: Email.Malware.Sanesecurity.07070300 FOUND
(For anyone wondering if the Sanesecurity files are worth installing,
look at the above!)
DoBlockExes is 0
UseAvClamd is set
NoScanRe is empty
ScanWL is set
ClamAV Bytes is 100000
Is there something that is stopping ClamAV being invoked under
certain circumstances?
Running 1.3.4 (12).
Thanks,
James.
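One thing worth checking when a message is caught by clamdscan on disk but not on the ASSP path is whether the front end hands clamd the whole message or only a prefix of it. The post lists "ClamAV Bytes is 100000", which I take to be the number of message bytes ASSP passes to the scanner (an assumption about that setting, not something the post states). The script below is an added diagnostic, not ASSP's or ClamAV's own code: it submits a file to clamd twice over the documented INSTREAM protocol (zINSTREAM, 4-byte big-endian chunk lengths, zero-length terminator), once in full and once truncated to the cap, and reports whether the verdict changes. It assumes clamd has a TCP listener on 127.0.0.1:3310 (TCPSocket/TCPAddr in clamd.conf); the sample message is constructed and only exercises the framing when no file is given.

```python
"""Does a byte cap change clamd's verdict on a message?

Added diagnostic (not ASSP's or ClamAV's code).  Assumes clamd listens on
TCP 127.0.0.1:3310.  Usage: python clamd_cap_check.py [message.eml] [cap]
"""
import socket
import struct
import sys

CLAMD_ADDR = ("127.0.0.1", 3310)   # assumption: clamd TCP listener
ASSP_CLAMAV_BYTES = 100000         # value quoted in the post ("ClamAV Bytes is 100000")

# Constructed sample used when no file is given on the command line.
SAMPLE_MESSAGE = (
    b"From: sender@example.invalid\r\n"
    b"Subject: constructed sample\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Placeholder body; clamd should report this stream as OK.\r\n"
)


def frame_instream(data, limit=None, chunk_size=8192):
    """Build the bytes of one zINSTREAM command.

    With `limit` set, only the first `limit` bytes are streamed, mirroring a
    front end that caps how much of a message it hands to the scanner.
    """
    if limit is not None:
        data = data[:limit]
    out = bytearray(b"zINSTREAM\0")
    for pos in range(0, len(data), chunk_size):
        chunk = data[pos:pos + chunk_size]
        out += struct.pack("!I", len(chunk)) + chunk   # length prefix, network order
    out += struct.pack("!I", 0)                        # zero-length chunk ends the stream
    return bytes(out)


def parse_reply(reply):
    """Map 'stream: <sig> FOUND\\0' / 'stream: OK\\0' to (status, signature)."""
    text = reply.rstrip(b"\0").decode("ascii", "replace").strip()
    _, sep, verdict = text.partition(": ")             # drop the 'stream' prefix
    if sep and verdict.endswith(" FOUND"):
        return "FOUND", verdict[:-len(" FOUND")]
    if sep and verdict == "OK":
        return "OK", None
    return "ERROR", text   # e.g. 'INSTREAM size limit exceeded. ERROR' (StreamMaxLength)


def scan_bytes(data, limit=None, addr=CLAMD_ADDR, timeout=30.0):
    """Send `data` (optionally capped) to clamd and return the parsed verdict."""
    with socket.create_connection(addr, timeout=timeout) as sock:
        sock.sendall(frame_instream(data, limit))
        reply = b""
        while not reply.endswith(b"\0"):               # z-commands end replies with NUL
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


def compare_verdicts(data, limit=ASSP_CLAMAV_BYTES):
    """Scan the whole message and its first `limit` bytes; flag any disagreement."""
    full = scan_bytes(data)
    capped = scan_bytes(data, limit)
    return {
        "size": len(data),
        "full": full,
        "capped": capped,
        "cap_matters": full != capped,
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            message = fh.read()
    else:
        message = SAMPLE_MESSAGE
    cap = int(sys.argv[2]) if len(sys.argv) > 2 else ASSP_CLAMAV_BYTES
    print(compare_verdicts(message, cap))
```

If `cap_matters` comes back true for the message in the spam folder, the signature that matched on disk lives beyond the cap and the front end's size setting is the thing to look at; if both verdicts agree, the cap is not the explanation and the next place to look is whatever condition keeps ASSP from calling clamd at all.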
_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user