I'm forwarding (minus irrelevant fragments) Farit's message
(details of headers are modified to hide names etc.).

The problem is that Clamav does not support messages in CommuniGate Pro
mail format.
I'm attaching the beginning of an example message.

----- Forwarded message from [EMAIL PROTECTED] -----

Date: Sat, 29 Nov 2003 16:51:21 +0500 (YEKT)

[...]
Tomasz Papszun wrote:
>
> VBS.Redlof.Encoded _is_ detected by Clamav in your sample.
> Well, not directly, but it really is.
>
> A possible reason for the failure to detect it is the strange format of the
> sample email message.
> Just remove these starting lines:
>
> P I 27-11-2003 14:12:46 0000 ____ ____ <[EMAIL PROTECTED]>
> O T
> S SMTP [123.456.789.123]
> R W 27-11-2003 14:12:46 0000 ____ _FY_ <[EMAIL PROTECTED]>
>
>
> up to "Received: from [123.456.789.123] (HELO host)".
> Then:
>
> $ clamscan --mbox VBS.Redlof.msg
> VBS.Redlof.msg: VBS.Redlof.Encoded FOUND
>

That is the CommuniGate Pro mail format; it adds additional lines with sender,
recipients, etc. to each message, and Clamav by default can't unmime them
(Kaspersky and Dr.Web, for example, can). Certainly, I can create a copy
of each message without headers and then send it to clamav or use a TCP
socket, but that's not the best way to go.

Would you mind including unmiming messages in that mail format? Currently
I'm using uudeview for this purpose, and the only problem I have is with
VBS.Redlof.

If it understands this format, I would also like to be able to reject
messages with some file extensions: .pif, .scr, etc. So the AV tool will
reject a lot of infected messages before they are detected as viruses.

Farit.

----- End forwarded message -----

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner
P I 27-11-2003 14:12:46 0000 ____ ____ <[EMAIL PROTECTED]>
O T
S SMTP [213.189.224.212]
R W 27-11-2003 14:12:46 0000 ____ _FY_ <[EMAIL PROTECTED]>

Received: from [123.456.789.123] (HELO host)
  by domain.ru (CommuniGate Pro SMTP 4.1.8)
  with SMTP id 10659246 for [EMAIL PROTECTED]; Thu, 27 Nov 2003 19:12:47 +0500
Message-ID: <[EMAIL PROTECTED]>
From: Sender <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Topic
Date: Thu, 27 Nov 2003 19:11:15 +0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0006_01C3B51A.3AA0CDE0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400

This is a multi-part message in MIME format.

------=_NextPart_000_0006_01C3B51A.3AA0CDE0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_001_0007_01C3B51A.3AA0CDE0"


------=_NextPart_001_0007_01C3B51A.3AA0CDE0
Content-Type: text/plain;
        charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

[...]
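
The workaround discussed in this thread (drop the leading envelope lines up to the first `Received:` header before scanning), combined with the extension check Farit asks for, as an added example that is not part of the original messages or of ClamAV. It assumes the envelope is the block of single-letter-coded lines before the first blank line, as in the attached sample; the function names and the sample message are constructed.

```python
import email
import re

ENVELOPE_LINE = re.compile(rb"^[A-Z] \S")   # assumed shape: b"P I ...", b"O T", b"S SMTP ..."
HEADER_LINE = re.compile(rb"^[!-9;-~]+:")   # RFC 5322 field name followed by ':'
BLOCKED_EXT = (".pif", ".scr")              # extensions named in the thread


def strip_envelope(raw: bytes) -> bytes:
    """Return raw without a leading envelope block; unchanged if none is recognised."""
    lines = raw.splitlines(keepends=True)
    if not lines or HEADER_LINE.match(lines[0]):
        return raw                          # already a plain RFC 822 message
    for i, line in enumerate(lines):
        if not line.strip():                # blank line closes the envelope block
            rest = lines[i + 1:]
            return b"".join(rest) if rest and HEADER_LINE.match(rest[0]) else raw
        if not ENVELOPE_LINE.match(line):
            return raw                      # unknown preamble: do not guess
    return raw


def blocked_attachments(raw: bytes) -> list[str]:
    """List attachment filenames whose extension is on the block list."""
    msg = email.message_from_bytes(strip_envelope(raw))
    names = [part.get_filename() for part in msg.walk()]
    return [n for n in names if n and n.lower().endswith(BLOCKED_EXT)]


# Constructed sample modelled on the attached message (addresses are placeholders).
SAMPLE = (
    b"P I 27-11-2003 14:12:46 0000 ____ ____ <sender@example.org>\n"
    b"O T\n"
    b"S SMTP [192.0.2.10]\n"
    b"R W 27-11-2003 14:12:46 0000 ____ _FY_ <rcpt@example.org>\n"
    b"\n"
    b"Received: from [192.0.2.10] (HELO host) by example.org\n"
    b'Content-Type: multipart/mixed; boundary="b1"\n'
    b"\n"
    b"--b1\n"
    b"Content-Type: application/octet-stream\n"
    b'Content-Disposition: attachment; filename="Photo.SCR"\n'
    b"\n"
    b"AAAA\n"
    b"--b1--\n"
)

if __name__ == "__main__":
    print(blocked_attachments(SAMPLE))
```

Writing the output of `strip_envelope` to a file gives the form of message that `clamscan --mbox` handled in the quoted reply.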
