On Tuesday 19 Apr 2005 00:08, Chris Masters wrote:
> Hi All,
>
> We've had some problems with legitimate bounces coming
> from qmail that contain one text/plain mime part. This
> single mime part contains some error information and
> then the original raw infected mail in MIME format.
>
> We scan emails on a part by part basis, so clam was
> given the text/plain body to scan rather than the full
> raw bounce mail in its entirety. Clam (and 2 other
> virus scanners) failed to find the virus within the
> bounce body.
>
> I understand that the virus is pretty harmless in this
> state but we would still like to block these
> virus-bounce messages.
>
> So, some questions:
>
> 1) How dangerous are these virus-bounces?

In theory not at all, but I don't trust MUAs not to be broken so clamAV does look for and find them.

> 2) Should clam detect the virus when given the
> text/plain main body of the bounce message?

Yes, it already does.

> 3) Should clam detect the virus when given the entire
> bounce message?

Yes, if you have a sample which is not found, please email it to me.

> 4) What other mechanisms can we use to drop these
> virus-bounces?

I have a (closed source) milter to do that. I run it in parallel with clamAV so that it can block bounces which don't include the complete original virus (most bounces don't include the original emails with their viruses). I can talk to you about that if you want.

> Thanks for any help on this,
>
> Chris

-Nigel
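
The part-by-part scanning gap discussed in this thread, as an added example that is not part of the original messages and is neither ClamAV's nor the milter's code: a pre-scan step that re-parses the original mail quoted inside a qmail bounce's text/plain body, so its attachments reach the scanner decoded. It assumes the bounce carries qmail-send's usual "Below this line" marker; the function names, addresses and payload are constructed for illustration.

```python
import base64
import email

# Line qmail-send writes before the copy of the original message (assumed present).
QMAIL_MARKER = "--- Below this line is a copy of the message."

def embedded_message(text):
    """Parse the original mail quoted after the qmail marker, or return None."""
    _, found, rest = text.partition(QMAIL_MARKER)
    if not found:
        return None
    return email.message_from_string(rest.lstrip("\r\n"))

def scannable_parts(msg, depth=0, max_depth=3):
    """Yield (content_type, decoded_bytes) per leaf part, descending into bounces."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        yield part.get_content_type(), data
        if part.get_content_type() == "text/plain" and depth < max_depth:
            inner = embedded_message(data.decode("latin-1"))
            if inner is not None:
                yield from scannable_parts(inner, depth + 1, max_depth)

# Constructed sample: a qmail-style bounce whose only MIME part is text/plain.
PAYLOAD = b"CONSTRUCTED-SAMPLE-ATTACHMENT"  # stand-in for the attachment bytes
SAMPLE_BOUNCE = "\n".join([
    "From: MAILER-DAEMON@mx.example",
    "Subject: failure notice",
    "Content-Type: text/plain",
    "",
    "Hi. This is the qmail-send program at mx.example.",
    "",
    QMAIL_MARKER,
    "",
    "From: sender@example.org",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: application/octet-stream",
    "Content-Transfer-Encoding: base64",
    "",
    base64.b64encode(PAYLOAD).decode(),
    "--b1--",
])

def demo():
    return list(scannable_parts(email.message_from_string(SAMPLE_BOUNCE)))
```

With `max_depth=0` the function behaves like a plain part-by-part walk and yields only the bounce text, in which the attachment is still base64-encoded.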
