Dennis Peterson wrote:
> Joao S Veiga wrote:
>> Hi John, 
>>
>>> think long and hard about the combination of payments and entities which are
>>> reduced to using numeric IPs in URLs.  I suspect my business goes elsewhere.
>> Agreed :-), but the problem is (and what has caused most of my problems)
>> that if you have an email with the Subject: Pagamento in your mailbox file,
>> then receive another one with the numeric href, clamav will say your mailbox
>> is infected - it doesn't matter that the two parts of the signature are in
>> different emails.
> 
> This problem is also being discussed in the "Getting line numbers" thread.
> The Email.FreeGame pattern demonstrates the very bad idea of using unanchored
> wildcard expressions in regex searches. If the software is not working on an
> extracted copy of each message found in the mbox then all such unanchored
> searches will crawl to the end of the mbox file with each invocation and in
> very many cases that is a lot of file to be crawling. If clamav is not
> treating mbox files as tables of rfc-822 messages then it is a pretty poor
> choice of tools for scanning them.

I've been following this discussion for the past few days, and I've got to ask why
scan an mbox file in the first place?  I realize that if one does choose to scan
an mbox file, then the scanner should do the right thing and consider each
message within the mbox as a separate file.  However, if one is scanning
messages at transport time, why would they need to scan the mbox file?

If one is not scanning at transport time, then since the infected message has
already been delivered, it could very well be that it has also executed its
payload and scanning the mbox file after-the-fact is too late.

Bill
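
Added example, not part of the original thread and not ClamAV code: it contrasts scanning an mbox as one blob with scanning each RFC 822 message separately, for a two-part signature like the one described above. The two regexes and the sample mailbox are constructed stand-ins, and the function names are hypothetical.

```python
import mailbox, os, re, tempfile

# Hypothetical stand-ins for the two signature parts named in the thread
# (a "Subject: Pagamento" header and a numeric-IP href); not ClamAV's patterns.
PART_A = re.compile(rb"^Subject: Pagamento", re.M)
PART_B = re.compile(rb'href="?http://\d{1,3}(?:\.\d{1,3}){3}', re.I)

# Constructed sample mbox: each part appears in a different message.
SAMPLE_MBOX = (
    b"From a@example.com Mon Jan  1 00:00:00 2007\n"
    b"From: a@example.com\nSubject: Pagamento\n\nReceipt attached.\n\n"
    b"From b@example.com Mon Jan  1 00:01:00 2007\n"
    b"From: b@example.com\nSubject: Newsletter\n\n"
    b'<a href="http://192.0.2.10/news">read more</a>\n\n'
)

def both_parts(blob):
    """True when both signature parts occur in the same byte string."""
    return bool(PART_A.search(blob) and PART_B.search(blob))

def scan_whole_file(raw):
    """Scan the mbox as one opaque blob: parts may come from different mails."""
    return both_parts(raw)

def scan_per_message(raw):
    """Scan each message on its own; return indexes of messages that match."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(raw)
        box = mailbox.mbox(path, create=False)
        try:
            return [k for k in box.keys() if both_parts(box.get_bytes(k))]
        finally:
            box.close()
    finally:
        os.remove(path)

if __name__ == "__main__":
    print("whole-file hit:", scan_whole_file(SAMPLE_MBOX))
    print("per-message hits:", scan_per_message(SAMPLE_MBOX))
```

On the sample, the whole-file scan reports a hit although no single message contains both parts; the per-message scan reports none.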