Phil Chambers wrote:
>
> I was not aware that there was any way to get clamd to do anything other than
> check the content of messages. The Sanesecurity signatures are just a set of
> phishing and scam signatures for ClamAV which are used in addition to the
> standard ClamAV ones.
>
> Given that ClamAV reports finding "Email.Spam.Sanesecurity.Url_269", for
> example, how do I look up the signature that clamd is using for that?
>
Grep that string from the Sane Security patterns. This one is in scam.ndb and
produces this:

Email.Spam.Sanesecurity.Url_269:4:*:4E6F206D6F72652070616964207365782C20776974682061203920696E636820636F636B20776F6D656E2077696C6C2077616E7420796F75206576657279206461792E

Copy the hex string beginning with 4E to the end and paste it into the
right-hand window at this location:

http://nickciske.com/tools/hex.php

Then click decode. You must do this because if I paste in the solution here
many mail systems will reject this post.

While the name suggests it is a URL sig it is not. It is a simple regex
pattern of clearly objectionable content. It is not the kind of thing ClamAV
should miss the first time through unless there is a mime decode error or
other policy that prevents scanning messages from the particular source to
a particular recipient.

dp
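The lookup and decode steps described in the reply can also be done offline; the following is an added example, not part of the original post or of ClamAV. It assumes the documented .ndb layout `Name:TargetType:Offset:HexSignature`; the signature names, sample records and function names are constructed for illustration.

```python
import string

# Constructed sample records in .ndb layout; names and bodies are invented.
SAMPLE_NDB = """\
Example.Constructed.Phish_1:4:*:436c69636b2068657265*766572696679{1-8}6163636f756e74
Example.Constructed.Html_2:3:*:3c696672616d65??7372633d
"""

# Subset of the target type codes in the ClamAV signature documentation.
TARGET_TYPES = {"0": "any file", "1": "PE", "2": "OLE2", "3": "normalised HTML",
                "4": "mail file", "7": "normalised ASCII text"}

def decode_hexsig(hexsig):
    """Turn literal hex bytes into text; keep wildcard tokens visible as <...>."""
    out, i = [], 0
    while i < len(hexsig):
        pair = hexsig[i:i + 2]
        if len(pair) == 2 and all(c in string.hexdigits for c in pair):
            byte = int(pair, 16)
            out.append(chr(byte) if 0x20 <= byte < 0x7F else "\\x%02x" % byte)
            i += 2
        elif hexsig[i] in "{(":                      # {n-m} gap or (aa|bb) alternation
            end = hexsig.index("}" if hexsig[i] == "{" else ")", i)
            out.append("<%s>" % hexsig[i:end + 1])
            i = end + 1
        elif hexsig[i] != "*" and "?" in pair:       # ?? or a nibble wildcard
            out.append("<%s>" % pair)
            i += 2
        else:                                        # "*" or a stray character
            out.append("<%s>" % hexsig[i])
            i += 1
    return "".join(out)

def lookup(name, ndb_text):
    """Find a signature by the name clamd reported and explain its fields."""
    for line in ndb_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and fields[0] == name:
            return {"name": fields[0],
                    "target": TARGET_TYPES.get(fields[1], fields[1]),
                    "offset": fields[2],
                    "decoded": decode_hexsig(fields[3])}
    return None

if __name__ == "__main__":
    print(lookup("Example.Constructed.Phish_1", SAMPLE_NDB))
```

Non-printable bytes are escaped rather than emitted, so a decoded signature body is safe to print to a terminal or log.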
