On Thu, 03 Jan 2008 06:21:37 -0800 Dennis Peterson <[EMAIL PROTECTED]> wrote:
> Phil Chambers wrote:
> >
> > Given that ClamAV reports finding "Email.Spam.Sanesecurity.Url_269", for
> > example, how do I look up the signature that clamd is using for that?
> >
>
> Grep that string from the Sane Security patterns. This one is in scam.ndb and
> produces this:
>
> Email.Spam.Sanesecurity.Url_269:4:*:4E6F206D6F72652070616964207365782C20776974682061203920696E636820636F636B20776F6D656E2077696C6C2077616E7420796F75206576657279206461792E
>
> Copy the hex string beginning with 4E to the end and paste it into the right
> hand window at this location:
>
> http://nickciske.com/tools/hex.php
>

Thanks, that was a great help and I have made some progress.

I took the name of a signature from the log which was not being rejected by
exim as it arrived from the Internet but was when returning from Exchange and
looked it up in scam.ndb to get:

Email.Spam.Gen2111.Sanesecurity.08010217:4:*:61667465722074616b696e67205650584c

The hex signature translates to 'after taking VPXL'.

I configured a test instance of exim to not clean out the spool file which
clamd is asked to scan (control = no_mbox_unspool in the 'malware = *' ACL).

I then manually typed SMTP at the test instance of exim using telnet to inject
the simple message:

    From: <my_address>
    To: <my_address>
    Subject: test with no_mbox_unspool

    Testing after taking VPXL as a signature test
    .

The message was delivered to my Exchange account.

The spool file showed what I would expect: the message header and body in a
simple mbox-style text file. The signature string is in the file just as one
would expect.

Exim must have invoked clamd because 'control = no_mbox_unspool' and
'malware = *' are both in the same ACL and exim did not delete the spool file.

Is there any way to get clamd to produce diagnostic information to prove it
scanned the message in this situation?

Phil.
---------------------------------------
Phil Chambers ([EMAIL PROTECTED])
University of Exeter
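
The lookup described in this thread, as an added example that is not part of the original messages: it finds a record by the name clamd logged, splits it using the .ndb layout (Name:TargetType:Offset:HexSignature), decodes a plain-hex body, and reports where those bytes occur in a spool file. The function names and the sample spool content are constructed for illustration, and the literal byte search only shows that the bytes are present; it is not clamd's matcher.

```python
import binascii
import re

# ClamAV body-based (.ndb) record: Name:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
TARGET_TYPES = {0: "any file", 1: "PE", 2: "OLE2", 3: "normalized HTML",
                4: "mail file", 5: "graphics", 6: "ELF", 7: "normalized ASCII text"}

PLAIN_HEX = re.compile(r"\A(?:[0-9A-Fa-f]{2})+\Z")


def parse_ndb_line(line):
    """Split one .ndb record into its fields and decode a plain-hex body."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("not an .ndb record: %r" % line)
    name, target, offset, hexsig = fields[:4]
    # Wildcards (??, *, {n-m}, (aa|bb)) cannot be decoded to one literal string.
    literal = binascii.unhexlify(hexsig) if PLAIN_HEX.match(hexsig) else None
    return {"name": name, "target": TARGET_TYPES.get(int(target), "unknown"),
            "offset": offset, "hex": hexsig, "literal": literal}


def find_signature(ndb_lines, wanted_name):
    """Equivalent of grepping the database for the name clamd logged."""
    for line in ndb_lines:
        if line.startswith(wanted_name + ":"):
            return parse_ndb_line(line)
    return None


def literal_offsets(sig, data):
    """Byte offsets at which the decoded signature occurs in data."""
    if sig["literal"] is None:
        return []
    return [m.start() for m in re.finditer(re.escape(sig["literal"]), data)]


# Constructed stand-ins: one record quoted in the thread and a spool file
# shaped like the test message described above.
SAMPLE_NDB = ["Email.Spam.Gen2111.Sanesecurity.08010217:4:*:"
              "61667465722074616b696e67205650584c"]
SAMPLE_SPOOL = (b"From: <my_address>\nTo: <my_address>\n"
                b"Subject: test with no_mbox_unspool\n\n"
                b"Testing after taking VPXL as a signature test\n")

if __name__ == "__main__":
    sig = find_signature(SAMPLE_NDB, "Email.Spam.Gen2111.Sanesecurity.08010217")
    print(sig["name"], sig["target"], sig["literal"],
          literal_offsets(sig, SAMPLE_SPOOL))
```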
