Hi,

System: debian, clamav 0.93.3.dfsg-1, amavisd-new 1:2.6.1.dfsg-1.

I got the following in my log running amavis and clamav. The virusdb was up to date when it happened (by freshclam). The receiver is an email address at my domain and the mail is directly forwarded to the hotmail address after the scan. The receiving server telling me it contains a virus is my ISP's smarthost which I must send via. When the ISP finds this virus mail, they will block my internet connection until I call their abuse department.

I searched for Phishing.Heuristics.Email.SpoofedDomain in the clamav-virusdb archive, and it seems that it does not exist? Unfortunately I don't have the infected mail saved...

The same thing happens with Email.Trojan-2 (which does exist in the db), they are scanned and reported as CLEAN, but the ISP's smarthost blocks it due to the detected virus.

Any ideas?

Aug 24 20:26:08 moria postfix/smtpd[31338]: connect from localhost[127.0.0.1]
Aug 24 20:26:08 moria postfix/smtpd[31338]: E9FA38AC12E: client=localhost[127.0.0.1]
Aug 24 20:26:08 moria postfix/cleanup[31322]: E9FA38AC12E: message-id=<[EMAIL PROTECTED] >
Aug 24 20:26:08 moria postfix/smtpd[31338]: disconnect from localhost[127.0.0.1]
Aug 24 20:26:08 moria postfix/qmgr[6748]: E9FA38AC12E: from=<[EMAIL PROTECTED] >, size=3331, nrcpt=1 (queue active)
Aug 24 20:26:08 moria postfix/cleanup[31322]: F15EC8AC158: message-id=<[EMAIL PROTECTED] >
Aug 24 20:26:08 moria postfix/qmgr[6748]: F15EC8AC158: from=<[EMAIL PROTECTED] >, size=3460, nrcpt=1 (queue active)
Aug 24 20:26:08 moria postfix/local[31340]: E9FA38AC12E: to=<[EMAIL PROTECTED] >, relay=local, delay=0.04, delays=0.02/0.01/0/0.01, dsn=2.0.0, status=sent (forwarded as F15EC8AC158)
Aug 24 20:26:08 moria postfix/qmgr[6748]: E9FA38AC12E: removed
Aug 24 20:26:09 moria amavis[30702]: (30702-10) Passed CLEAN, [87.170.100.175] [87.170.100.175] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED] >, Message-ID: <[EMAIL PROTECTED]>, mail_id: CwcGFkEZbg5G, Hits: 5.271, size: 2645, queued_as: E9FA38AC12E, 11194 ms
Aug 24 20:26:09 moria postfix/smtp[31323]: A6AD68AC125: to=<[EMAIL PROTECTED] >, relay=127.0.0.1[127.0.0.1]:10024, delay=12, delays=1.1/0.01/0.01/11, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=30702-10, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as E9FA38AC12E)
Aug 24 20:26:09 moria postfix/qmgr[6748]: A6AD68AC125: removed
Aug 24 20:26:10 moria postfix/smtp[31311]: F15EC8AC158: to=<[EMAIL PROTECTED] >, orig_to=<[EMAIL PROTECTED]>, relay=ch-smtp02.sth.basefarm.net[80.76.149.213]:25, delay=1.4, delays=0.01/0/0.17/1.2, dsn=4.0.0, status=SOFTBOUNCE (host ch-smtp02.sth.basefarm.net[80.76.149.213] said: 550 This message contains a virus (Phishing.Heuristics.Email.SpoofedDomain) (in reply to end of DATA command))

/jonas
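
An added example, not part of the original post: a Python script that follows Postfix queue ids from the local amavis verdict through the local forward to the smarthost's reply, and lists mail that was passed CLEAN locally but rejected downstream as a virus. The log lines are constructed after the format in the post; the addresses, the relay name `smarthost.example` and the function name `find_missed` are assumptions.

```python
import re

# Constructed sample lines modelled on the log format in the post (addresses are placeholders).
SAMPLE_LOG = """\
Aug 24 20:26:08 moria postfix/local[31340]: E9FA38AC12E: to=<user@example.org>, relay=local, dsn=2.0.0, status=sent (forwarded as F15EC8AC158)
Aug 24 20:26:09 moria amavis[30702]: (30702-10) Passed CLEAN, [192.0.2.10] <a@example.com> -> <user@example.org>, mail_id: CwcGFkEZbg5G, Hits: 5.271, size: 2645, queued_as: E9FA38AC12E, 11194 ms
Aug 24 20:26:10 moria postfix/smtp[31311]: F15EC8AC158: to=<fwd@example.net>, relay=smarthost.example[198.51.100.5]:25, dsn=4.0.0, status=SOFTBOUNCE (host smarthost.example[198.51.100.5] said: 550 This message contains a virus (Phishing.Heuristics.Email.SpoofedDomain) (in reply to end of DATA command))
Aug 24 20:30:01 moria amavis[30702]: (30702-11) Passed CLEAN, [192.0.2.11] <b@example.com> -> <user@example.org>, mail_id: Zz1, Hits: 0.1, size: 900, queued_as: AAAA0000001, 300 ms
Aug 24 20:30:02 moria postfix/smtp[31311]: AAAA0000001: to=<user@example.org>, relay=smarthost.example[198.51.100.5]:25, dsn=2.0.0, status=sent (250 Ok)
"""

# amavis verdict plus the queue id Postfix assigned to the re-injected message
AMAVIS = re.compile(r"amavis\[\d+\]: \(\S+\) (Passed|Blocked) (\S+?),.*queued_as: (\w+)")
# local delivery that re-queues the message under a new id (.forward / alias)
FORWARD = re.compile(r"postfix/local\[\d+\]: (\w+): .*\(forwarded as (\w+)\)")
# remote 5xx reply that names a virus signature
REJECT = re.compile(r"postfix/smtp\[\d+\]: (\w+): .*relay=([^\[,]+).*said: 5\d\d .*virus \(([^)]+)\)")

def find_missed(log_text):
    """Return messages the local scan passed as CLEAN but the next hop rejected."""
    verdict, forwarded, rejected = {}, {}, {}
    for line in log_text.splitlines():
        if m := AMAVIS.search(line):
            verdict[m.group(3)] = m.group(2)
        elif m := FORWARD.search(line):
            forwarded[m.group(2)] = m.group(1)  # new queue id -> original queue id
        elif m := REJECT.search(line):
            rejected[m.group(1)] = (m.group(2), m.group(3))
    findings = []
    for qid, (relay, signature) in rejected.items():
        origin, seen = qid, set()
        while origin in forwarded and origin not in seen:  # walk back through forwards
            seen.add(origin)
            origin = forwarded[origin]
        if verdict.get(origin) == "CLEAN":
            findings.append({"scanned_as": origin, "sent_as": qid,
                             "relay": relay, "signature": signature})
    return findings

if __name__ == "__main__":
    for f in find_missed(SAMPLE_LOG):
        print(f"{f['scanned_as']} -> {f['sent_as']}: local CLEAN, {f['relay']} says {f['signature']}")
```

Each finding names a signature the local scan did not report, which is the list to compare against the local engine's signature set and enabled options.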
