On Thu, 2016-03-24 at 11:05 +0000, Dave McMurtrie wrote:
> Hi,
>
> I created a local pdb database so I can catch phishing attempts when
> URLs in an email display our domain name but actually link to a
> malicious URL. In testing, I found something that I don't understand.
>
> When I run clamdscan on a test message it correctly detects a spoofed
> domain in the message. When my MTA connects to the clamd socket and
> asks it to scan the same exact message, it does not detect it.
Replying to myself here and hoping one of the Clam developers can clue me in.

I started to look at the code to figure out why it's not identifying this as type Mail when my MTA asks clamd to scan it, but it does when I manually run clamdscan. After decoding all the "Mail" types from filetypes_int.h, it appears as though the following matches should identify something as "Mail":

    >From
    Date:
    Delivered-To:
    Delivery-date:
    Envelope-to:
    Message-ID:
    Message-Id:
    Subject:
    To:
    X-Apparently-To:
    X-Envelope-From:
    X-Original-To:
    X-Real-To:
    X-Sieve:
    X-UIDL:

My sample message has several of those headers, but none match when my MTA invokes clamd.

Oddly, through dumb luck testing with telnet connecting to my MTA, I seem to have figured out what's going on. clamd appears to only match any of these if there's a blank line as the first line of data I send. Meaning, if I do this it won't be identified as Mail:

    mail from:[email protected]
    250 2.1.0 [email protected]... Sender ok
    rcpt to:[email protected]
    250 2.1.5 [email protected]... Recipient ok
    data
    354 Enter mail, end with "." on a line by itself
    Date: Thu, 24 Mar 2016 06:41:42 -0400
    ...snipped for brevity...

However, if I do this it will be identified as Mail and my pdb signature works correctly:

    mail from:[email protected]
    250 2.1.0 [email protected]... Sender ok
    rcpt to:[email protected]
    250 2.1.5 [email protected]... Recipient ok
    data
    354 Enter mail, end with "." on a line by itself

    Date: Thu, 24 Mar 2016 06:41:42 -0400
    ...snipped for brevity...

Given that the SMTP protocol does not require (or even mention) that the first line of the DATA phase will be a CRLF, I'm not sure how ClamAV would ever identify anything as type Mail.

Am I doing something wrong here? I assume I must be, because I can't be the only person attempting to use a pdb database to do this.

Thanks!
Dave
_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
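A small reproduction harness for the behaviour described in the post above, added here as an example and not part of the original thread or of ClamAV itself. It frames a message for clamd's INSTREAM command (the same socket path an MTA uses), reports at which byte offset the first "Mail"-style header line sits, and lets you submit the message as delivered and again with one leading CRLF to compare the two verdicts. The header list is the one the post decoded from filetypes_int.h (the post's ">From" is assumed to mean the mbox "From " line), the sample message is constructed, and the socket path is an assumed Debian-style default.

```python
import socket
import struct

CHUNK = 8192  # keep chunks well below clamd's StreamMaxLength

# Header prefixes the post decoded from filetypes_int.h as "Mail" matches;
# ">From" in the post is taken as the mbox "From " line (assumption).
MAIL_HEADER_PREFIXES = (
    b"From ", b"Date:", b"Delivered-To:", b"Delivery-date:", b"Envelope-to:",
    b"Message-ID:", b"Message-Id:", b"Subject:", b"To:", b"X-Apparently-To:",
    b"X-Envelope-From:", b"X-Original-To:", b"X-Real-To:", b"X-Sieve:",
    b"X-UIDL:",
)

# Constructed sample message (not from the post).
SAMPLE = b"Date: Thu, 24 Mar 2016 06:41:42 -0400\r\nSubject: test\r\n\r\nbody\r\n"

def first_mail_header_offset(data: bytes) -> int:
    """Offset of the first line starting with a listed header, else -1. Shows
    where the headers sit in the buffer; it does not model clamd's own rules."""
    pos = 0
    for line in data.splitlines(keepends=True):
        if line.startswith(MAIL_HEADER_PREFIXES):
            return pos
        pos += len(line)
    return -1

def instream_frames(data: bytes) -> bytes:
    """Frame data for clamd INSTREAM: zINSTREAM command, then chunks each
    prefixed with a 4-byte big-endian length, ended by a zero-length chunk."""
    out = [b"zINSTREAM\x00"]
    for i in range(0, len(data), CHUNK):
        piece = data[i:i + CHUNK]
        out.append(struct.pack(">I", len(piece)) + piece)
    out.append(struct.pack(">I", 0))
    return b"".join(out)

def scan_with_clamd(data: bytes, sock_path="/var/run/clamav/clamd.ctl") -> str:
    """Submit one buffer over clamd's UNIX socket and return its verdict line."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(instream_frames(data))
        reply = b""
        while not reply.endswith(b"\x00"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return reply.rstrip(b"\x00").decode(errors="replace")
```

To reproduce the post's two cases against a running clamd, call scan_with_clamd(SAMPLE) and scan_with_clamd(b"\r\n" + SAMPLE) and compare the verdict lines; first_mail_header_offset shows the only difference between the two buffers is where the header block starts.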
