The blank line ends the header section. In a simple message it would typically
follow the Subject: line.
dp
On 3/24/16 6:44 AM, Dave McMurtrie wrote:
On Thu, 2016-03-24 at 11:05 +0000, Dave McMurtrie wrote:
Hi,
I created a local pdb database so I can catch phishing attempts when
URLs in an email display our domain name but actually link to a
malicious URL. In testing, I found something that I don't understand.
When I run clamdscan on a test message it correctly detects a spoofed
domain in the message. When my MTA connects to the clamd socket and
asks it to scan the same exact message, it does not detect it.
Replying to myself here and hoping one of the Clam developers can clue
me in.
I started to look at the code to figure out why it's not identifying
this as type Mail when my MTA asks clamd to scan it, but it does when I
manually run clamdscan. After decoding all the "Mail" types from
filetypes_int.h, it appears as though the following matches should
identify something as "Mail":
>From
Date:
Delivered-To:
Delivery-date:
Envelope-to:
Message-ID:
Message-Id:
Subject:
To:
X-Apparently-To:
X-Envelope-From:
X-Original-To:
X-Real-To:
X-Sieve:
X-UIDL:
My sample message has several of those headers, but none match when my
MTA invokes clamd. Oddly, through dumb luck testing with telnet
connecting to my MTA I seem to have figured out what's going on.
clamd appears to only match any of these if there's a blank line as the
first line of data I send.
Meaning, if I do this it won't be identified as Mail:
mail from:[email protected]
250 2.1.0 [email protected]... Sender ok
rcpt to:[email protected]
250 2.1.5 [email protected]... Recipient ok
data
354 Enter mail, end with "." on a line by itself
Date: Thu, 24 Mar 2016 06:41:42 -0400
...snipped for brevity...
However, if I do this it will be identified as Mail and my pdb signature
works correctly:
mail from:[email protected]
250 2.1.0 [email protected]... Sender ok
rcpt to:[email protected]
250 2.1.5 [email protected]... Recipient ok
data
354 Enter mail, end with "." on a line by itself

Date: Thu, 24 Mar 2016 06:41:42 -0400
...snipped for brevity...
Given that the SMTP protocol does not require (or even mention) that the
first line of the DATA phase be a CRLF, I'm not sure how ClamAV
would ever identify anything as type Mail.
Am I doing something wrong here? I assume I must be, because I can't be
the only person attempting to use a pdb database to do this.
Thanks!
Dave
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml