----- Original Message ----- From: "R. Scott Perry" <[EMAIL PROTECTED]>
> >If the virus scanner were at fault (because of a decoding issue) then I have > >to ask again, why can TrendMicro detect the virus when scanning the raw > >D*.SMD file, but not when sent to it by Declude Virus? > > You would have to ask them. Declude Virus is decoding the E-mail properly. Hmmm, I thought that since Declude Virus does the decoding and scanner calls, that you might be interested it testing this yourself... > My guess is that they are *not* doing any decoding (which would make sense, > as that is the responsibility of the mailserver AV program). Therefore, > because the spam is malformed (saying that it is encoded, when it is > actually not), they are seeing what the spammer intended to be seen (the > actual spam). However, when decoding is done, they see a malformed E-mail. I had reported the same kind of issue with amavisd-new (which does much the same as Declude) almost a year ago (see http://sourceforge.net/mailarchive/message.php?msg_id=6775949), and Mark Martinec (the developer) eventually decided to provide a configuration option that allows mail admins the ability to send not only the decoded message segments to the scanners, but also the raw message, as well (see http://sourceforge.net/mailarchive/message.php?msg_id=7146161). Here is the most recent config option in amavisd-new: @keep_decoded_original_maps = (new_RE( qr'^MAIL$', # retain full original message for virus checking (can be slow) qr'^MAIL-UNDECIPHERABLE$', # retain full mail if it contains undecipherables qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i, qr'^Zip archive data', )); Might you consider such an option with Declude Virus? Bill --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
