----- Original Message ----- 
From: "R. Scott Perry" <[EMAIL PROTECTED]>

> >If the virus scanner were at fault (because of a decoding issue) then I have
> >to ask again, why can TrendMicro detect the virus when scanning the raw
> >D*.SMD file, but not when sent to it by Declude Virus?
>
> You would have to ask them.  Declude Virus is decoding the E-mail properly.

Hmmm, I thought that since Declude Virus does the decoding and scanner
calls, that you might be interested in testing this yourself...

> My guess is that they are *not* doing any decoding (which would make sense,
> as that is the responsibility of the mailserver AV program).  Therefore,
> because the spam is malformed (saying that it is encoded, when it is
> actually not), they are seeing what the spammer intended to be seen (the
> actual spam).  However, when decoding is done, they see a malformed E-mail.

I had reported the same kind of issue with amavisd-new (which does much the
same as Declude) almost a year ago (see
http://sourceforge.net/mailarchive/message.php?msg_id=6775949), and Mark
Martinec (the developer) eventually decided to provide a configuration
option that allows mail admins the ability to send not only the decoded
message segments to the scanners, but also the raw message, as well (see
http://sourceforge.net/mailarchive/message.php?msg_id=7146161).

Here is the most recent config option in amavisd-new:

@keep_decoded_original_maps = (new_RE(
  qr'^MAIL$',   # retain full original message for virus checking (can be slow)
  qr'^MAIL-UNDECIPHERABLE$',  # retain full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
  qr'^Zip archive data',
));

Might you consider such an option with Declude Virus?

Bill

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.
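
The behaviour discussed in the message above, as an added example that is not part of the original post and is not amavisd-new or Declude code: a part that claims base64 but holds plain text decodes to garbage, so a scanner given only decoded parts misses content that is visible in the raw message. MARKER, scan() and scan_message() are hypothetical names, and the sample message is constructed.

```python
import base64
import binascii
import email

# Constructed stand-in for a scanner signature; not a real malware pattern.
MARKER = b"CONSTRUCTED-TEST-SIGNATURE"

# Constructed sample: the header claims base64, but the body is plain text.
RAW = (
    b"From: sender@example.com\r\n"
    b"Subject: sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"Plain text that was never encoded: CONSTRUCTED-TEST-SIGNATURE\r\n"
)


def decoded_parts(raw):
    """Decode each leaf part as its headers claim; None means undecipherable."""
    parts = []
    for part in email.message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=False).encode("ascii", "surrogateescape")
        cte = (part.get("Content-Transfer-Encoding") or "7bit").strip().lower()
        if cte == "base64":
            try:
                # Non-alphabet bytes are dropped, so plain text becomes garbage.
                body = base64.b64decode(body)
            except (binascii.Error, ValueError):
                body = None
        parts.append(body)
    return parts


def scan(blob):
    """Hypothetical scanner call: True when the marker is present."""
    return blob is not None and MARKER in blob


def scan_message(raw, keep_original=False):
    """Scan decoded parts; add the raw message on request or on decode failure."""
    blobs = decoded_parts(raw)
    if keep_original or any(b is None for b in blobs):
        blobs.append(raw)
    return any(scan(b) for b in blobs)
```

With keep_original left off, the constructed sample passes the scan; turning it on, or hitting a part that cannot be decoded at all, hands the scanner the original bytes as well.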
