> nyx ~ # dspam --user ste...@bajic.ch --deliver=summary --stdout < jari.juslin.eml
> X-DSPAM-Result: ste...@bajic.ch; result="Spam"; class="Virus"; probability=1.0000; confidence=1.00; signature=4,4c1680df18449748112346
> Return-Path: <lawbreak...@seawolfchile.cl>
> X-Original-To: z...@localhost
> Delivered-To: z...@localhost
> Received: from terra.nblnetworks.fi (localhost [127.0.0.1])
>     by terra.nblnetworks.fi (Postfix) with ESMTP id C42669B243
>     for <z...@localhost>; Mon, 14 Jun 2010 15:52:03 +0300 (EEST)
> Received: from mail.netsonic.fi [194.29.192.90]
>     by terra.nblnetworks.fi with IMAP (fetchmail-6.3.9-rc2)
>     for <z...@localhost> (single-drop); Mon, 14 Jun 2010 15:52:03 +0300 (EEST)
> Received: from netsonic.fi ([unix socket])
>     by mail.netsonic.fi (Cyrus v2.3.7-Invoca-RPM-2.3.7-4mke) with LMTPA;
>     Mon, 14 Jun 2010 16:51:58 +0300
> X-Sieve: CMU Sieve 2.3
> Received: from leimasin.iki.fi (leimasin.iki.fi [212.16.98.49])
>     by netsonic.fi (Postfix) with ESMTP id 07D901F11AA0
>     for <nanos...@netsonic.fi>; Mon, 14 Jun 2010 16:51:57 +0300 (EEST)
> Received: from ikiaikainen.iki.fi (r...@ikiaikainen.iki.fi [212.16.98.54])
>     by leimasin.iki.fi (8.13.8/8.13.4) with ESMTP id o5ECoqxk002492
>     for <jari.jus...@asetus1.silppuri.iki.fi>; Mon, 14 Jun 2010 15:50:52 +0300 (EEST)
> Received: from jrkh.qtrduaf.com ([83.153.36.71])
>     by ikiaikainen.iki.fi (8.14.4/8.14.4) with SMTP id o5ECoogw018334
>     for <jari.jus...@iki.fi>; Mon, 14 Jun 2010 15:50:51 +0300 (EEST)
> Message-ID: <4c1624e1.9060...@horngshiue.com>
> Date: Mon, 14 Jun 2010 14:49:21 +0200
> From: Brindamour Siew <lawbreak...@seawolfchile.cl>
> MIME-Version: 1.0
> To: Baillet Segerson <jari.jus...@iki.fi>
> Subject: [SPAM] "We will keep the sun
> Content-Type: application/octet-stream; name="latterly.rtf"
> Content-Transfer-Encoding: base64
> X-Spam-Status: No, score=2.2 required=5.0 tests=RCVD_IN_BL_SPAMCOP_NET autolearn=disabled version=3.2.5
> X-Spam-Level: **
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on leimasin.iki.fi
> X-DSPAM-Result: Virus
> X-DSPAM-Processed: Mon Jun 14 21:19:59 2010
> X-DSPAM-Confidence: 1.0000
> X-DSPAM-Improbability: 1 in 98689409 chance of being ham
> X-DSPAM-Probability: 1.0000
> X-DSPAM-Signature: 4,4c1680df18449748112346
>
> e1xydGYxXGFuc2lcYW5zaWNwZzEyNTFcZGVmZjBcZGVmbGFuZzEwNDl7XGZvbnR0Ymx7XGYw
> XGZzd2lzc1xmcHJxMlxmY2hhcnNldDIwNHtcKlxmbmFtZSBBcmlhbDt9QXJpYWwgQ1lSO317
> XGYxXGZzd2lzc1xmY2hhcnNldDIwNHtcKlxmbmFtZSBBcmlhbDt9QXJpYWwgQ1lSO319DQp7
> XGNvbG9ydGJsIDtccmVkMFxncmVlbjBcYmx1ZTI1NTtccmVkMFxncmVlbjEyOFxibHVlMDt9
> DQp7XCpcZ2VuZXJhdG9yIE1zZnRlZGl0IDQuNS4zMC4zOTc0O31cdmlld2tpbmQ0XHVjMVxw
> YXJkXHNhMjAwXHNsMjc2XHNsbXVsdDFcbGFuZzlcZjBcZnMzMntcZmllbGR7XCpcZmxkaW5z
> dHtIWVBFUkxJTksgImh7XCpcZGQgNC41LjMwLjM5NzQ7fXR0cDovL2NsdWJraW5nLmluZm8i
> fX17XGZsZHJzbHR7XHVsXGNmMSBodHRwOi8vY2x1YmtpbmcuaW5mb319fVxmMFxjZjFcYlxm
> czMyICAtIE9OTElORSBDQVNJTk8hXHBhcg0KXGxpbmVcY2YyXGJcZjBcZnMyOCBWSVAgQ0xV
> QiBDYXNpbm8gaXMgYSBncmVhdCBvbmxpbmUgY2FzaW5vIHRoYXQgb2ZmZXJzIHRoZSB1bmlx
> dWUgY29tYmluYXRpb24gb2YgdG9wIHF1YWxpdHkgZ2FtZXMsIGhpZ2ggcGF5b3V0cyBhbmQg
> YSAyNC83IHByb2Zlc3Npb25hbCBjdXN0b21lciBzdXBwb3J0LlxwYXINClxwYXIxMDAgcHJv
> Z3Jlc3NpdmUgZ2FtZXMgd2l0aCB0b3dlcmluZyBqYWNrcG90cywgd2hpY2ggYXJlIHJlYWR5
> IHRvIGV4cGxvZGUgYW5kIGNhbiBtYWtlIG11bHRpLW1pbGxpb25haXJlcyBvdXQgb2YgVklQ
> IENMVUIgcGxheWVycyEgRG93bmxvYWQgdGhlIHNvZnR3YXJlIGZvciBmcmVlLCBwaWNrIHVw
> IHRoZSBpbmNyZWRpYmxlICQ3NzcgV2VsY29tZSBCb251cyBvbiB5b3Ugd2F5IGluIGFuZCBz
> dGFydCBwbGF5aW5nICYgd2lubmluZyFccGFyDQp9DQoA
>
> !DSPAM:4,4c1680df18449748112346!
>
> nyx ~ #
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
> See? The message is tagged as Virus infected. I have additional signatures in
> ClamAV. Let's do the scan again, but this time from the command line:
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> nyx ~ # clamscan --verbose --stdout --scan-mail=yes jari.juslin.eml
> Scanning jari.juslin.eml
> jari.juslin.eml: Sanesecurity.Casino.11006.UNOFFICIAL FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 1033621
> Engine version: 0.96.1
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 5.097 sec (0 m 5 s)
> nyx ~ #
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
> It takes a bunch of seconds to load clamscan, but that is because I have over
> 1 million signatures in ClamAV. DSPAM does not use clamscan but uses ClamAV
> in daemon mode, so in a real environment that processing would be faster.
>
> IMHO attachments are better handled in something else than DSPAM. Of course
> I could enable DSPAM to parse a bunch of well-known text formats and allow
> DSPAM to tokenize their content, but I really think that this is not such a
> bright idea.
>
Hi,

we've been hit by this kind of spam pretty hard. My version of ClamAV doesn't
detect them as viruses. The 'solution' I used was to first decode the
attachment to plain text, add it as a header and only then pass it to DSPAM.
It's not universal, but our false negative counts are much, much lower.

Jiri Novosad

_______________________________________________
Dspam-user mailing list
Dspam-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspam-user
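The pre-filter Jiri describes (decode the attachment to text, put the text in a header, then hand the message to DSPAM), written out as an added example. This is not Jiri's script and not DSPAM code. It parses an .eml with the Python standard library, base64-decodes any RTF attachment, strips the RTF down to visible text with a small tokenizer, and adds that text as an `X-Attachment-Text` header (the header name is an assumption for this example). The tokenizer drops `{\*...}` destination groups, which is also what reassembles the URL in the casino spam above: the decoded attachment writes the link as `h{\*\dd 4.5.30.3974;}ttp://clubking.info`, so a byte-level scanner sees neither `http://` nor the plain domain. The sample message is constructed and modelled on that attachment; the addresses are placeholders.

```python
"""Decode RTF attachments to text and expose it in a header so DSPAM can tokenize it.
Usage: python3 rtf_header.py < in.eml | dspam --user ...   (or --demo for the sample)
Added example for this thread, not DSPAM code and not the poster's script."""
import re
import sys
import email
from email import policy
from email.message import EmailMessage

TEXT_HEADER = "X-Attachment-Text"   # header name is an assumption for this example
# RTF destination groups that never carry visible text.
SKIP_DESTS = {"fonttbl", "colortbl", "stylesheet", "info", "pict", "fldinst", "themedata"}
# \word[param][ ]  |  \'hh hex byte  |  \<symbol>
CONTROL = re.compile(r"\\(?:([a-zA-Z]+)(-?\d+)? ?|'([0-9a-fA-F]{2})|(.))", re.S)


def rtf_to_text(rtf: str) -> str:
    """Minimal RTF-to-text: keep document text, drop formatting and ignorable
    {\\* ...} groups. Dropping those groups also joins URLs split by an embedded
    group such as h{\\*\\dd ...}ttp://, as in the spam quoted in the thread."""
    out, stack, skipping = [], [], False
    codec, uc = "cp1252", 1            # updated by \ansicpgN and \ucN
    i = 0
    while i < len(rtf):
        c = rtf[i]
        if c == "{":
            stack.append(skipping)
            skipping = skipping or rtf.startswith("{\\*", i)
            i += 1
        elif c == "}":
            skipping = stack.pop() if stack else False
            i += 1
        elif c == "\\":
            m = CONTROL.match(rtf, i)
            if not m:
                i += 1
                continue
            i = m.end()
            word, param, hexbyte, sym = m.groups()
            if skipping:
                continue
            if word in SKIP_DESTS:
                skipping = True
            elif word == "ansicpg" and param:
                codec = "cp" + param
            elif word == "uc" and param:
                uc = int(param)
            elif word == "u" and param:    # \uN plus uc fallback chars to skip
                out.append(chr(int(param) % 0x10000))
                i += uc
            elif word in ("par", "line", "sect", "page"):
                out.append("\n")
            elif word == "tab":
                out.append("\t")
            elif hexbyte:
                out.append(bytes.fromhex(hexbyte).decode(codec, "replace"))
            elif sym in ("\\", "{", "}", "~"):
                out.append(" " if sym == "~" else sym)
        else:
            if not skipping and (c.isprintable() or c == "\t"):
                out.append(c)           # raw CR/LF/NUL inside RTF are not text
            i += 1
    return re.sub(r"[ \t]+", " ", "".join(out)).strip()


def attachment_texts(raw: bytes) -> list:
    """Plain text of every RTF attachment in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    texts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""   # undoes base64 / QP
        name = (part.get_filename() or "").lower()
        if data.lstrip().startswith(b"{\\rtf") or name.endswith(".rtf"):
            texts.append(rtf_to_text(data.decode("latin-1")))
    return texts


def annotate(raw: bytes, limit: int = 4000) -> bytes:
    """Return the message with one TEXT_HEADER added per RTF attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for text in attachment_texts(raw):
        flat = " ".join(text.split())[:limit]    # a header is one logical line
        if flat:
            msg.add_header(TEXT_HEADER, flat)
    return msg.as_bytes()


def attachment_header(raw: bytes) -> str:
    """TEXT_HEADER value(s) of an annotated message, for checking the result."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return " ".join(msg.get_all(TEXT_HEADER, []))


# Constructed sample modelled on the decoded attachment quoted in the thread.
SAMPLE_RTF = (
    r"{\rtf1\ansi\ansicpg1251\deff0\deflang1049{\fonttbl{\f0\fswiss\fcharset204"
    r"{\*\fname Arial;}Arial CYR;}}" "\r\n"
    r"{\colortbl ;\red0\green0\blue255;\red0\green128\blue0;}" "\r\n"
    r"{\*\generator Msftedit 4.5.30.3974;}\viewkind4\uc1\pard\sa200\sl276\slmult1\lang9\f0\fs32"
    r'{\field{\*\fldinst{HYPERLINK "h{\*\dd 4.5.30.3974;}ttp://clubking.info"}}'
    r"{\fldrslt{\ul\cf1 http://clubking.info}}}\f0\cf1\b\fs32  - ONLINE CASINO!\par" "\r\n"
    r"\line\cf2\b\f0\fs28 VIP CLUB Casino is a great online casino that offers top quality games.\par" "\r\n"
    "}\r\n"
)


def build_sample_eml() -> bytes:
    """Single-part application/octet-stream message carrying the RTF as base64."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"        # constructed addresses
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = '"We will keep the sun'
    msg.set_content(SAMPLE_RTF.encode("cp1251"), maintype="application",
                    subtype="octet-stream", cte="base64", filename="latterly.rtf")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_eml() if "--demo" in sys.argv else sys.stdin.buffer.read()
    sys.stdout.buffer.write(annotate(raw))
```

Run with `--demo` to see the header that would reach DSPAM: the tokenizable text is the reassembled `http://clubking.info` URL and the casino pitch, not the base64 blob, while `fonttbl`, `colortbl`, the `\*\generator` stamp and the `\*\dd` splitter are all gone. Only RTF is handled here; other attachment types need their own decoder, which is the "not universal" caveat in Jiri's post.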