[qmailtoaster] clamav rejection, logs show normal delivery

Tue, 05 Sep 2006 12:59:37 -0700

It appears to me that when clamav detects a virus and simscan rejects it, the logs appear to indicate that the message was delivered. At least they appear normal. 

I sent the eicar virus signature to a toaster, and it said the following
smtp log:
2006-09-05 12:08:15.448619500 tcpserver: pid 26519 from 130.13.157.174
2006-09-05 12:08:15.448621500 tcpserver: ok 26519 spin4:10.0.1.70:25 :130.13.157.174::52293 2006-09-05 12:08:18.233107500 CHKUSER accepted sender: from <[EMAIL PROTECTED]::> remote <doris.shubes.net:unknown:130.13.157.174> rcpt <> : sender accepted 2006-09-05 12:08:18.389119500 CHKUSER accepted rcpt: from <[EMAIL PROTECTED]::> remote <doris.shubes.net:unknown:130.13.157.174> rcpt <[EMAIL PROTECTED]> : found existing recipient 2006-09-05 12:08:22.026868500 simscan:[26519]:CLEAN (4.00/12.00):3.5269s:test virus:130.13.157.174:: 
2006-09-05 12:08:22.632250500 tcpserver: end 26519 status 0

clamd log:
2006-09-05 12:08:19.227883500 /home/qmail/simscan/1157483298.501702.26521/msg.1157483298.501702.26521: OK 2006-09-05 12:08:19.229089500 /home/qmail/simscan/1157483298.501702.26521/addr.1157483298.501702.26521: OK 2006-09-05 12:08:19.230662500 /home/qmail/simscan/1157483298.501702.26521/textfile0: OK 2006-09-05 12:08:19.233147500 /home/qmail/simscan/1157483298.501702.26521/textfile1: OK 2006-09-05 12:08:19.234642500 /home/qmail/simscan/1157483298.501702.26521/eicar_com.zip: OK 

Looks like the message was accepted. However, it bounced with this message:
Remote host said: 554 invalid message content  (#5.3.2)
I suppose that this might be considered proper behavior, but it falls short of what I'd expect.
1) simscan gives no indication of a virus rejection. I understand that simscan logging improvements are being considered by inter7
2) clamd's log says that eicar_com.zip is OK??? I'd certainly expect to see something other than OK.
3) According to the simscan README file, it is possible to configure simscan (at compile time) to return the name of the virus in the rejection message. Any idea why the toaster isn't doing this? 

I'm a little surprised (and disappointed) by this behavior.
--
-Eric 'shubes'

---------------------------------------------------------------------
    QmailToaster hosted by: VR Hosted <http://www.vr.org>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to