[Clamav-users] Unknown phishing email virus?

2008-08-25 Thread Jonas Jacobsson
Hi,

System: debian, clamav 0.93.3.dfsg-1, amavisd-new 1:2.6.1.dfsg-1.

I got the following in my log running amavis and clamav. The virusdb
was up to date when it happened (by freshclam). The receiver is an
email address at my domain and the mail is directly forwarded to the
hotmail address after the scan. The receiving server that tells me it
contains a virus is my ISP's smarthost, which I must send via. When the
ISP finds this virus mail, they will block my internet connection
until I call their abuse department.

I searched for Phishing.Heuristics.Email.SpoofedDomain in the clamav- 
virusdb archive, and it seems that it does not exist? Unfortunately I  
don't have the infected mail saved...

The same thing happens with Email.Trojan-2 (which does exist in the  
db), they are scanned and reported as CLEAN, but the ISP's smarthost  
blocks it due to the detected virus.

Any ideas?

Aug 24 20:26:08 moria postfix/smtpd[31338]: connect from localhost[127.0.0.1]
Aug 24 20:26:08 moria postfix/smtpd[31338]: E9FA38AC12E: client=localhost[127.0.0.1]
Aug 24 20:26:08 moria postfix/cleanup[31322]: E9FA38AC12E: message-id=[EMAIL PROTECTED]
Aug 24 20:26:08 moria postfix/smtpd[31338]: disconnect from localhost[127.0.0.1]
Aug 24 20:26:08 moria postfix/qmgr[6748]: E9FA38AC12E: from=[EMAIL PROTECTED], size=3331, nrcpt=1 (queue active)
Aug 24 20:26:08 moria postfix/cleanup[31322]: F15EC8AC158: message-id=[EMAIL PROTECTED]
Aug 24 20:26:08 moria postfix/qmgr[6748]: F15EC8AC158: from=[EMAIL PROTECTED], size=3460, nrcpt=1 (queue active)
Aug 24 20:26:08 moria postfix/local[31340]: E9FA38AC12E: to=[EMAIL PROTECTED], relay=local, delay=0.04, delays=0.02/0.01/0/0.01, dsn=2.0.0, status=sent (forwarded as F15EC8AC158)
Aug 24 20:26:08 moria postfix/qmgr[6748]: E9FA38AC12E: removed
Aug 24 20:26:09 moria amavis[30702]: (30702-10) Passed CLEAN, [87.170.100.175] [87.170.100.175] [EMAIL PROTECTED] -> [EMAIL PROTECTED], Message-ID: [EMAIL PROTECTED], mail_id: CwcGFkEZbg5G, Hits: 5.271, size: 2645, queued_as: E9FA38AC12E, 11194 ms
Aug 24 20:26:09 moria postfix/smtp[31323]: A6AD68AC125: to=[EMAIL PROTECTED], relay=127.0.0.1[127.0.0.1]:10024, delay=12, delays=1.1/0.01/0.01/11, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=30702-10, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as E9FA38AC12E)
Aug 24 20:26:09 moria postfix/qmgr[6748]: A6AD68AC125: removed
Aug 24 20:26:10 moria postfix/smtp[31311]: F15EC8AC158: to=[EMAIL PROTECTED], orig_to=[EMAIL PROTECTED], relay=ch-smtp02.sth.basefarm.net[80.76.149.213]:25, delay=1.4, delays=0.01/0/0.17/1.2, dsn=4.0.0, status=SOFTBOUNCE (host ch-smtp02.sth.basefarm.net[80.76.149.213] said: 550 This message contains a virus (Phishing.Heuristics.Email.SpoofedDomain) (in reply to end of DATA command))

/jonas

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
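The log excerpt above shows the pattern the post is asking about: amavisd-new logs "Passed CLEAN" for queue ID E9FA38AC12E, postfix/local forwards it as F15EC8AC158, and the smarthost then answers 550 for F15EC8AC158 naming a detection the local scan never made. The Python script below is an added example, not code from the original post or from the ClamAV or amavisd-new projects. It correlates those three record types (amavis verdict, "forwarded as" hop, remote 550) so such disagreements can be pulled out of mail.log automatically. The embedded log lines are a constructed, shortened version of the excerpt: queue IDs, relay and 550 text are taken from the post, addresses are placeholders, and two extra lines (a normal delivery and a tag-and-pass case) are made up for contrast.

```python
"""Correlate amavisd-new verdicts with downstream "550 ... virus" rejects in a
Postfix mail.log.  Added example, not code from the original thread.  SAMPLE_LOG
is constructed: queue IDs, relay and 550 text come from the post, addresses are
placeholders, the last three lines are invented for contrast."""
import re

SAMPLE_LOG = """\
Aug 24 20:26:08 moria postfix/local[31340]: E9FA38AC12E: to=<user@example.net>, relay=local, delay=0.04, dsn=2.0.0, status=sent (forwarded as F15EC8AC158)
Aug 24 20:26:09 moria amavis[30702]: (30702-10) Passed CLEAN, [87.170.100.175] <sender@example.org> -> <user@example.net>, mail_id: CwcGFkEZbg5G, Hits: 5.271, queued_as: E9FA38AC12E, 11194 ms
Aug 24 20:26:10 moria postfix/smtp[31311]: F15EC8AC158: to=<user@example.com>, orig_to=<user@example.net>, relay=ch-smtp02.sth.basefarm.net[80.76.149.213]:25, dsn=4.0.0, status=SOFTBOUNCE (host ch-smtp02.sth.basefarm.net[80.76.149.213] said: 550 This message contains a virus (Phishing.Heuristics.Email.SpoofedDomain) (in reply to end of DATA command))
Aug 24 20:30:00 moria amavis[30702]: (30702-11) Passed CLEAN, [192.0.2.9] <a@example.org> -> <b@example.net>, mail_id: AbCdEfGhIjKl, Hits: 0.1, queued_as: 0123456789A, 900 ms
Aug 24 20:30:01 moria postfix/smtp[31311]: 0123456789A: to=<b@example.net>, relay=mx.example.net[192.0.2.10]:25, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Aug 24 20:40:00 moria amavis[30702]: (30702-12) Passed INFECTED (Eicar-Test-Signature), [192.0.2.9] <c@example.org> -> <d@example.net>, mail_id: ZyXwVuTsRqPo, Hits: -, queued_as: 1122334455B, 800 ms
Aug 24 20:40:01 moria postfix/smtp[31311]: 1122334455B: to=<d@example.net>, relay=ch-smtp02.sth.basefarm.net[80.76.149.213]:25, dsn=5.7.1, status=bounced (host ch-smtp02.sth.basefarm.net[80.76.149.213] said: 550 This message contains a virus (Eicar-Test-Signature) (in reply to end of DATA command))
"""

# amavis verdict for a message it re-injected into Postfix (only re-injected
# messages carry a queued_as: ID; quarantined ones do not).
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\d-]+)\) (?P<verdict>Passed|Blocked) (?P<status>[A-Z-]+)\b"
    r".*queued_as: (?P<qid>[0-9A-F]+)")
# local(8) delivering a message by forwarding it under a new queue ID.
FORWARD_RE = re.compile(
    r"postfix/local\[\d+\]: (?P<qid>[0-9A-F]+): .*\(forwarded as (?P<new_qid>[0-9A-F]+)\)")
# smtp(8) relaying a message and getting a 550 back from the remote host.
REJECT_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): .*relay=(?P<relay>[^,]+),"
    r".*status=(?P<status>\w+) \(.*said: 550 (?P<text>.*)")
VIRUS_RE = re.compile(r"virus \((?P<name>[^)]+)\)")


def parse_log(text):
    """Split a mail.log into amavis verdicts, forward hops and remote 550s."""
    verdicts, forwards, rejects = {}, {}, []
    for line in text.splitlines():
        if m := AMAVIS_RE.search(line):
            verdicts[m["qid"]] = (m["verdict"], m["status"])
        elif m := FORWARD_RE.search(line):
            forwards[m["new_qid"]] = m["qid"]
        elif m := REJECT_RE.search(line):
            rejects.append((m["qid"], m["relay"], m["status"], m["text"]))
    return verdicts, forwards, rejects


def original_queue_id(qid, forwards):
    """Follow 'forwarded as' hops back to the queue ID amavis re-injected."""
    seen = set()
    while qid in forwards and qid not in seen:
        seen.add(qid)
        qid = forwards[qid]
    return qid


def explain_virus_rejects(text):
    """For every remote 550 naming a virus, say what the local scan thought."""
    verdicts, forwards, rejects = parse_log(text)
    report = []
    for qid, relay, status, remote_text in rejects:
        vm = VIRUS_RE.search(remote_text)
        if not vm:
            continue  # a 550 for some other reason (policy, unknown user, ...)
        origin = original_queue_id(qid, forwards)
        local = verdicts.get(origin)
        if local is None:
            reason = "not scanned locally"            # no amavis verdict for this queue ID
        elif local[1] == "CLEAN":
            reason = "local scan disagrees"           # missing signature or heuristics off
        else:
            reason = "passed despite local detection"  # tag-and-pass policy in amavisd-new
        report.append({"queue_id": qid, "origin": origin, "relay": relay,
                       "postfix_status": status,
                       "local_verdict": " ".join(local) if local else None,
                       "remote_detection": vm["name"], "reason": reason})
    return report


if __name__ == "__main__":
    for row in explain_virus_rejects(SAMPLE_LOG):
        print(row)
```

On the sample, the first row is the thread's case: origin E9FA38AC12E was "Passed CLEAN" locally, the forwarded copy F15EC8AC158 was refused upstream for Phishing.Heuristics.Email.SpoofedDomain, and postfix_status is SOFTBOUNCE, so the message is still in the queue. The second row shows how a tag-and-pass configuration looks in the same log: the local scan did detect the sample, but amavis passed it anyway.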


[Clamav-users] --max-files - Unknown error code

2008-08-25 Thread Aiko Barz
Hi,

Is this a bug?

$ wget 
http://www.cs.cmu.edu/~johnny/projects/wii/WiiMultipointGrid_calibration.zip
$ clamscan --max-files=43 WiiMultipointGrid_calibration.zip | head -n2
WiiMultipointGrid_calibration.zip: OK

$ clamscan --max-files=44 WiiMultipointGrid_calibration.zip | head -n2
WiiMultipointGrid_calibration.zip: Unknown error code
WiiMultipointGrid_calibration.zip: OK
$ clamscan --max-files=161 WiiMultipointGrid_calibration.zip | head -n2
WiiMultipointGrid_calibration.zip: Unknown error code
WiiMultipointGrid_calibration.zip: OK
$ clamscan --max-files=162 WiiMultipointGrid_calibration.zip | head -n 2
WiiMultipointGrid_calibration.zip: OK

So, clamscan throws an error between --max-files=44 and --max-files=161.
This is a strange behaviour.

$ clamscan -V
ClamAV 0.93.3/8085/Mon Aug 25 12:08:16 2008

So long,
Aiko
-- 
:wq



Re: [Clamav-users] --max-files - Unknown error code

2008-08-25 Thread Tomasz Kojm
On Mon, 25 Aug 2008 13:36:56 +0200
Aiko Barz [EMAIL PROTECTED] wrote:

> So, clamscan throws an error between --max-files=44 and --max-files=161.
> This is a strange behaviour.
>
> $ clamscan -V
> ClamAV 0.93.3/8085/Mon Aug 25 12:08:16 2008

That should be already solved in SVN/0.94rc1 IIRC.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Mon Aug 25 14:55:07 CEST 2008


Re: [Clamav-users] Unknown phishing email virus?

2008-08-25 Thread Noel Jones
Jonas Jacobsson wrote:
> Hi,
>
> System: debian, clamav 0.93.3.dfsg-1, amavisd-new 1:2.6.1.dfsg-1.
>
> I got the following in my log running amavis and clamav. The virusdb
> was up to date when it happened (by freshclam). The receiver is an
> email address at my domain and the mail is directly forwarded to the
> hotmail address after the scan. The receiving server telling me it
> contains a virus is my ISP's smarthost which I must send via. When the
> ISP finds this virus mail, they will block my internet connection
> until I call their abuse department.
>
> I searched for Phishing.Heuristics.Email.SpoofedDomain in the clamav-
> virusdb archive, and it seems that it does not exist? Unfortunately I
> don't have the infected mail saved...

This is a heuristics based signature.  It attempts to detect 
malicious links to financial sites.

Phishing is controlled in clamd.conf with:

# With this option enabled ClamAV will try to detect phishing attempts by using
# signatures.
# Default: yes
#PhishingSignatures yes

# Scan URLs found in mails for phishing attempts using heuristics.
# Default: yes
#PhishingScanURLs yes

As you can see, both options are enabled by default.  Some 
people (and possibly some package maintainers) think phish 
detection should not be part of an antivirus package, so they 
set PhishingSignatures no

In the past, the heuristics-based scanning was a major source 
of false positives, but that's much improved now (although 
this still accounts for the majority of FPs here, the number 
of FPs has reduced significantly).  Some people or package 
maintainers may disable heuristic scanning with 
PhishingScanURLs no

Maybe you're not scanning for phish.

 
> The same thing happens with Email.Trojan-2 (which does exist in the
> db), they are scanned and reported as CLEAN, but the ISP's smarthost
> blocks it due to the detected virus.

No insight on this one.  Maybe the ISP received an update 
faster than you did.  Maybe the mail didn't pass through your 
clam for some reason.  Maybe you've set your amavisd-new to 
tag & pass viruses rather than discard them.

> Aug 24 20:26:10 moria postfix/smtp[31311]: F15EC8AC158: to=[EMAIL PROTECTED], orig_to=[EMAIL PROTECTED], relay=ch-smtp02.sth.basefarm.net[80.76.149.213]:25, delay=1.4, delays=0.01/0/0.17/1.2, dsn=4.0.0, status=SOFTBOUNCE (host ch-smtp02.sth.basefarm.net[80.76.149.213] said: 550 This message contains a virus (Phishing.Heuristics.Email.SpoofedDomain) (in reply to end of DATA command))

It appears the mail stayed in your queue, note 
status=SOFTBOUNCE.  If your postfix maximal_queue_lifetime 
hasn't been reached yet, you can view the message with
# postcat -q F15EC8AC158

-- 
Noel Jones


[Clamav-users] qmail + simscan + clamd in a separate server

2008-08-25 Thread Vicente Hernández
Hello,

Does anyone have clamav running on an external server? I have 3 mail servers
and I want to externalize clamav to 2 external servers. Is this possible?

Thank you very much!