Inbound doesn't catch SaneSecurity signature, Outbound does

Noel Jones njones at megan.vbhcs.org
Sat Nov 3 18:03:23 CET 2012


On 11/2/2012 1:12 PM, francis picabia wrote:
> 
> Last night one user's account was over quota and the exchange server
> tried to bounce back the phishing through our smtp gateway.  It caught 10
> emails which were not caught on inbound by amavis.  I only see these
> small examples.  I'm afraid our inbound is letting hundreds of phishing in.
> Is the only solution to install Debian and configure with the config files
> from our SMTP gateway which has been good at blocking phishing?
> 


I can guarantee you that this isn't a Redhat vs. Debian issue.

This is definitely a config issue.  Debugging this will require
time, patience, and careful attention to detail.  There's just one
little thing wrong, and you've been overlooking it for weeks now.

Most of the phishing signatures are clamav type 4 signatures. For
those to work, clamav must recognize the text as an email message.
Maybe your mail program is adding some header that clamav doesn't
recognize, preventing clamav type 4 signatures from working properly.

http://www.freelists.org/post/sanesecurity/Purpose-of-sanesecurityftm-file,1

http://www.clamav.net/doc/latest/signatures.pdf

Maybe your sanesecurity.ftm file is missing, or your MTA is adding
some other header that clamav doesn't recognize.  If you're adding
some local header, you can create your own "local.ftm" file using
the clamav documentation.

Maybe your amavisd-new is not configured to pass the full email
message to clamav, just passing decoded parts instead -- many of the
signatures only work on the whole email.

Good luck.



  -- Noel Jones
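As an added illustration of the file-type point made above (not code from the thread, from ClamAV or from SaneSecurity): a small Python model of how a `.ftm` entry decides whether a scanned blob is recognized as mail, and how a `local.ftm` line for a site-specific header restores that recognition. The sample entries, the `X-Site-Scan` header and the message are constructed assumptions, and only direct byte comparison at offset 0 is modeled.

```python
from dataclasses import dataclass

# Constructed sample entries in ClamAV's documented file-type signature
# layout magictype:offset:magic:name:rtype:type (magic is hex). They are an
# assumption for this example, not the real daily.ftm or sanesecurity.ftm.
SAMPLE_FTM = """\
0:0:46726f6d20:Mbox-From:CL_TYPE_ANY:CL_TYPE_MAIL
0:0:52657475726e2d506174683a20:Return-Path:CL_TYPE_ANY:CL_TYPE_MAIL
0:0:52656365697665643a20:Received:CL_TYPE_ANY:CL_TYPE_MAIL
"""

@dataclass
class FtmEntry:
    magictype: int
    offset: int
    magic: bytes
    name: str
    rtype: str
    ftype: str

def parse_ftm(text):
    """Parse .ftm lines; blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 6:
            raise ValueError(f"malformed .ftm line: {line!r}")
        entries.append(FtmEntry(int(f[0]), int(f[1]), bytes.fromhex(f[2]),
                                f[3], f[4], f[5]))
    return entries

def detect_type(raw, entries):
    """Type from the first entry whose magic matches at its offset (models magictype 0 only)."""
    for e in entries:
        if raw[e.offset:e.offset + len(e.magic)] == e.magic:
            return e.ftype
    return None

def make_local_ftm(header_name):
    """Build a local.ftm line so a message that starts with this header is mail."""
    magic = (header_name + ": ").encode("ascii").hex()
    return f"0:0:{magic}:{header_name}:CL_TYPE_ANY:CL_TYPE_MAIL"

# Constructed message as the MTA might hand it to clamd, with an assumed
# site-specific header prepended before the first Received: line.
RAW_MSG = (b"X-Site-Scan: yes\r\nReceived: from mx.example (192.0.2.10)\r\n"
           b"From: a@example\r\nSubject: verify your account\r\n\r\nbody\r\n")
```

With the stock entries the message is not typed as mail, so type-4 signatures would never be consulted; appending the generated `local.ftm` line makes the same bytes detect as `CL_TYPE_MAIL`.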

