Inbound doesn't catch SaneSecurity signature, Outbound does

Jim Knuth jk at
Sat Nov 3 19:40:45 CET 2012

On 03.11.12 18:03, Noel Jones <njones at> wrote:

> On 11/2/2012 1:12 PM, francis picabia wrote:
>> Last night one user's account was over quota and the exchange server
>> tried to bounce back the phishing through our smtp gateway.  It caught 10
>> emails which were not caught on inbound by amavis.  I only see these
>> small examples.  I'm afraid our inbound is letting hundreds of phishing in.
>> Is the only solution to install Debian and configure with the config files
>> from our SMTP gateway which has been good at blocking phishing?
> I can guarantee you that this isn't a Redhat vs. Debian issue.
> This is definitely a config issue.  Debugging this will require
> time, patience, and careful attention to detail.  There's just one
> little thing wrong, and you've been overlooking it for weeks now.
> Most of the phishing signatures are clamav type 4 signatures. For
> those to work, clamav must recognize the text as an email message.
> Maybe your mail program is adding some header that clamav doesn't
> recognize, preventing clamav type 4 signatures from working properly.
> Maybe your sanesecurity.ftm file is missing, or your MTA is adding
> some other header that clamav doesn't recognize.  If you're adding
> some local header, you can create your own "local.ftm" file using
> the clamav documentation.

I have observed the same myself for a long time.
The sanesecurity.ftm and daily.ftm are fine with
daily updates.

> Maybe your amavisd-new is not configured to pass the full email
> message to clamav, just passing decoded parts instead -- many of the
> signatures only work on the whole email.

What do you mean by that?

> Good luck.
>    -- Noel Jones

With kind regards,
Jim Knuth
If you are running in the wrong direction, there is
no point in increasing the speed.
(Birgit Breuel)
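
The point quoted above about ClamAV needing to recognize the data as an email message can be sketched as follows. This is an added example, not part of the original thread and not ClamAV's own code: it models only fixed-offset (magictype 0) file-type-magic entries, the `.ftm` lines and messages are constructed samples, and `X-Local-Gateway` is a hypothetical local header.

```python
# Simplified model: does the start of a message match a .ftm entry that
# classifies it as CL_TYPE_MAIL? Real ClamAV type detection does more than this.

# Constructed entries in the .ftm field layout:
# magictype:offset:magicbytes(hex):name:rtype:type[:min_flevel[:max_flevel]]
SAMPLE_FTM = """\
0:0:52656365697665643a20:Constructed - Received header:CL_TYPE_ANY:CL_TYPE_MAIL
0:0:52657475726e2d506174683a20:Constructed - Return-Path header:CL_TYPE_ANY:CL_TYPE_MAIL
0:0:4d5a:Constructed - DOS executable:CL_TYPE_ANY:CL_TYPE_MSEXE
"""

# Hypothetical local entry of the kind a "local.ftm" would carry.
LOCAL_ENTRY = "0:0:%s:Constructed - local header:CL_TYPE_ANY:CL_TYPE_MAIL\n" % (
    b"X-Local-Gateway: ".hex())

# Constructed messages: one starts with a known header, one with a local header.
GOOD = b"Received: from mx.example.org\r\nSubject: test\r\n\r\nbody\r\n"
LOCAL = b"X-Local-Gateway: relay1\r\n" + GOOD


def parse_ftm(text):
    """Return the magictype-0 entries as dicts; skip anything else."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 6 or fields[0] != "0":
            continue  # malformed line or a magictype this sketch does not model
        try:
            entries.append({"offset": int(fields[1]),
                            "magic": bytes.fromhex(fields[2]),
                            "name": fields[3], "type": fields[5]})
        except ValueError:
            continue  # non-numeric offset or invalid hex
    return entries


def detected_type(data, entries):
    """Type of the first entry whose magic bytes sit at its offset, else None."""
    for e in entries:
        if data[e["offset"]:e["offset"] + len(e["magic"])] == e["magic"]:
            return e["type"]
    return None


def is_mail(data, entries):
    return detected_type(data, entries) == "CL_TYPE_MAIL"


if __name__ == "__main__":
    base = parse_ftm(SAMPLE_FTM)
    print("known header first:", detected_type(GOOD, base))
    print("local header first:", detected_type(LOCAL, base))
    print("with local entry:  ", detected_type(LOCAL, parse_ftm(SAMPLE_FTM + LOCAL_ENTRY)))
```
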
