Inbound doesn't catch SaneSecurity signature, Outbound does
Noel Jones
njones at megan.vbhcs.org
Sat Nov 3 22:53:32 CET 2012
On 11/3/2012 1:40 PM, Jim Knuth wrote:
> On 03.11.12 18:03, Noel Jones <njones at megan.vbhcs.org> wrote:
>
>> On 11/2/2012 1:12 PM, francis picabia wrote:
>>>
>>> Last night one user's account was over quota and the exchange server
>>> tried to bounce back the phishing through our smtp gateway. It caught 10
>>> emails which were not caught on inbound by amavis. I only see these
>>> small examples. I'm afraid our inbound is letting hundreds of
>>> phishing in.
>>> Is the only solution to install Debian and configure with the config files
>>> from our SMTP gateway which has been good at blocking phishing?
>>>
>>
>>
>> I can guarantee you that this isn't a Redhat vs. Debian issue.
>>
>> This is definitely a config issue. Debugging this will require
>> time, patience, and careful attention to detail. There's just one
>> little thing wrong, and you've been overlooking it for weeks now.
>>
>> Most of the phishing signatures are clamav type 4 signatures. For
>> those to work, clamav must recognize the text as an email message.
>> Maybe your mail program is adding some header that clamav doesn't
>> recognize, preventing clamav type 4 signatures from working properly.
>>
>> http://www.freelists.org/post/sanesecurity/Purpose-of-sanesecurityftm-file,1
>>
>>
>> http://www.clamav.net/doc/latest/signatures.pdf
>>
>> Maybe your sanesecurity.ftm file is missing, or your MTA is adding
>> some other header that clamav doesn't recognize. If you're adding
>> some local header, you can create your own "local.ftm" file using
>> the clamav documentation.
>
> I have observed the same for a long time with myself.
> The sanesecurity.ftm and daily.ftm are fine with
> daily updates.

It's worthwhile making sure that this is OK and working as
expected. This is a prime suspect.

Examine the files placed on disk by amavisd; make sure clamav can
scan them as email files. Just because the .ftm files are there
doesn't guarantee that *your* mail files match.

>
>>
>> Maybe your amavisd-new is not configured to pass the full email
>> message to clamav, just passing decoded parts instead -- many of the
>> signatures only work on the whole email.
>
> What do you mean with that?

From the amavisd-new RELEASE-NOTES

- uncommented the qr'^MAIL$' in @keep_decoded_original_maps (amavisd.conf
  and amavisd.conf-sample); seems it is becoming increasingly more important
  for virus scanners to also see the complete undecoded message; suggested
  by Michael Scheidell and others;

Check your @keep_decoded_original_maps entry, and make sure that
part is working as expected. This is a prime suspect.

-- Noel Jones
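
An added example, not part of the original post: a Python check of the point above that having .ftm files present does not guarantee a spooled message matches a mail magic. The .ftm entries and sample messages are constructed, the X-Local-Gateway header is hypothetical, and only magictype 0 (direct comparison) entries are evaluated, so ClamAV's own scan of the file remains the real test.

```python
# File type magic (.ftm) entry layout from the ClamAV signature documentation:
# magictype:offset:magicbytes:name:rtype:type[:min_flevel[:max_flevel]]

def ftm_line(magic, name, ftype):
    """Build a constructed magictype 0 entry anchored at offset 0."""
    return f"0:0:{magic.hex()}:{name}:CL_TYPE_ANY:{ftype}"

# Constructed sample entries (not copied from any real .ftm file).
SAMPLE_FTM = "\n".join([
    ftm_line(b"Received: ", "Raw mail", "CL_TYPE_MAIL"),
    ftm_line(b"Return-Path: ", "Raw mail", "CL_TYPE_MAIL"),
    ftm_line(b"PK\x03\x04", "ZIP", "CL_TYPE_ZIP"),
    "1:*:3c68746d6c:HTML data:CL_TYPE_ANY:CL_TYPE_HTML",  # skipped: not type 0
])

def parse_ftm(text):
    """Return (offset, magic, name, type) for each magictype 0 entry."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 6 or fields[0] != "0":
            continue  # blank or short line, or not a direct-comparison entry
        try:
            entries.append((int(fields[1]), bytes.fromhex(fields[2]),
                            fields[3], fields[5]))
        except ValueError:
            continue  # offset or magic bytes are not plain decimal / hex
    return entries

def classify(data, entries):
    """Type of the first entry whose magic matches, or None if none match."""
    for offset, magic, _name, ftype in entries:
        if data[offset:offset + len(magic)] == magic:
            return ftype
    return None

def mail_check(data, entries):
    """Report whether the leading bytes would be typed as mail."""
    ftype = classify(data, entries)
    if ftype == "CL_TYPE_MAIL":
        return "mail"
    first = data.split(b"\n", 1)[0][:60]
    return f"not mail (type={ftype}); first line: {first!r}"

# Constructed messages: the second has a local header ahead of Received:.
GOOD = b"Received: from mx.example.org\r\nSubject: t\r\n\r\nbody\r\n"
BAD = b"X-Local-Gateway: scanned\r\n" + GOOD
ENTRIES = parse_ftm(SAMPLE_FTM)
```

To use it on a real system, pass the contents of an actual .ftm file to parse_ftm() and the bytes of a file amavisd wrote to disk to mail_check().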