Inbound doesn't catch SaneSecurity signature, Outbound does

Jim Knuth jk at jkart.de
Sat Nov 3 23:40:15 CET 2012


On 03.11.12 22:53, Noel Jones <njones at megan.vbhcs.org> wrote:

> On 11/3/2012 1:40 PM, Jim Knuth wrote:
>> On 03.11.12 18:03, Noel Jones <njones at megan.vbhcs.org> wrote:
>>
>>> On 11/2/2012 1:12 PM, francis picabia wrote:
>>>>
>>>> Last night one user's account was over quota and the exchange server
>>>> tried to bounce back the phishing through our smtp gateway.  It caught 10
>>>> emails which were not caught on inbound by amavis.  I only see these
>>>> small examples.  I'm afraid our inbound is letting hundreds of phishing in.
>>>> Is the only solution to install Debian and configure with the config files
>>>> from our SMTP gateway which has been good at blocking phishing?
>>>>
>>>
>>>
>>> I can guarantee you that this isn't a Redhat vs. Debian issue.
>>>
>>> This is definitely a config issue.  Debugging this will require
>>> time, patience, and careful attention to detail.  There's just one
>>> little thing wrong, and you've been overlooking it for weeks now.
>>>
>>> Most of the phishing signatures are clamav type 4 signatures. For
>>> those to work, clamav must recognize the text as an email message.
>>> Maybe your mail program is adding some header that clamav doesn't
>>> recognize, preventing clamav type 4 signatures from working properly.
>>>
>>> http://www.freelists.org/post/sanesecurity/Purpose-of-sanesecurityftm-file,1
>>>
>>>
>>> http://www.clamav.net/doc/latest/signatures.pdf
>>>
>>> Maybe your sanesecurity.ftm file is missing, or your MTA is adding
>>> some other header that clamav doesn't recognize.  If you're adding
>>> some local header, you can create your own "local.ftm" file using
>>> the clamav documentation.
>>
>> I have observed the same thing myself for a long time.
>> The sanesecurity.ftm and daily.ftm are fine, with
>> daily updates.
>
> It's worthwhile making sure that this is OK and working as
> expected.  This is a prime suspect.
>
> Examine the files placed on disk by amavisd; make sure clamav can
> scan it as an email file.  Just because the .ftm files are there
> doesn't guarantee that *your* mail files match.
>
>>
>>>
>>> Maybe your amavisd-new is not configured to pass the full email
>>> message to clamav, just passing decoded parts instead -- many of the
>>> signatures only work on the whole email.
>>
>> What do you mean by that?
>
> From the amavisd-new RELEASE-NOTES:
>
>   - uncommented the qr'^MAIL$' in @keep_decoded_original_maps (amavisd.conf
>     and amavisd.conf-sample); seems it is becoming increasingly more
>     important for virus scanners to also see the complete undecoded message;
>     suggested by Michael Scheidell and others;
>
>
> check your @keep_decoded_original_maps entry, and make sure that
> part is working as expected.  This is a prime suspect.

I did not have this "qr'^MAIL$'". I'll try it out now, thank you.

>
>    -- Noel Jones
>


-- 
Mit freundlichen Grüßen,
with kind regards,
Jim Knuth
---------
The mind is like the stomach: you can only expect it to take
what it is able to digest. [Churchill]
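Noel's advice above comes down to two checks: that amavisd hands ClamAV the complete message (the qr'^MAIL$' entry in @keep_decoded_original_maps), and that the leading bytes of that saved message match a file-type rule mapping to CL_TYPE_MAIL, since the type 4 phishing signatures only fire on files ClamAV has typed as mail. The script below is an added example, not code from amavisd-new, ClamAV or SaneSecurity. It parses the magictype-0 form of ClamAV's .ftm format (a hex byte string compared at a fixed offset; magictype 1 and 4 rules are skipped), classifies a saved message against those rules, and shows how a site-local header inserted ahead of the standard ones stops the match and how a local.ftm line restores it. The .ftm rules, the message files and the header name X-Local-Gateway are all constructed for the example, not copies of daily.ftm or sanesecurity.ftm.

```python
"""Does a saved message look like CL_TYPE_MAIL under a set of .ftm rules?

Constructed example; not amavisd-new's or ClamAV's own code. Only the
magictype-0 form (raw bytes compared at a fixed offset) is modelled.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in ClamAV's .ftm line format:
#   magictype:offset:magic(hex):name:rtype:type[:min_flevel[:max_flevel]]
# These lines are NOT copied from daily.ftm or sanesecurity.ftm.
SAMPLE_FTM = """\
# constructed sample rules
0:0:52657475726e2d506174683a:Return-Path:CL_TYPE_ANY:CL_TYPE_MAIL
0:0:52656365697665643a:Received:CL_TYPE_ANY:CL_TYPE_MAIL
0:0:46726f6d3a:From:CL_TYPE_ANY:CL_TYPE_MAIL
0:0:582d5370616d2d5374617475733a:X-Spam-Status:CL_TYPE_ANY:CL_TYPE_MAIL
"""


@dataclass
class FtmRule:
    offset: int
    magic: bytes
    name: str
    rtype: str
    ftype: str


def parse_ftm(text: str) -> List[FtmRule]:
    """Parse magictype-0 rules from .ftm text; comments and blank lines are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            raise ValueError(f"malformed .ftm line: {line!r}")
        magictype, offset, magic, name, rtype, ftype = fields[:6]
        if magictype != "0":
            continue  # only direct byte comparison is modelled here
        rules.append(FtmRule(int(offset), bytes.fromhex(magic), name, rtype, ftype))
    return rules


def detect_type(data: bytes, rules: List[FtmRule]) -> Optional[FtmRule]:
    """Return the first rule whose magic bytes appear at its offset, or None."""
    for rule in rules:
        if data[rule.offset:rule.offset + len(rule.magic)] == rule.magic:
            return rule
    return None


def is_recognised_as_mail(data: bytes, rules: List[FtmRule]) -> bool:
    rule = detect_type(data, rules)
    return rule is not None and rule.ftype == "CL_TYPE_MAIL"


def ftm_rule_for_header(header: str) -> str:
    """Build a local.ftm line tagging files that start with `header:` as mail."""
    magic = (header + ":").encode("ascii").hex()
    return f"0:0:{magic}:{header}:CL_TYPE_ANY:CL_TYPE_MAIL"


# Constructed sample files, modelled on a full message as amavisd saves it.
GOOD_MAIL = (
    b"Return-Path: <sender@example.com>\r\n"
    b"Received: from mail.example.com by gateway.example.net\r\n"
    b"From: sender@example.com\r\n"
    b"Subject: please verify your account\r\n\r\n"
    b"body\r\n"
)
# Same message, but a site-local header (hypothetical name) was put first.
BAD_MAIL = b"X-Local-Gateway: scanned\r\n" + GOOD_MAIL


def check_file(path: str, ftm_paths: List[str]) -> bool:
    """Classify a message file on disk against the given .ftm files."""
    rules: List[FtmRule] = []
    for p in ftm_paths:
        with open(p, encoding="ascii", errors="replace") as fh:
            rules.extend(parse_ftm(fh.read()))
    with open(path, "rb") as fh:
        return is_recognised_as_mail(fh.read(), rules)


if __name__ == "__main__":
    rules = parse_ftm(SAMPLE_FTM)
    print("standard headers first:", is_recognised_as_mail(GOOD_MAIL, rules))
    print("local header first    :", is_recognised_as_mail(BAD_MAIL, rules))
    # Fix: a local.ftm rule for the local header restores recognition.
    rules += parse_ftm(ftm_rule_for_header("X-Local-Gateway"))
    print("with local.ftm rule   :", is_recognised_as_mail(BAD_MAIL, rules))
```

To use it against a real gateway, point check_file() at the full-message file amavisd leaves in its per-message temp directory (which only exists when the MAIL entry is kept) together with the installed daily.ftm and sanesecurity.ftm. The script is a quick first-bytes check, not a replacement for ClamAV's own detection: it ignores ClamAV's built-in type magic and the non-zero magictypes, so treat "not recognised" as a pointer to the offending header, and confirm with clamscan --debug on the same file.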

