Forwarded mails are not scanned

Thomas M Steenholdt tmus at tmus.dk
Wed Mar 11 20:17:08 CET 2015


On 2015-03-11 14:54, Benny Pedersen wrote:
> Thomas M Steenholdt wrote on 2015-03-11 18:38:
>
>>> if it's blocked where is the problem then ?
>> What I meant was; Files that should otherwise have been blocked, are let
>> through.
>
> so far so good
>
>> Let me try to get a log snippet...
>
> +1
>
>>> first step if possible try foxhole signatures in clamav, did that
>>> solve it ?
>> ClamAV should not be involved in blocking filetypes, right?
>
> i did not say block, but only detect, then amavisd-new can make better
> decision later
>
>>> you say forwarded, is it forwarded locally or remote forwarded ?
>> Forwarded in the MUA. E.g. thunderbird, right click e-mail and forward
>> as attachment. Results in a new e-mail, with an .eml file attached. This
>> .eml file is a complete mail including .zip, .exe, .scr, .whatnot.
>>
>> ClamAV actually scans the .eml file and finds infected files. Problem is
>> when a new outbreak occurs, stuff like .scr and .exe files are let
>> through this way (before ClamAV's signature detects it's infected).
>
> that's why i say foxhole signature
>
>>> is the malware detected if you ripmime emails that contains it ?
>
>> In that case, the individual attachments (inside the .eml attachment) are
>> found just fine. The problem is with the .eml file not being processed
>> properly.
>
> yes this is a feature of amavisd-new not a problem in clamav with
> foxhole sigs

Having only just heard of foxhole signatures, it looks like ClamAV will
check for various filetypes within certain archives. Is that correct?

Do you have a reference page on the topic you can recommend?

I'm not entirely sold on the idea, that I would need to fire up an AV
scanner to block attachments in an attached mail. I mean, Amavis has the
code loaded to handle the "outer" mail already. It should be able to use
the exact same code to handle the "inner" mail as well?

In case I wasn't clear, I want banned files inside the attached
mail-file to be banned exactly as if they had been attached directly to
the "outer" mail.

>
>>> i have more silly questions if it helps :=)
>> Bring 'em on :-)
>
> how old are you ?
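
Added example, not part of the original post and not amavisd-new code: a recursive filename check that treats a mail forwarded as an attachment (message/rfc822, or an .eml attached as an opaque file) the same way as the outer mail. The names find_banned, build_sample and BANNED_EXT, the extension list and the sample mail are assumptions constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

BANNED_EXT = (".exe", ".scr", ".com", ".pif")  # assumed ban list, not amavisd's

def find_banned(msg, depth=0):
    """Return (nesting depth, filename) for each banned attachment, applying
    the same name check to attached mails as to the outer mail."""
    hits = []
    name = (msg.get_filename() or "").lower()
    if name.endswith(BANNED_EXT):
        hits.append((depth, name))
    if msg.get_content_type() == "message/rfc822" and msg.is_multipart():
        # MUA "forward as attachment": payload is a list holding the inner mail
        for inner in msg.get_payload():
            hits += find_banned(inner, depth + 1)
    elif msg.is_multipart():
        for part in msg.get_payload():
            hits += find_banned(part, depth)
    elif name.endswith(".eml"):
        # .eml attached as an opaque file: decode the bytes and parse them again
        raw = msg.get_payload(decode=True) or b""
        inner = email.message_from_bytes(raw, policy=policy.default)
        hits += find_banned(inner, depth + 1)
    return hits

def build_sample(as_rfc822=True, inner_name="invoice.scr"):
    """Constructed test mail: an outer mail carrying an inner mail with one file."""
    inner = EmailMessage()
    inner["Subject"] = "invoice"
    inner.set_content("see attachment")
    inner.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename=inner_name)
    outer = EmailMessage()
    outer["Subject"] = "Fwd: invoice"
    outer.set_content("forwarded as attachment")
    if as_rfc822:
        outer.add_attachment(inner, filename="invoice.eml")
    else:
        outer.add_attachment(inner.as_bytes(), maintype="application",
                             subtype="octet-stream", filename="invoice.eml")
    # Round-trip through bytes so the check runs on a parsed mail, as a filter would
    return email.message_from_bytes(outer.as_bytes(), policy=policy.default)

if __name__ == "__main__":
    for as_rfc822 in (True, False):
        print(find_banned(build_sample(as_rfc822)))
```
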


