Forwarded mails are not scanned

Benny Pedersen me at junc.eu
Wed Mar 11 21:34:26 CET 2015


Thomas M Steenholdt wrote on 2015-03-11 20:17:

> Having only just heard of foxhole signatures it looks like ClamAV will
> check for various filetypes within certain archives. Is that correct?

yes, it unpacks all possible archives, and then tries to match file types 
after unpack, that's why I think you can use it with amavisd, possibly 
mapping signatures in clamav to spam score in amavisd so it's just detection, 
but imho this part is not needed to mangle since it is fair detection, 
send an exe and it will not be blocked in foxhole, but send an exe packed 
in zip and it will

> Do you have a reference page on the topic you can recommend?

http://sanesecurity.com/foxhole-databases/

> I'm not entirely sold on the idea, that I would need to fire up an AV
> scanner to block attachments in an attached mail. I mean, Amavis has the
> code loaded to handle the "outer" mail already. It should be able to use
> the exact same code to handle the "inner" mail as well?

yes, but it does imho not do it recursively, which is why I say foxhole :=)

> In case I wasn't clear, I want banned files inside the attached
> mail-file to be banned exactly as if they had been attached directly to
> the "outer" mail.

yep this can be done with clamav+foxhole+amavisd where you map clamav 
signatures to spam score, amavisd can't imho unpack and match recursively 
enough to make the same hits possible, but this depends on file(util) 
and how unpack and scanning is configured in amavisd

remember amavisd is not a virus scanner, it's a nice interface for virus / 
spam scanners
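
The check discussed in this thread (a banned file inside an attached mail being treated like one attached directly to the outer mail), as an added Python example that is not part of the original message and is not amavisd or ClamAV code. The ban list, the function names and the sample message are constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed ban list for illustration; not amavisd's own banned-file rules.
BANNED_EXT = {".exe", ".scr", ".com", ".bat", ".pif"}


def find_banned(msg, recurse_into_mail=True, depth=0):
    """Return (depth, filename) for each banned attachment.

    depth counts how many attached mails (message/rfc822 parts) enclose
    the file. With recurse_into_mail=False an attached mail is treated as
    an opaque blob, which is the gap the original question describes.
    """
    hits = []
    name = msg.get_filename()
    if name and os.path.splitext(name)[1].lower() in BANNED_EXT:
        hits.append((depth, name))
    is_mail = msg.get_content_type() == "message/rfc822"
    if msg.is_multipart() and (recurse_into_mail or not is_mail):
        for sub in msg.get_payload():
            hits.extend(find_banned(sub, recurse_into_mail,
                                    depth + (1 if is_mail else 0)))
    return hits


def build_sample():
    """Constructed sample: an .exe inside a mail forwarded as attachment."""
    inner = EmailMessage()
    inner["Subject"] = "invoice"
    inner.set_content("see attachment")
    inner.add_attachment(b"MZ constructed bytes", maintype="application",
                         subtype="octet-stream", filename="Invoice.EXE")
    outer = EmailMessage()
    outer["Subject"] = "Fwd: invoice"
    outer.set_content("forwarded as attachment")
    outer.add_attachment(inner)  # becomes a message/rfc822 part
    # Round-trip through bytes so the scan sees what a filter would parse.
    return message_from_bytes(outer.as_bytes(), policy=policy.default)


if __name__ == "__main__":
    sample = build_sample()
    print("outer parts only:", find_banned(sample, recurse_into_mail=False))
    print("with recursion:  ", find_banned(sample))
```
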


More information about the amavis-users mailing list