[clamav-users] Curious clamd behavior

Dave McMurtrie dave64 at andrew.cmu.edu
Thu Mar 24 13:44:50 UTC 2016 

On Thu, 2016-03-24 at 11:05 +0000, Dave McMurtrie wrote:
> Hi,
> 
> I created a local pdb database so I can catch phishing attempts when
> URLs in an email display our domain name but actually link to a
> malicious URL.  In testing, I found something that I don't understand.
> 
> When I run clamdscan on a test message it correctly detects a spoofed
> domain in the message.  When my MTA connects to the clamd socket and
> asks it to scan the same exact message, it does not detect it.

Replying to myself here and hoping one of the Clam developers can clue
me in.

I started to look at the code to figure out why it's not identifying
this as type Mail when my MTA asks clamd to scan it, but it does when I
manually run clamdscan.  After decoding all the "Mail" types from
filetypes_int.h, it appears as though the following matches should
identify something as "Mail":

>From 
Date: 
Delivered-To: 
Delivery-date: 
Envelope-to: 
Message-ID: 
Message-Id: 
Subject: 
To: 
X-Apparently-To: 
X-Envelope-From: 
X-Original-To: 
X-Real-To: 
X-Sieve: 
X-UIDL: 

My sample message has several of those headers, but none match when my
MTA invokes clamd.  Oddly, through dumb luck testing with telnet
connecting to my MTA I seem to have figured out what's going on.

clamd appears to only match any of these if there's a blank line as the
first line of data I send.

Meaning, if I do this it won't be identified as Mail:

mail from:dave64 at andrew.cmu.edu
250 2.1.0 dave64 at andrew.cmu.edu... Sender ok
rcpt to:dave64 at andrew.cmu.edu
250 2.1.5 dave64 at andrew.cmu.edu... Recipient ok
data
354 Enter mail, end with "." on a line by itself
Date: Thu, 24 Mar 2016 06:41:42 -0400
...snipped for brevity...

However, if I do this it will be identified as Mail and my pdb signature
works correctly:

mail from:dave64 at andrew.cmu.edu
250 2.1.0 dave64 at andrew.cmu.edu... Sender ok
rcpt to:dave64 at andrew.cmu.edu
250 2.1.5 dave64 at andrew.cmu.edu... Recipient ok
data
354 Enter mail, end with "." on a line by itself

Date: Thu, 24 Mar 2016 06:41:42 -0400
...snipped for brevity...

Given that smtp protocol does not require (or even mention) that the
first line of the DATA phase will be a crlf, I'm not sure how ClamAV
would ever identify anything as type Mail.

Am I doing something wrong here?  I assume I must be, because I can't be
the only person attempting to use a pdb database to do this.

Thanks!

Dave

More information about the clamav-users mailing list