[clamav-users] Curious clamd behavior
Dennis Peterson
dennispe at inetnw.com
Thu Mar 24 17:24:59 UTC 2016
The blank line ends the header section. In a simple message it would typically
follow the Subject: line.
dp
On 3/24/16 6:44 AM, Dave McMurtrie wrote:
> On Thu, 2016-03-24 at 11:05 +0000, Dave McMurtrie wrote:
>> Hi,
>>
>> I created a local pdb database so I can catch phishing attempts when
>> URLs in an email display our domain name but actually link to a
>> malicious URL. In testing, I found something that I don't understand.
>>
>> When I run clamdscan on a test message it correctly detects a spoofed
>> domain in the message. When my MTA connects to the clamd socket and
>> asks it to scan the same exact message, it does not detect it.
> Replying to myself here and hoping one of the Clam developers can clue
> me in.
>
> I started to look at the code to figure out why it's not identifying
> this as type Mail when my MTA asks clamd to scan it, but it does when I
> manually run clamdscan. After decoding all the "Mail" types from
> filetypes_int.h, it appears as though the following matches should
> identify something as "Mail":
>
> >From
> Date:
> Delivered-To:
> Delivery-date:
> Envelope-to:
> Message-ID:
> Message-Id:
> Subject:
> To:
> X-Apparently-To:
> X-Envelope-From:
> X-Original-To:
> X-Real-To:
> X-Sieve:
> X-UIDL:
>
> My sample message has several of those headers, but none match when my
> MTA invokes clamd. Oddly, through dumb luck testing with telnet
> connecting to my MTA I seem to have figured out what's going on.
>
> clamd appears to only match any of these if there's a blank line as the
> first line of data I send.
>
> Meaning, if I do this it won't be identified as Mail:
>
> mail from:dave64 at andrew.cmu.edu
> 250 2.1.0 dave64 at andrew.cmu.edu... Sender ok
> rcpt to:dave64 at andrew.cmu.edu
> 250 2.1.5 dave64 at andrew.cmu.edu... Recipient ok
> data
> 354 Enter mail, end with "." on a line by itself
> Date: Thu, 24 Mar 2016 06:41:42 -0400
> ...snipped for brevity...
>
> However, if I do this it will be identified as Mail and my pdb signature
> works correctly:
>
> mail from:dave64 at andrew.cmu.edu
> 250 2.1.0 dave64 at andrew.cmu.edu... Sender ok
> rcpt to:dave64 at andrew.cmu.edu
> 250 2.1.5 dave64 at andrew.cmu.edu... Recipient ok
> data
> 354 Enter mail, end with "." on a line by itself
>
> Date: Thu, 24 Mar 2016 06:41:42 -0400
> ...snipped for brevity...
>
> Given that the SMTP protocol does not require (or even mention) that the
> first line of the DATA phase will be a CRLF, I'm not sure how ClamAV
> would ever identify anything as type Mail.
>
> Am I doing something wrong here? I assume I must be, because I can't be
> the only person attempting to use a pdb database to do this.
>
> Thanks!
>
> Dave
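As an added example (not code from this thread or from ClamAV), the Python helpers below show exactly what clamd receives when an MTA hands it a message over the socket: the INSTREAM framing is clamd's documented stream protocol, and the two sample payloads in the test mirror Dave's with/without leading blank line experiment. The header list is the one Dave decoded from filetypes_int.h; `starts_with_mail_header` is only a sanity check on the first bytes, not a reimplementation of clamd's type detection, and `scan_with_clamd` assumes an already-connected socket.

```python
import struct

# Header names Dave decoded from filetypes_int.h. The ">From" entry is left
# out: its exact form in the thread is obscured by mbox quoting.
MAIL_HEADER_PREFIXES = (
    b"Date:", b"Delivered-To:", b"Delivery-date:", b"Envelope-to:",
    b"Message-ID:", b"Message-Id:", b"Subject:", b"To:", b"X-Apparently-To:",
    b"X-Envelope-From:", b"X-Original-To:", b"X-Real-To:", b"X-Sieve:", b"X-UIDL:",
)

def first_line(payload: bytes) -> bytes:
    """The first line exactly as clamd sees it (line terminator stripped)."""
    return payload.split(b"\n", 1)[0].rstrip(b"\r")

def starts_with_mail_header(payload: bytes) -> bool:
    """Sanity check: does the data begin with one of the listed headers?
    A payload whose first line is blank fails this by construction."""
    return first_line(payload).startswith(MAIL_HEADER_PREFIXES)

def header_end(payload: bytes) -> int:
    """Offset of the blank line that ends the RFC 5322 header section, or -1.
    A payload that starts with a blank line has an empty header section (0)."""
    if payload.startswith((b"\r\n", b"\n")):
        return 0
    candidates = []
    i = payload.find(b"\r\n\r\n")
    if i != -1:
        candidates.append(i + 2)   # blank line is the second CRLF
    i = payload.find(b"\n\n")
    if i != -1:
        candidates.append(i + 1)   # blank line is the second LF
    return min(candidates) if candidates else -1

def instream_frames(payload: bytes, chunk_size: int = 2048) -> bytes:
    """Wrap payload in clamd's INSTREAM framing: the zINSTREAM command, then
    4-byte big-endian length-prefixed chunks, then a zero-length chunk."""
    out = [b"zINSTREAM\0"]
    for off in range(0, len(payload), chunk_size):
        chunk = payload[off:off + chunk_size]
        out.append(struct.pack(">I", len(chunk)) + chunk)
    out.append(struct.pack(">I", 0))
    return b"".join(out)

def scan_with_clamd(sock, payload: bytes) -> str:
    """Send payload over a connected socket (e.g. clamd's LocalSocket) and
    return clamd's NUL-terminated reply, e.g. 'stream: OK'."""
    sock.sendall(instream_frames(payload))
    reply = b""
    while not reply.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            break
        reply += part
    return reply.rstrip(b"\0").decode(errors="replace")
```

Logging `first_line()` of the payload at the point where the MTA's content filter calls clamd is the quickest way to see whether the bytes on the socket start with a header or with something else.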