[clamav-users] clamdscan mail file

TBits.net, Mailinglists mailinglists at tbits.net
Wed Feb 15 12:10:09 UTC 2017


On 2017-02-13 15:07, TBits.net, Mailinglists wrote:
> On 2017-02-13 14:39, Reindl Harald wrote:
>> On 13.02.2017 at 14:33, TBits.net, Mailinglists wrote:
>>> On 2017-02-13 13:19, Reindl Harald wrote:
>>>> On 13.02.2017 at 13:05, TBits.net, Mailinglists wrote:
>>>>> Hi @all,
>>>>> 
>>>>> clamav-milter identifies an email as infected by
>>>>> Heuristics.Phishing.Email.SSL-Spoof.
>>>>> 
>>>>> This is correct, but when I scan this file in the quarantine with
>>>>> clamdscan or clamscan the file is clean.
>>>>> It seems that clamscan or clamdscan does not scan this file for
>>>>> phishing.
>>>>> Is it possible to scan a text file as a mail to identify
>>>>> phishing?
>>>> 
>>>> clamdscan is using clamd the same way as "clamav-milter" and so if
>>>> it's the same clamd configuration it behaves identically
>>> 
>>> clamav-milter identifies it as Heuristics.Phishing.Email.SSL-Spoof but in
>>> clamdscan it is clean.
>>> And I think the result should be the same
>> 
>> they are - proven by a webinterface where i upload eml files and pass
>> them through spamd and clamdscan using two different clamd-instances
>> which are used by clamav-milter and/or spamassassin
>> 
>> are you 100% certain that clamdscan is using the identical clamd
>> instance with identical configuration?
> 
> Yes, only one instance of clamd is running.
> I scan only the quarantined mail which was held by clamav-milter
> before.
> 
> Tested on different servers; the result is the same on all servers.
> 

Any idea how I can scan a text file as email, so that phishing attempts are
identified?


If you send the code via telnet to the SMTP server, clamav-milter
identifies it as "infected by Heuristics.Phishing.Email.SSL-Spoof".
If you scan a file with this code, clamdscan identifies it as clean.

--- snip---
subject: test
--_000_ed9530a770f34b59940e38cc79be07c0SE011093_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<a href="http://www.example.de/">https://www.example.de;
--_000_ed9530a770f34b59940e38cc79be07c0SE011093_-
---snip---


----------------------------------------------------------------
This message was sent using webmail of www.tbits.net.
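
The pattern the test message above exercises, as an added example (not part of the original post and not ClamAV's implementation): it flags anchors whose visible text is an https URL while the href is plain http. `AnchorCollector`, `_scheme` and `ssl_spoof_links` are hypothetical names, and reading the SSL-Spoof heuristic as this display/href mismatch is the assumption the code is built on.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# HTML body of the test message above, after MIME decoding (copied from the post).
SAMPLE_HTML = '<a href="http://www.example.de/">https://www.example.de;'


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a>, closed or not."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._flush()  # a new anchor ends an unclosed previous one
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a":
            self._flush()

    def _flush(self):
        if self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

    def close(self):
        super().close()  # delivers any buffered trailing text first
        self._flush()


def _scheme(url):
    try:
        return urlsplit(url.strip()).scheme.lower()
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return ""


def ssl_spoof_links(html):
    """Anchors whose visible text starts with an https URL but whose href is http."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    return [(href, text) for href, text in parser.links
            if text and _scheme(text.split()[0]) == "https" and _scheme(href) == "http"]
```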


