[clamav-users] clamdscan mail file

Reindl Harald h.reindl at thelounge.net
Wed Feb 15 12:16:23 UTC 2017



On 15.02.2017 at 13:10, TBits.net, Mailinglists wrote:
> On 2017-02-13 15:07, TBits.net, Mailinglists wrote:
>> On 2017-02-13 14:39, Reindl Harald wrote:
>>> On 13.02.2017 at 14:33, TBits.net, Mailinglists wrote:
>>>> On 2017-02-13 13:19, Reindl Harald wrote:
>>>>> On 13.02.2017 at 13:05, TBits.net, Mailinglists wrote:
>>>>>> Hi @all,
>>>>>>
>>>>>> clamav-milter identifies an email as infected by
>>>>>> Heuristics.Phishing.Email.SSL-Spoof.
>>>>>>
>>>>>> This is correct, but when I scan this file in the quarantine with
>>>>>> clamdscan or clamscan the file is clean.
>>>>>> It seems that clamscan or clamdscan do not scan this file for
>>>>>> phishing.
>>>>>> Is it possible to scan a text file as a mail to identify
>>>>>> phishing?
>>>>>
>>>>> clamdscan is using clamd the same way as "clamav-milter" and so if
>>>>> it's the same clamd configuration it behaves identically
>>>>
>>>> clamav-milter identifies it as Heuristics.Phishing.Email.SSL-Spoof but in
>>>> clamdscan it is clean.
>>>> And I think the result should be the same.
>>>
>>> they are - proven by a web interface where I upload eml files and pass
>>> them through spamd and clamdscan using two different clamd instances
>>> which are used by clamav-milter and/or spamassassin
>>>
>>> are you 100% certain that clamdscan is using the identical clamd
>>> instance with identical configuration?
>>
>> Yes only one instance of clamd is running.
>> I scan only the quarantined mail which was held by clamav-milter before.
>>
>> Tested on different servers; on all servers the result is the same.
>>
>
> any idea how I can scan a text file as an email, so that phishing attempts are
> identified?
>
> if you send the code via telnet to the smtp server, clamav-milter
> identifies it as "infected by Heuristics.Phishing.Email.SSL-Spoof".
> If you scan a file with this code, clamdscan identifies it as clean.
>
> --- snip---
> subject: test
> --_000_ed9530a770f34b59940e38cc79be07c0SE011093_
> Content-Type: text/html; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
> <a href="http://www.example.de/">https://www.example.de;
> --_000_ed9530a770f34b59940e38cc79be07c0SE011093_-
> ---snip---

a good start would be to provide an *unchanged* sample .eml file so that 
somebody can reproduce it - at least unmangled eml files saved with 
thunderbird and piped through clamdscan behave 100% identically to milter 
usage because there is technically no difference at all

so most likely your file is just recognized as email
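Added example, not from the thread or from the ClamAV project: the quoted snippet is only a fragment of a message, so one way to test the point made above is to wrap the same SSL-spoof style link (anchor text https, href http) in a complete, unmangled RFC 5322 / MIME message, write it out as an .eml file, and hand that file to clamdscan (or clamscan) the way clamav-milter would see it. The addresses, date and file name are constructed; the scanner is only invoked if it is installed.

```python
"""Build a complete .eml around a link like the one in the thread and scan it."""
import re
import shutil
import subprocess
from email.message import EmailMessage
from pathlib import Path
from typing import Dict, Optional

# Constructed test body: the visible text claims https while the href is
# plain http, the mismatch the Heuristics.Phishing.Email.SSL-Spoof check targets.
HTML_BODY = '<a href="http://www.example.de/">https://www.example.de</a>'


def build_eml(path: Path) -> EmailMessage:
    """Write a well-formed multipart/alternative message (headers, MIME-Version,
    boundary, closing boundary) so clamd recognises the input as mail."""
    msg = EmailMessage()
    msg["From"] = "sender@example.de"          # constructed addresses
    msg["To"] = "recipient@example.de"
    msg["Subject"] = "test"
    msg["Date"] = "Mon, 13 Feb 2017 13:05:00 +0100"
    msg.set_content("https://www.example.de")  # text/plain part
    msg.add_alternative(HTML_BODY, subtype="html")
    path.write_bytes(msg.as_bytes())
    return msg


# clamscan/clamdscan report one line per file: "<path>: <signature> FOUND" or "<path>: OK"
SCAN_LINE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>.+) FOUND|OK)$")


def parse_scan_output(text: str) -> Dict[str, Optional[str]]:
    """Map each scanned path to its signature name, or None when reported clean."""
    verdicts: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = SCAN_LINE.match(line)
        if m:
            verdicts[m["path"]] = m["sig"]
    return verdicts


def scan(path: Path) -> Optional[Dict[str, Optional[str]]]:
    """Run clamdscan (or clamscan) on the file; returns None if neither is installed.
    Exit status 0 is clean, 1 means something was found, 2 is a scanner error."""
    tool = shutil.which("clamdscan") or shutil.which("clamscan")
    if tool is None:
        return None
    proc = subprocess.run([tool, "--no-summary", str(path)], capture_output=True, text=True)
    if proc.returncode == 2:
        raise RuntimeError(proc.stderr.strip() or proc.stdout.strip())
    return parse_scan_output(proc.stdout)


if __name__ == "__main__":
    eml = Path("ssl-spoof-test.eml")  # constructed file name
    build_eml(eml)
    print(scan(eml))
```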
