[clamav-users] Any way to force scan as mail?

G.W. Haywood clamav at jubileegroup.co.uk
Wed Mar 1 18:00:00 UTC 2017 

Hello again,

On Wed, 1 Mar 2017, Carlos Velasco wrote:

> G.W. Haywood wrote:
> > Your conjecture is incorrect.  Neither of those things is a properly
> > formed mail message.  I'd describe them as jumbled up collections of
> > bits and pieces of things which might possibly once have been parts of
> > mail messages.
>
> Sorry but you are wrong, they are indeed real mails and properly
> formatted. Directly received from hotmail.  I just have changed
> (hidden) the domains, addresses and IP addresses at the moment of
> publishing them.
> 
> It is the magic of ClamAV (0.99.2) that does not detects mail for
> the first case, but it detects mails for the second case (with just
> 1 long header line deleted).  Tested ClamAV devel version makes
> partial detection of mail (through MHTML).

> Magic of "file" works for both, detecting both as mail text:
> 
> # file LCipWJaQ.txt
> LCipWJaQ.txt: ASCII mail text, with very long lines, with CRLF line terminators
> 
> # file ZvmST7Xh.txt
> ZvmST7Xh.txt: ASCII mail text, with very long lines, with CRLF line terminators

I've been doing this for a couple of decades, so do I know what a
properly formed mail message looks like. :)

The text files on which you ran 'file' and the HTML-ified garbage to
which you linked in your original post are not the same things at all:

laptop3:~$ >>> wget -q http://pastebin.com/ZvmST7Xh
laptop3:~$ >>> file ZvmST7Xh
ZvmST7Xh: HTML document, ASCII text, with very long lines, with CRLF, LF line terminators
laptop3:~$ >>> wget -q http://pastebin.com/LCipWJaQ
laptop3:~$ >>> file LCipWJaQ
LCipWJaQ: HTML document, ASCII text, with very long lines, with CRLF, LF line terminators

You owe it to anyone who might take the trouble to help you at least
to provide *exactly* the data with which you are having problems - not
some vague, Webserver-generated representation of it - and perhaps
also to consider their replies more carefully.

> Anyway, the main question remains unanswered... is there any way to
> force the scan as mail (overriding the magic for the first recursion)?

My original reply stands.

-- 

73,
Ged.

More information about the clamav-users mailing list