[clamav-users] Any way to force scan as mail?
Bowie Bailey
Bowie_Bailey at BUC.com
Wed Mar 1 18:10:38 UTC 2017
On 3/1/2017 1:00 PM, G.W. Haywood wrote:
> Hello again,
>
> On Wed, 1 Mar 2017, Carlos Velasco wrote:
>
>> G.W. Haywood wrote:
>> > Your conjecture is incorrect. Neither of those things is a properly
>> > formed mail message. I'd describe them as jumbled up collections of
>> > bits and pieces of things which might possibly once have been parts of
>> > mail messages.
>>
>> Sorry but you are wrong, they are indeed real mails and properly
>> formatted. Directly received from hotmail. I just have changed
>> (hidden) the domains, addresses and IP addresses at the moment of
>> publishing them.
>>
> >> It is the magic of ClamAV (0.99.2) that does not detect mail for
>> the first case, but it detects mails for the second case (with just
>> 1 long header line deleted). Tested ClamAV devel version makes
>> partial detection of mail (through MHTML).
>
>> Magic of "file" works for both, detecting both as mail text:
>>
>> # file LCipWJaQ.txt
>> LCipWJaQ.txt: ASCII mail text, with very long lines, with CRLF line
>> terminators
>>
>> # file ZvmST7Xh.txt
>> ZvmST7Xh.txt: ASCII mail text, with very long lines, with CRLF line
>> terminators
>
> I've been doing this for a couple of decades, so I do know what a
> properly formed mail message looks like. :)
>
> The text files on which you ran 'file' and the HTML-ified garbage to
> which you linked in your original post are not the same things at all:
>
> laptop3:~$ >>> wget -q http://pastebin.com/ZvmST7Xh
> laptop3:~$ >>> file ZvmST7Xh
> ZvmST7Xh: HTML document, ASCII text, with very long lines, with CRLF,
> LF line terminators
> laptop3:~$ >>> wget -q http://pastebin.com/LCipWJaQ
> laptop3:~$ >>> file LCipWJaQ
> LCipWJaQ: HTML document, ASCII text, with very long lines, with CRLF,
> LF line terminators
>
> You owe it to anyone who might take the trouble to help you at least
> to provide *exactly* the data with which you are having problems - not
> some vague, Webserver-generated representation of it - and perhaps
> also to consider their replies more carefully.

Hate to say it, but you downloaded the wrong files. You need to get the
'raw' version. Otherwise, you just get pastebin's website view.

$ wget http://pastebin.com/raw/ZvmST7Xh
$ file ZvmST7Xh
ZvmST7Xh: ASCII mail text, with very long lines, with CRLF line terminators

$ wget -q http://pastebin.com/raw/LCipWJaQ
$ file LCipWJaQ
LCipWJaQ: ASCII mail text, with very long lines, with CRLF line terminators

--
Bowie
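
Added example, not part of the original message and not ClamAV or file(1) code: a pre-check that tells a raw message apart from a paste site's HTML view before the sample is handed to a scanner. The function name, the header heuristic and both sample byte strings are assumptions constructed for illustration.

```python
import re

# Constructed sample: a minimal raw message with CRLF line endings.
RAW_MAIL = (
    b"Received: from mail.example.net ([192.0.2.10])\r\n"
    b"\tby mx.example.org; Wed, 1 Mar 2017 18:00:00 +0000\r\n"
    b"From: sender@example.net\r\n"
    b"To: rcpt@example.org\r\n"
    b"Date: Wed, 1 Mar 2017 18:00:00 +0000\r\n"
    b"Subject: test\r\n"
    b"\r\n"
    b"body\r\n"
)
# Constructed sample: the same bytes as a paste site's web view would wrap them.
HTML_VIEW = b"<!DOCTYPE html>\n<html><body><pre>" + RAW_MAIL + b"</pre></body></html>\n"

HTML_START = re.compile(rb"\s*(<!doctype\s+html|<html|<\?xml)", re.IGNORECASE)
FIELD_NAME = re.compile(rb"([!-9;-~]+):")   # RFC 5322 field name, then a colon
ORIGIN_FIELDS = {b"received", b"return-path", b"date", b"message-id"}


def classify_sample(data: bytes) -> str:
    """Return 'html', 'mail' or 'unknown' for a downloaded sample."""
    if HTML_START.match(data[:512]):
        return "html"
    lines = data.splitlines()
    if lines and lines[0].startswith(b"From "):   # mbox separator line
        lines = lines[1:]
    names = set()
    for line in lines:
        if not line:                  # blank line ends the header block
            break
        if line[:1] in (b" ", b"\t"):
            if not names:
                return "unknown"      # continuation with nothing to continue
            continue                  # folded header continuation
        m = FIELD_NAME.match(line)
        if m is None:
            return "unknown"
        names.add(m.group(1).lower())
    if b"from" in names and names & ORIGIN_FIELDS:
        return "mail"
    return "unknown"


if __name__ == "__main__":
    for label, sample in (("raw", RAW_MAIL), ("web view", HTML_VIEW)):
        print(label, "->", classify_sample(sample))
```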