[sanesecurity] Re: Blocking the "here you have" malware payload

GrayHat wrote:

> Uh... "errorWHAT" ? See, if we talk about mailservers or in any
> case mailfilters, those use the socket interface and I can't see

There is a plethora of mailservers that use ClamDScan and there is
actually no reason why they shouldn't. Using the socket interface is
surely more efficient, but it's not as if calling ClamDScan for each mail
causes that much overhead.

> how they may return such an error; it's up to the "client" (in our

Simple: ClamD returns 'FOUND' in the stream and it could as well return
'SUSPECT' or something similar. BTW: That's why I had put the
'errorlevel' in brackets.

Best regards,

Nico

-- 

 Q: Because it reverses the logical flow of conversation.
 A: Why is putting a reply at the top of the message frowned upon?
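
The point made in the message above, that the verdict is only a keyword at the end of clamd's reply line and the client decides what to do with it, sketched as an added example (not part of the original post and not ClamAV code). The `SUSPECT` keyword and its exit code are hypothetical, taken from the suggestion in the message; the sample reply lines are constructed.

```python
# Client-side handling of a clamd scan reply line (e.g. the answer to INSTREAM).
# Known trailing keywords are OK, FOUND and ERROR. "SUSPECT" is NOT a real
# clamd keyword: it is the hypothetical extra verdict floated in the message.
VERDICTS = {
    "OK": "clean",
    "FOUND": "infected",
    "ERROR": "error",
    "SUSPECT": "suspect",  # hypothetical
}

# Exit codes in the style of clamdscan (0 = clean, 1 = virus found, 2 = error).
# The value chosen for "suspect" is an assumption made for this example.
EXIT_CODES = {"clean": 0, "infected": 1, "error": 2, "suspect": 1}


def parse_reply(raw: bytes) -> dict:
    """Split one reply line into target, detail and verdict.

    Anything that does not end in a known keyword is reported as an error,
    so an unexpected reply never passes as a clean scan.
    """
    line = raw.decode("utf-8", "replace").rstrip("\x00\r\n ")
    head, _, keyword = line.rpartition(" ")
    verdict = VERDICTS.get(keyword)
    if verdict is None or not head:
        return {"verdict": "error", "target": None,
                "detail": "unparsed reply: " + line}
    target, sep, detail = head.partition(": ")
    if not sep:
        if head.endswith(":"):      # "stream: OK" -> head is "stream:"
            target, detail = head[:-1], ""
        else:                       # message without a "target: " prefix
            target, detail = None, head
    return {"verdict": verdict, "target": target, "detail": detail}


def exit_code(raw: bytes) -> int:
    """Map a reply line to the exit code a wrapper would hand to the MTA."""
    return EXIT_CODES[parse_reply(raw)["verdict"]]


if __name__ == "__main__":
    samples = [  # constructed sample replies
        b"stream: OK\0",
        b"stream: Eicar-Test-Signature FOUND\0",
        b"stream: Heuristic.Example SUSPECT\0",
        b"INSTREAM size limit exceeded. ERROR\0",
        b"unexpected text\0",
    ]
    for s in samples:
        print(exit_code(s), parse_reply(s))
```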
