[sanesecurity] Re: (Subject Line Test #2)

  • From: "Steve Basford" <steveb_clamav@xxxxxxxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Fri, 23 Jan 2009 08:13:32 -0000 (GMT)

> Undetected:
> http://jqd.org/pastebin?id=69 (Fastmail.FM)
> http://jqd.org/pastebin?id=70 (Yahoo)
> http://jqd.org/pastebin?id=71 (Hotmail)
> http://jqd.org/pastebin?id=72 (Gmail)
>
> Detected:
> http://jqd.org/pastebin?id=73 (The original Yahoo mail manually stripped
> down with only basic headers -- this one is detected.)


Hi All,

After much head scratching.. and the help of those who pasted the
headers... I can reproduce the failed test :)

And it means that the detection rates on some people's systems may not have
been as good as they should have been.

As some people guessed, it's all down to the header formation and a file
called .ftm.   ClamAV distributes a file which helps the engine decide
what type of file the email and/or attachments are.

You can see the file by doing this:

sigtool --unpack-current=daily

If you look for daily.ftm and look for this line:

0:0:52656365697665643a20:Raw mail:CL_TYPE_ANY:CL_TYPE_MAIL

It means that if ClamAV sees "Received:" as THE FIRST LINE then it sets
the scanning type to "Mail" (type 4 signatures).

The problem seems to be that in the undetected examples, the FIRST LINE
isn't "Received:" but "X-Received-From-Address:".

ClamAV doesn't have this type in its database, so it takes a "guess" :)

As a work-around... could people who had problems with detecting TEST2 do
the following:

Copy the following lines into a file called sanesecurity.ftm and copy the
file into the same data area as the rest of the signatures:

------ line to copy -------
0:0:582d52656365697665642d46726f6d2d416464726573733a:MailScanner:CL_TYPE_ANY:CL_TYPE_MAIL
0:0:582d456e76656c6f70652d546f3a:MailScanner2:CL_TYPE_ANY:CL_TYPE_MAIL
0:0:582d5370616d2d436865636b65722d56657273696f6e3a:MailScanner3:CL_TYPE_ANY:CL_TYPE_MAIL
------ line to copy -------

If this works, let me know.  If it doesn't work.. please post the FIRST
LINE of the email that you receive.

If we can get a list of headers, I'll then pass them on to the ClamAV team.

Cheers and thanks for everyone's help on this one... it's been a big puzzle.


Steve
Sanesecurity
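Added example, not from this thread or from the ClamAV/Sanesecurity projects: a small Python script that parses the .ftm lines quoted above (assumed field layout magictype:offset:hexmagic:name:requiredtype:detectedtype, only magic type 0 handled, required type ignored), decodes the hex magics back to header names, shows which first lines end up as CL_TYPE_MAIL with and without the work-around file, and builds a new entry from a header name a list member reports.

```python
# Added example (not part of the thread): decode and apply ClamAV .ftm
# type entries like the ones quoted above. Assumed field layout:
# magictype:offset:hexmagic:name:requiredtype:detectedtype[:minfl[:maxfl]];
# only magic type 0 (literal bytes at a fixed offset) is handled here.

# The "Raw mail" entry from daily.ftm, then the three work-around entries.
DAILY_FTM = "0:0:52656365697665643a20:Raw mail:CL_TYPE_ANY:CL_TYPE_MAIL\n"
SANESECURITY_FTM = """\
0:0:582d52656365697665642d46726f6d2d416464726573733a:MailScanner:CL_TYPE_ANY:CL_TYPE_MAIL
0:0:582d456e76656c6f70652d546f3a:MailScanner2:CL_TYPE_ANY:CL_TYPE_MAIL
0:0:582d5370616d2d436865636b65722d56657273696f6e3a:MailScanner3:CL_TYPE_ANY:CL_TYPE_MAIL
"""

def parse_ftm(text):
    """Return a list of (offset, magic_bytes, name, detected_type) for type-0 entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6 or fields[0] != "0":
            continue  # skip non-literal (section/regex based) entries
        _magictype, offset, magic, name, _rtype, dtype = fields[:6]
        entries.append((int(offset), bytes.fromhex(magic), name, dtype))
    return entries

def detect_type(data, entries):
    """Detected type of the first entry whose magic matches at its offset,
    else None (the case where ClamAV has no entry and has to guess)."""
    for offset, magic, _name, dtype in entries:
        if data[offset:offset + len(magic)] == magic:
            return dtype
    return None

def ftm_line_for_header(header, name):
    """Build a type-0 entry mapping a mail whose first line starts with
    `header` to CL_TYPE_MAIL, the same way the work-around lines were made."""
    return "0:0:%s:%s:CL_TYPE_ANY:CL_TYPE_MAIL" % (header.encode("ascii").hex(), name)

if __name__ == "__main__":
    # Constructed sample: a MailScanner-style first header, as in the failed test.
    sample = b"X-Received-From-Address: 192.0.2.10\nReceived: from mx.example.net\n"
    print(detect_type(sample, parse_ftm(DAILY_FTM)))                     # None
    print(detect_type(sample, parse_ftm(DAILY_FTM + SANESECURITY_FTM)))  # CL_TYPE_MAIL
    for _, magic, name, _ in parse_ftm(DAILY_FTM + SANESECURITY_FTM):
        print(name, "->", magic.decode("ascii"))
```

Note that the daily.ftm magic is "Received: " with a trailing space, so a first line such as "Received:from ..." would not match it either.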
