> Undetected:
> http://jqd.org/pastebin?id=69 (Fastmail.FM)
> http://jqd.org/pastebin?id=70 (Yahoo)
> http://jqd.org/pastebin?id=71 (Hotmail)
> http://jqd.org/pastebin?id=72 (Gmail)
>
> Detected:
> http://jqd.org/pastebin?id=73 (The original Yahoo mail manually stripped
> down with only basic headers -- this one is detected.)

Hi All,

After much head scratching... and the help of those who pasted the headers... I can reproduce the failed test :)

And it means that the detection rates on some people's systems may not be as good as they should have been.

As some people guessed, it's all down to the header formation and a file called .ftm.

ClamAV has a file distributed which helps the engine decide what type of file the email and/or attachments are.

You can see the file by doing this:

    sigtool --unpack-current=daily

If you look for daily.ftm and look for this line:

    0:0:52656365697665643a20:Raw mail:CL_TYPE_ANY:CL_TYPE_MAIL

It means that if ClamAV sees "Received:" as THE FIRST LINE then it sets the scanning type to "Mail" (type 4 signatures).

The problem seems to be that in the undetected examples, the FIRST LINE isn't "Received:" but "X-Received-From-Address:". ClamAV doesn't have this type in its database, so it takes a "guess" :)

As a work-around... could people who had problems with detecting TEST2 do the following:

Copy the following lines into a file called sanesecurity.ftm and copy the file into the same data area as the rest of the signatures:

------ line to copy -------
0:0:582d52656365697665642d46726f6d2d416464726573733a:MailScanner:CL_TYPE_ANY:CL_TYPE_MAIL
0:0:582d456e76656c6f70652d546f3a:MailScanner2:CL_TYPE_ANY:CL_TYPE_MAIL
0:0:582d5370616d2d436865636b65722d56657273696f6e3a:MailScanner3:CL_TYPE_ANY:CL_TYPE_MAIL
------ line to copy -------

If this works, let me know.

If it doesn't work... please post the FIRST LINE of the email that you receive. If we can get a list of headers, I'll then pass them on to the ClamAV team.

Cheers and thanks for everyone's help on this one... it's been a big puzzle.

Steve
Sanesecurity
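
An added example, not part of the original message and not ClamAV or Sanesecurity code: a small checker that decodes the .ftm lines quoted above, reports whether a message's first bytes would be typed as mail, and builds an entry for a first header that is not covered. It assumes the colon-separated field layout visible in those lines and handles only entries whose first field is 0 with a numeric offset; the function names and sample messages are made up for illustration.

```python
# Entries copied from the message above.
STOCK = "0:0:52656365697665643a20:Raw mail:CL_TYPE_ANY:CL_TYPE_MAIL\n"
PROPOSED = STOCK + """\
0:0:582d52656365697665642d46726f6d2d416464726573733a:MailScanner:CL_TYPE_ANY:CL_TYPE_MAIL
0:0:582d456e76656c6f70652d546f3a:MailScanner2:CL_TYPE_ANY:CL_TYPE_MAIL
0:0:582d5370616d2d436865636b65722d56657273696f6e3a:MailScanner3:CL_TYPE_ANY:CL_TYPE_MAIL
"""


def parse_ftm(text):
    """Return (offset, magic_bytes, name, detected_type) per usable entry."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        # Assumption: only the form shown in the message is handled
        # (first field 0, numeric offset, hex magic, six fields).
        if len(fields) < 6 or fields[0] != "0" or not fields[1].isdigit():
            continue
        entries.append((int(fields[1]), bytes.fromhex(fields[2]),
                        fields[3], fields[5]))
    return entries


def match_type(message, entries):
    """Return (name, type) of the first entry whose magic matches, else None."""
    for offset, magic, name, ftype in entries:
        if message[offset:offset + len(magic)] == magic:
            return name, ftype
    return None  # no entry matched: the engine is left to guess the type


def make_entry(first_line, name):
    """Build an .ftm line for the header name that starts first_line."""
    header = first_line.split(b":", 1)[0] + b":"
    return "0:0:%s:%s:CL_TYPE_ANY:CL_TYPE_MAIL" % (header.hex(), name)


if __name__ == "__main__":
    # Constructed sample messages, not taken from the pastebin links.
    samples = [
        b"Received: from mx.example.org by mail.example.com\r\nSubject: a\r\n",
        b"X-Received-From-Address: 192.0.2.10\r\nReceived: from mx\r\n",
        b"X-Example-Gateway: yes\r\nReceived: from mx.example.org\r\n",
    ]
    for label, text in (("stock", STOCK), ("stock + proposed", PROPOSED)):
        entries = parse_ftm(text)
        for msg in samples:
            first = msg.split(b"\r\n", 1)[0]
            hit = match_type(msg, entries)
            print(label, "|", first.decode(), "->", hit or make_entry(first, "Local1"))
```

Run against the first line of a saved message from your own gateway; any line printed as a new entry is a candidate for sanesecurity.ftm.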