Thomas,

> today I discovered a mail that made it through Amavisd-new, even if
> policy for this user clearly states that mail should be scanned - but
> as log files show it has been passed to Spamassassin, but not to any
> Virus scanner. ClamAV on this host (and on other hosts) recognizes
> this mail as spam.
>
> Here are the log lines of the original (not caught) mail:
>
> (13191-11-6) Checking: ObFusYq0movf mymx [1.2.3.4] <sen...@domain.tld>
> -> <m...@customer.tld>
> (13191-11-6) p004 1 Content-Type: multipart/related
> (13191-11-6) p005 1/1 Content-Type: multipart/alternative
> (13191-11-6) p001 1/1/1 Content-Type: text/plain, size: 4410 B, name:
> (13191-11-6) p002 1/1/2 Content-Type: text/html, size: 24530 B, name:
> (13191-11-6) p003 1/2 Content-Type: image/jpeg, size: 8860 B, name:
> image001.jpg
> (13191-11-6) SPAM-TAG, <sen...@domain.tld> -> <m...@customer.tld>, No,
> score=-0.405 tagged_above=-999 required=3 tests=[AWL=-2.194,

> As you can see, "run_av" does not appear in these lines. If I use the
> whole mail as another mail's plain content, it is being caught:
>
> (11166-04-2) Checking: ObFusgHsHsH6 mymx [1.2.3.4] <anot...@sender.tld>
> -> <o...@mailbox.tld>
> (11166-04-2) p001 1 Content-Type: text/plain, size: 53267 B, name:
> (11166-04-2) run_av (ClamAV-clamd):
> /var/lib/amavis/tmp/amavis-20090611T0123456-11166/parts INFECTED:
> Phishing.Heuristics.Email.SpoofedDomain

Perhaps m...@customer.tld has bypass_virus_checks while o...@mailbox.tld
does not? Elevated log level would tell. (but see further on)

> Is there something badly going wrong - or did I miss something?
> Please note that qr'^MAIL$' is NOT part of my @keep_decoded_original_maps
> list, that setting was what first seemed reasonable to me.

Having qr'^MAIL$' in @keep_decoded_original_maps seems reasonable
to me too. If the 'Phishing.Heuristics.Email.SpoofedDomain' test
in ClamAV checks a mail header section, the absence of qr'^MAIL$'
would explain what you are seeing.

> But as run_av is not even called for the decoded MIME parts,
> that's probably not the issue here.

What is your log level? The "run_av (ClamAV-clamd): ..." log entry
is reported at log level 2 when infected, but at log level 3 when clean.

  Mark
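Added example, not from this thread or from amavisd-new itself: a small Python script that groups amavisd-new log lines by task id and reports which checked messages have no "run_av" entry. Following the log-level point above, the absence of a run_av line is treated as "not scanned" only when $log_level is at least 3; below that a clean scan is simply not logged, so the result is inconclusive. The embedded log lines are constructed from the ones quoted in the thread, with made-up addresses.

```python
import re

# Constructed sample, modelled on the log lines quoted in the thread
# (addresses are placeholders, not the original ones).
SAMPLE_LOG = """\
(13191-11-6) Checking: ObFusYq0movf mymx [1.2.3.4] <sender@domain.tld> -> <m@customer.tld>
(13191-11-6) p001 1/1/1 Content-Type: text/plain, size: 4410 B, name:
(13191-11-6) SPAM-TAG, <sender@domain.tld> -> <m@customer.tld>, No, score=-0.405 required=3
(11166-04-2) Checking: ObFusgHsHsH6 mymx [1.2.3.4] <another@sender.tld> -> <o@mailbox.tld>
(11166-04-2) p001 1 Content-Type: text/plain, size: 53267 B, name:
(11166-04-2) run_av (ClamAV-clamd): /var/lib/amavis/tmp/amavis-X/parts INFECTED: Phishing.Heuristics.Email.SpoofedDomain
"""

# "(task-id) rest of line" as amavisd-new logs it
TASK_RE = re.compile(r'^\((?P<task>[\d-]+)\)\s+(?P<rest>.*)$')
# sender/recipient pair on the "Checking:" line
ADDR_RE = re.compile(r'<(?P<sender>[^>]*)>\s+->\s+<(?P<rcpt>[^>]*)>')


def audit_av_calls(log_text, log_level):
    """Map each task id to its recipient and a scan status string."""
    msgs = {}
    for line in log_text.splitlines():
        m = TASK_RE.match(line)
        if not m:
            continue
        task, rest = m.group('task'), m.group('rest')
        entry = msgs.setdefault(task, {'rcpt': None, 'run_av': False, 'infected': False})
        if rest.startswith('Checking:'):
            a = ADDR_RE.search(rest)
            entry['rcpt'] = a.group('rcpt') if a else None
        elif rest.startswith('run_av'):
            entry['run_av'] = True
            entry['infected'] = 'INFECTED' in rest

    report = {}
    for task, e in msgs.items():
        if e['infected']:
            status = 'scanned-infected'       # logged at level 2 and above
        elif e['run_av']:
            status = 'scanned-clean'          # only logged at level 3 and above
        elif log_level >= 3:
            status = 'NOT-SCANNED'            # at level 3 a clean scan would have been logged
        else:
            status = 'inconclusive'           # raise $log_level to 3 to tell
        report[task] = {'rcpt': e['rcpt'], 'status': status}
    return report


if __name__ == '__main__':
    for task, info in audit_av_calls(SAMPLE_LOG, log_level=3).items():
        print(task, info['rcpt'], info['status'])
```

A task reported as NOT-SCANNED at log level 3 is the case to check against bypass_virus_checks for that recipient.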

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/amavis-user 
 AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 
 AMaViS-HowTos:http://www.amavis.org/howto/ 