Michael Orlitzky wrote:
> Mark Martinec wrote:
>> See what ended up in the .../parts directory by turning on
>> per-recipient debugging, e.g.:
>>
>>   @debug_sender_maps = ( ['yours...@example.com'] );
>>
>> Apart from turning on full logging for a message to the specified
>> recipient address, it will also retain the contents of a temporary
>> directory, so you will be able to check what exactly is there.
>> The directory location will be logged, e.g.:
>>
>>   PRESERVING EVIDENCE in /var/amavis/amavis-20090624T233048-45480
>>
>> Mark
>
> Ah, thanks. This is what I needed. Amavis is presenting the full message
> to ClamAV as expected.
>
> This particular message begins with a "Received-SPF:" header. For some
> reason, this causes ClamAV to miss the signature. Removal of the header
> results in the expected behavior.
>
> The second test signature (the one that's failing) is defined for file
> type 4, or "Mail file," according to [2]. If I had to guess, it would be
> that the "Received-SPF" header is throwing off ClamAV's mail file detection.
>
> I'll take it to the ClamAV list. Thanks again.
>

Hrm, I thought the .ftm included with sanesecurity included most of
the common headers not in the "official" ftm, but it looks as if they
mostly address headers added by mailscanner.

So create your own local.ftm file containing that header so clam
knows it's a mail file. Contents of your local.ftm would look like:

  0:0:52656365697665642d5350463a:RecSPF:CL_TYPE_ANY:CL_TYPE_MAIL

The hex part is created with

  # echo -n "Received-SPF:" |sigtool --hex-dump

Or your favorite hex converter.

--
Noel Jones
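
An added example, not part of the original post or of ClamAV: shell helpers that build an offset-0 local.ftm entry in the six-field layout shown above and check whether the first bytes of a preserved message match any such entry. The function names, the "Received: " entry and the sample message are constructed for illustration, and `od` stands in for the `sigtool --hex-dump` step.

```shell
# Field layout copied from the entry in the post:
#   magictype:offset:hexbytes:name:required_type:detected_type

# hex_of STRING -> lowercase hex of the string's bytes
hex_of() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# ftm_entry HEADER NAME -> one offset-0 entry that marks HEADER as start of mail
ftm_entry() {
    printf '0:0:%s:%s:CL_TYPE_ANY:CL_TYPE_MAIL\n' "$(hex_of "$1")" "$2"
}

# ftm_match FTM_FILE MESSAGE_FILE
# Prints "name detected_type" for the first entry whose bytes equal the start
# of the message; returns 1 when no entry matches.
ftm_match() {
    ftm=$1
    msg=$2
    while IFS=: read -r mtype off hex name _rtype dtype _rest; do
        # Only literal (type 0) entries anchored at offset 0 are checked here;
        # comment lines and other entry kinds are skipped.
        [ "$mtype" = 0 ] && [ "$off" = 0 ] && [ -n "$hex" ] || continue
        hex=$(printf '%s' "$hex" | tr 'A-F' 'a-f')
        n=$(( ${#hex} / 2 ))
        start=$(head -c "$n" "$msg" | od -An -v -tx1 | tr -d ' \n')
        if [ "$start" = "$hex" ]; then
            printf '%s %s\n' "$name" "$dtype"
            return 0
        fi
    done < "$ftm"
    return 1
}

# Constructed sample: a message whose first header is Received-SPF, and a
# local.ftm that at first only knows "Received: " (constructed entry).
tmp=$(mktemp -d)
printf 'Received-SPF: pass\nFrom: user@example.com\n\nbody\n' > "$tmp/msg"
ftm_entry 'Received: ' RawMail > "$tmp/local.ftm"
ftm_match "$tmp/local.ftm" "$tmp/msg" || echo "no mail magic at offset 0"
ftm_entry 'Received-SPF:' RecSPF >> "$tmp/local.ftm"
ftm_match "$tmp/local.ftm" "$tmp/msg"
rm -rf "$tmp"
```

Pointing `ftm_match` at the message file kept in the "PRESERVING EVIDENCE" directory shows whether a local.ftm covers the header that message actually starts with.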