On Tue, 2007-10-02 at 10:24 -0700, Dennis Peterson wrote:
> Can anyone offer a reason why the OP found a virus in the mbox file but not
> in the split out maildir messages? That kind of inconsistency is unsettling.

Rather easy I guess, given your analysis of the RE earlier. :)

Caveat: I have not checked the signature myself, going from your own
description only. Also, I assume that "any number of characters"
actually includes \n. The signature wouldn't match my FreeGame crap
otherwise anyway.


Somewhat simplified, the signature reads "Subject with the string game"
and "an IP style http link".

Scanning maildirs as well as scanning individual messages before
delivering, this enforces that both be in the same email. Scanning a
whole mbox however, does *not*.

The Subject can be in one message, and the link in another one further
down the file. Boom, we got a hit! :)  (Actually, according to your
prose description, it neither needs to be a (Subject) header, nor an IP
style link.)


Which raises the question of whether the OP is correct when stating that
ClamAV knows how to handle mbox files. It sure does not look like that. The
summary claimed to have scanned one (mbox) file. It did not claim to
have scanned a bunch of messages, treated individually and applying the
signatures against each of them -- just a single text/plain file, that
happens to resemble more than one message.


A note to the OP: Line numbers won't get you anything. Well, at least
for mbox files that is. Let's assume ClamAV would have spit out a line
number. Now what? Your mail client doesn't support "displaying the mail
of line N". And what if this is an mbox file being served by an IMAP
server? Even less client control over the file...

Your only option would be to start an editor, to look at the raw mail.
OK, that would work in this case, maybe. But what if this weren't such
dumb text/plain crap, but a binary attachment, base64 encoded, in a
mail?

Scanning incoming messages before delivering definitely is the way to
go. On one hand, you can act appropriately, and be sure to avoid issues
like these match inconsistencies [1]. On the other hand, scanning
periodically after delivery is much too late anyway. How do you ensure
the user didn't fall for the phish already?

  guenther


[1] yes, that mbox file seems to be clean, not containing any virus

-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

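The cross-message match guenther describes, as an added example that is not code from the thread or from ClamAV: a constructed two-message mbox is scanned whole and then message by message with a simplified regex standing in for the described signature. The pattern, the message contents and the addresses are all assumptions.

```python
import re

# Constructed sample mbox with two harmless messages. Neither message
# contains both triggers on its own, but the file as a whole does.
SAMPLE_MBOX = """From alice@example.invalid Tue Oct 02 10:00:00 2007
Subject: Board game night on Friday?
From: alice@example.invalid

Bring snacks.

From bob@example.invalid Tue Oct 02 10:05:00 2007
Subject: Internal wiki moved
From: bob@example.invalid

New address: http://192.0.2.10/wiki/ (documentation range, constructed)
"""

# Simplified stand-in for the signature discussed in the thread (assumed
# form, not the real ClamAV signature): "Subject containing 'game'", then
# any number of characters including newlines, then a dotted-quad http link.
SIGNATURE = re.compile(
    r"Subject:.*?game.*?http://\d{1,3}(?:\.\d{1,3}){3}",
    re.IGNORECASE | re.DOTALL,
)


def split_mbox(text):
    """Split mbox text into messages at lines starting with 'From ' (mbox separator)."""
    parts = re.split(r"^(?=From )", text, flags=re.MULTILINE)
    return [m for m in parts if m.strip()]


def scan(text):
    """Return True if the simplified signature matches the given text."""
    return SIGNATURE.search(text) is not None


def scan_whole_mbox(text=SAMPLE_MBOX):
    """Scan the mbox as one text/plain file, as the OP's run apparently did."""
    return scan(text)


def scan_split_messages(text=SAMPLE_MBOX):
    """Scan each message on its own, as maildir or pre-delivery scanning would."""
    return [scan(m) for m in split_mbox(text)]


if __name__ == "__main__":
    print("whole mbox hit:", scan_whole_mbox())        # True
    print("per-message hits:", scan_split_messages())  # [False, False]
```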
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
