Hello Edwin
Thank you for your reply.
On 10.02.2012 15:06, Török Edwin wrote:
# clamscan -v DHL_Post_oder_Notification-INF6782654.zip
DHL_Post_oder_Notification-INF6782654.zip: Suspect.Bredozip-zippwd-2 FOUND
The detection is based on the filename inside the zip file.
I am curious... isn't this relay unsafe?
I have just checked a second of these DHL emails. The Subject and the
ZIP Name was different, but the content was the same file. So what
happens if a spammer not only changes the subject and zip-name but also
changes everytime the filename of the exe?
Would it not make sense to use something like an md5 sum of the exe
file? I think the effort to change the names of the exe is much lower
than changing the malware for every email.
But hey... i am just thinking loud... I don't want to step on anybody's
feet. As i said... i am just curious.
So the question is... how can i fix this?
Pass the full email to ClamAV, not just the attachments.
Hmm... okay, i give a look on it.
Thank you Edwin!
Best regards
Matthias
--
Matthias Egger
ETH Zurich
Department of Information Technology maeg...@ee.ethz.ch
and Electrical Engineering
IT Support Group (ISG.EE), ETL/F/24.1 Phone +41 (0)44 632 03 90
Physikstrasse 3, CH-8092 Zurich Fax +41 (0)44 632 11 95
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
