Hello, Thank you for your help.
I am not familiar with ClamAv and what you are describing below. Please let me know - is there any information I can provide that would help you to correct the issue? Many thanks, Anne-Sophie -----Original Message----- From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Reindl Harald Sent: 15 February 2017 12:16 To: clamav-users@lists.clamav.net Subject: Re: [clamav-users] clamdscan mail file Am 15.02.2017 um 13:10 schrieb TBits.net, Mailinglists: > On 2017-02-13 15:07, TBits.net, Mailinglists wrote: >> On 2017-02-13 14:39, Reindl Harald wrote: >>> Am 13.02.2017 um 14:33 schrieb TBits.net, Mailinglists: >>>> On 2017-02-13 13:19, Reindl Harald wrote: >>>>> Am 13.02.2017 um 13:05 schrieb TBits.net, Mailinglists: >>>>>> Hi @all, >>>>>> >>>>>> clamav-milter identify an email as infected by >>>>>> Heuristics.Phishing.Email.SSL-Spoof. >>>>>> >>>>>> This is correct, but when I scan this file in the quarantine with >>>>>> clamdscan or clamscan the file is clean.8154 It seams that the >>>>>> clamscan or clamdscan do not scan this file for Phishing. >>>>>> Is it possible to scan a text file as a mail to identify with >>>>>> phishing? >>>>> >>>>> clamdscan is using clamd the same way as "clamav-milter" and so if >>>>> it's the same clamd configuration it behaves identically >>>> >>>> clamav-milter identify it as Heuristics.Phishing.Email.SSL-Spoof >>>> but in clamdscan it is clean. >>>> And I think the result should be the same >>> >>> they are - proven by a webinterface where i upload eml files at pass >>> them through spamd and clamdscan using two different clamd-instances >>> which are used by clamav-milter and/or spamassassin >>> >>> are you 100% certain that clamdscan is using the identical clamd >>> instance with identical configuration? >> >> Yes only one instance of clamd is running. >> I scan only the quarantined mail which was hold by clamav-milter before. >> >> Tested under different servers, on all servers are the same result. >> > > any idea how I can scan a text file as email, that phishing attempts > are identified? > > if you send the code via telnet to the smtp server clamav-milter > identify it as "infected by Heuristics.Phishing.Email.SSL-Spoof" > If you scan a file with this code, clamdscan identify it as clean. > > --- snip--- > subject: test > --_000_ed9530a770f34b59940e38cc79be07c0SE011093_ > Content-Type: text/html; charset="iso-8859-1" > Content-Transfer-Encoding: quoted-printable <a > href="http://www.example.de/";>https://www.example.de; > --_000_ed9530a770f34b59940e38cc79be07c0SE011093_- > ---snip--- a good start would be to provide a *unchanged* sample .eml file so that somebody can reproduce it - at least unmangeled eml files saved with thunderbird and piped through clamdscan behave 100% identical to milter usage because there is technical no difference at all so most likely you file is just recognized as email _______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml ________________________________ This e-mail and files transmitted with it are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you are not one of the named recipient(s) or otherwise have reason to believe that you received this message in error, please immediately notify sender by e-mail, and destroy the original message. Thank You. _______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
