[EMAIL PROTECTED] wrote: > I've noticed many times in the last few days, that an arriving phishing > attempt is not caught by ClamAV. But when I forward that same phishing > attempt as an attachment to another e-mail-address only a few minutes > later, ClamAV blocks it, e.g. with the message 550 contains virus -- > (Phishing.Heuristics.Email.SpoofedDomain FOUND) > > I can accept that ClamAV blocks my forwarding, but why wasn't the mail > blocked at arrival?
OP sent me a sample message which produced exactly the same behaviour. We're both using the Mailtraq MTA which supports the official win32 distribution (0.92.1). Detection only takes place when the mime part is Content-Type: message/rfc822. The original inbound mail was 'single part' with Content-Type: text/html. Similarly, detection doesn't take place when the mail client forwards inline (as text/plain) rather than as an attachment. So, is it bug or design -- does the heuristic algorithm require a mime part of message/rfc822? Shouldn't it also fire when the offending urls are presented as text/html or even text/plain? Thanks in advance. -- _______________________________________________ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-win32
