Re: [clamav-users] Curious clamd behavior
Hi Dave, I opened https://bugzilla.clamav.net/show_bug.cgi?id=11544 to track this issue. Can you attach your mail file(s) and pdb signature(s) the bugzilla ticket please? I'd also like to know the details of MTA you are using and whether it uses milter or the clamd protocol directly. Thanks, Steve ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Curious clamd behavior
On Thu, 2016-03-24 at 10:24 -0700, Dennis Peterson wrote: > The blank line ends the header section. In a simple message it would > typically > follow the Subject: line. > That's correct, but that's not what clamd is seemingly looking for. It's looking for a blank line *before* the headers. ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Curious clamd behavior
The blank line ends the header section. In a simple message it would typically follow the Subject: line. dp On 3/24/16 6:44 AM, Dave McMurtrie wrote: On Thu, 2016-03-24 at 11:05 +, Dave McMurtrie wrote: Hi, I created a local pdb database so I can catch phishing attempts when URLs in an email display our domain name but actually link to a malicious URL. In testing, I found something that I don't understand. When I run clamdscan on a test message it correctly detects a spoofed domain in the message. When my MTA connects to the clamd socket and asks it to scan the same exact message, it does not detect it. Replying to myself here and hoping one of the Clam developers can clue me in. I started to look at the code to figure out why it's not identifying this as type Mail when my MTA asks clamd to scan it, but it does when I manually run clamdscan. After decoding all the "Mail" types from filetypes_int.h, it appears as though the following matches should identify something as "Mail": >From Date: Delivered-To: Delivery-date: Envelope-to: Message-ID: Message-Id: Subject: To: X-Apparently-To: X-Envelope-From: X-Original-To: X-Real-To: X-Sieve: X-UIDL: My sample message has several of those headers, but none match when my MTA invokes clamd. Oddly, through dumb luck testing with telnet connecting to my MTA I seem to have figured out what's going on. clamd appears to only match any of these if there's a blank line as the first line of data I send. Meaning, if I do this it won't be identified as Mail: mail from:dav...@andrew.cmu.edu 250 2.1.0 dav...@andrew.cmu.edu... Sender ok rcpt to:dav...@andrew.cmu.edu 250 2.1.5 dav...@andrew.cmu.edu... Recipient ok data 354 Enter mail, end with "." on a line by itself Date: Thu, 24 Mar 2016 06:41:42 -0400 ...snipped for brevity... However, if I do this it will be identified as Mail and my pdb signature works correctly: mail from:dav...@andrew.cmu.edu 250 2.1.0 dav...@andrew.cmu.edu... Sender ok rcpt to:dav...@andrew.cmu.edu 250 2.1.5 dav...@andrew.cmu.edu... Recipient ok data 354 Enter mail, end with "." on a line by itself Date: Thu, 24 Mar 2016 06:41:42 -0400 ...snipped for brevity... Given that smtp protocol does not require (or even mention) that the first line of the DATA phase will be a crlf, I'm not sure how ClamAV would ever identify anything as type Mail. Am I doing something wrong here? I assume I must be, because I can't be the only person attempting to use a pdb database to do this. Thanks! Dave ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Curious clamd behavior
On Thu, 2016-03-24 at 11:05 +, Dave McMurtrie wrote: > Hi, > > I created a local pdb database so I can catch phishing attempts when > URLs in an email display our domain name but actually link to a > malicious URL. In testing, I found something that I don't understand. > > When I run clamdscan on a test message it correctly detects a spoofed > domain in the message. When my MTA connects to the clamd socket and > asks it to scan the same exact message, it does not detect it. Replying to myself here and hoping one of the Clam developers can clue me in. I started to look at the code to figure out why it's not identifying this as type Mail when my MTA asks clamd to scan it, but it does when I manually run clamdscan. After decoding all the "Mail" types from filetypes_int.h, it appears as though the following matches should identify something as "Mail": >From Date: Delivered-To: Delivery-date: Envelope-to: Message-ID: Message-Id: Subject: To: X-Apparently-To: X-Envelope-From: X-Original-To: X-Real-To: X-Sieve: X-UIDL: My sample message has several of those headers, but none match when my MTA invokes clamd. Oddly, through dumb luck testing with telnet connecting to my MTA I seem to have figured out what's going on. clamd appears to only match any of these if there's a blank line as the first line of data I send. Meaning, if I do this it won't be identified as Mail: mail from:dav...@andrew.cmu.edu 250 2.1.0 dav...@andrew.cmu.edu... Sender ok rcpt to:dav...@andrew.cmu.edu 250 2.1.5 dav...@andrew.cmu.edu... Recipient ok data 354 Enter mail, end with "." on a line by itself Date: Thu, 24 Mar 2016 06:41:42 -0400 ...snipped for brevity... However, if I do this it will be identified as Mail and my pdb signature works correctly: mail from:dav...@andrew.cmu.edu 250 2.1.0 dav...@andrew.cmu.edu... Sender ok rcpt to:dav...@andrew.cmu.edu 250 2.1.5 dav...@andrew.cmu.edu... Recipient ok data 354 Enter mail, end with "." on a line by itself Date: Thu, 24 Mar 2016 06:41:42 -0400 ...snipped for brevity... Given that smtp protocol does not require (or even mention) that the first line of the DATA phase will be a crlf, I'm not sure how ClamAV would ever identify anything as type Mail. Am I doing something wrong here? I assume I must be, because I can't be the only person attempting to use a pdb database to do this. Thanks! Dave ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
[clamav-users] Curious clamd behavior
Hi, I created a local pdb database so I can catch phishing attempts when URLs in an email display our domain name but actually link to a malicious URL. In testing, I found something that I don't understand. When I run clamdscan on a test message it correctly detects a spoofed domain in the message. When my MTA connects to the clamd socket and asks it to scan the same exact message, it does not detect it. I ran into a very similar problem before with a gdb database and never did figure it out. The big difference that I notice in looking at libclamav debug output is that when I ran clamdscan it detects it to be an email message and it calls cli_scanmail(): LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16) LibClamAV debug: Recognized ASCII text LibClamAV debug: Matched signature for file type Mail file LibClamAV debug: cache_check: 2abdd56b32d91583175dfd071e7019d1 is negative LibClamAV debug: Starting cli_scanmail(), recursion = 1 However, when my MTA connects to clamd it does not: LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16) LibClamAV debug: Recognized ASCII text LibClamAV debug: cache_check: 94e3a1ba1c23e73cb98e9a8e8a801479 is positive LibClamAV debug: cli_magic_scandesc: returning 0 at line 2791 (no post, no cache) LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16) LibClamAV debug: Recognized ASCII text LibClamAV debug: Matched signature for file type HTML data.UNOFFICIAL LibClamAV debug: cache_check: f82c03beb094dd4a77cd3074ce327601 is positive Oh, this is version: ClamAV 0.99.1/21471/Wed Mar 23 19:48:37 2016 Any thoughts? Thanks! Dave ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
