
Problems

Notes for various mail filters

amavisd-new

Amavis needs to pass the entire message, unmodified, to ClamAV rather than only the decoded MIME parts, which is all the scanner sees by default. The simplest way to arrange that in amavisd.conf is

$bypass_decode_parts = 1;

Alternatively, when $bypass_decode_parts is left at its default of false, you can still let the full original message reach the virus scanner by adding a match on 'MAIL' to @keep_decoded_original_maps, e.g.:

@keep_decoded_original_maps = (new_RE(
  qr'^MAIL$',                # retain full original message for virus checking
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
));

You may find that a '^MAIL$' entry is already there but commented out by default. Uncomment it, restart amavisd (amavisd-maia on a Maia Mailguard installation), and the full, undecoded message will be scanned in addition to the attachments.

For more information on the above, see this thread

You will also need to enable @virus_name_to_spam_score_maps (it ships in amavisd.conf commented out; remove the leading #'s). It decides, per signature name, whether a ClamAV hit keeps the message marked as infected (undef) or merely adds the given spam score. Entries are tried in order and the first match wins, so specific entries must come before the catch-alls; the Sanesecurity.TestSig_ entry is placed above the '^Sanesecurity\.' catch-all here for that reason (listed after it, as in the original, it can never match):

@virus_name_to_spam_score_maps =
  (new_RE(  # the order matters: first match wins
    [ qr'^Structured\.(SSN|CreditCardNumber)\b'            => 0.1 ],
    [ qr'^(Heuristics\.)?Phishing\.'                       => 0.1 ],
    [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)'      => 0.1 ],
    [ qr'^Sanesecurity\.(Malware|Badmacro|Foxhole|Rogue|Trojan)\.' => undef ],# keep as infected
    [ qr'^Sanesecurity\.TestSig_'                          => 0   ],# must precede the catch-all below
    [ qr'^Sanesecurity\.'                                  => 0.1 ],
    [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0   ],
    [ qr'^BofhlandMW\.'                                    => undef ],# keep as infected
    [ qr'^Bofhland\.Malware\.'                             => undef ],# keep as infected
    [ qr'^Bofhland\.'                                      => 0.1 ],
    [ qr'^winnow\.malware\.'                               => undef ],# keep as infected
    [ qr'^winnow\_'                                        => 0.1 ],
    [ qr'^PhishTank\.Phishing\.'                           => 0.1 ],
    [ qr'^Porcupine\.Malware\.'                            => undef ],# keep as infected
    [ qr'^Porcupine\.'                                     => 0.1 ],
    [ qr'^Email\.Spammail\b'                               => 0.1 ],
    [ qr'^Safebrowsing\.'                                  => 0.1 ],
    [ qr'^winnow\.(phish|spam)\.'                          => 0.1 ],
    [ qr'^ScamNailer\.'                                    => 0.1 ],
  ));

The side effect of the @keep_decoded_original_maps change above is that each mail is virus scanned twice: once as the whole message, and again for each decoded part.
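As an added example (it is neither this page's own text nor amavisd-new code), the standalone Perl script below walks a score map in the same first-match fashion amavisd applies to @virus_name_to_spam_score_maps, so an ordering can be checked before amavisd is restarted. score_for(), verdict() and the signature names are constructed for illustration; that amavisd treats a name matching no entry like an explicit undef (keep as infected) is an assumption, noted in the comments, about the real lookup.

```perl
#!/usr/bin/perl
# Added example, not part of the Sanesecurity page or of amavisd-new.
# A tiny first-match lookup that mimics how amavisd walks
# @virus_name_to_spam_score_maps, used here to show why entry order matters.
use strict;
use warnings;

# Ordered list of [ regexp => score ] pairs, the same shape as the entries
# handed to new_RE() in amavisd.conf. undef means "keep as infected".
my @map = (
    [ qr'^Sanesecurity\.(Malware|Badmacro|Foxhole|Rogue|Trojan)\.' => undef ],
    [ qr'^Sanesecurity\.TestSig_'                                  => 0     ],
    [ qr'^Sanesecurity\.'                                          => 0.1   ],
    [ qr'^winnow\.malware\.'                                       => undef ],
    [ qr'^winnow_'                                                 => 0.1   ],
);

# First matching entry wins. Returns (1, score) on a match and (0, undef)
# when nothing matches. Treating "no match" the same as an explicit undef
# (keep as infected) is this example's assumption about amavisd's default.
sub score_for {
    my ($sig, @entries) = @_;
    for my $e (@entries) {
        my ($re, $score) = @$e;
        return (1, $score) if $sig =~ $re;
    }
    return (0, undef);
}

# Human-readable outcome for one signature name under one ordering.
sub verdict {
    my ($sig, @entries) = @_;
    my ($found, $score) = score_for($sig, @entries);
    return 'INFECTED' if (!$found || !defined $score);
    return "spam score +$score";
}

# Constructed signature names in the style ClamAV reports for third-party
# databases; they are illustrative placeholders, not real detections.
my @samples = (
    'Sanesecurity.Malware.00000.Trojan.UNOFFICIAL',
    'Sanesecurity.TestSig_Type4_Bdy.UNOFFICIAL',
    'Sanesecurity.Junk.00000.UNOFFICIAL',
    'winnow.malware.example.UNOFFICIAL',
    'winnow_spam_example.UNOFFICIAL',
    'Eicar-Test-Signature',
);

# Compare the correct order with one where the TestSig entry has been
# placed after the '^Sanesecurity\.' catch-all and is therefore shadowed.
my @shadowed = @map[0, 2, 1, 3, 4];
printf "%-45s %-16s %s\n", 'signature', 'correct order', 'TestSig shadowed';
for my $sig (@samples) {
    printf "%-45s %-16s %s\n", $sig, verdict($sig, @map), verdict($sig, @shadowed);
}
```

Run it with perl; the third column shows the test signature being scored 0.1 instead of 0 once its entry sits behind the catch-all, which is the kind of silent misclassification a mis-ordered map produces for real signatures as well.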

MailScanner

Make sure the entire message is being scanned, in MailScanner.conf:

ClamAV Full Message Scan = yes

Also make sure clamd.conf still contains the default

ScanMail yes

and you may also need the following patch (which was due to be included in the next version of MailScanner):

— /root/v4/NEWSTABLE/mailscanner/bin/MailScanner/SweepViruses.pm 2009-01-11 19:27:02.000000000 +0000
+++ SweepViruses.pm 2009-01-25 16:24:33.000000000 +0000
@@ -2724,6 +2724,8 @@
$file =~ s/^(./)?$BaseDir/?//;
$file =~ s/^.///;
my ($id,$part) = split ///, $file, 2;
+ # JKF 20090125 Full message check.
+ $part = “” if $id =~ s/.(message|header)$//; # Only log the whole message if no attachment has been logged
MailScanner::Log::InfoLog(“%s”, $logline)
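Review bot: the comment on the added line, "Only log the whole message if no attachment has been logged", does not describe what the line does: `$part = "" if $id =~ s/.(message|header)$//;` unconditionally clears $part and strips the suffix whenever $id ends in .message or .header, with no check of whether an attachment has already been logged. Either make the comment match the code (the .message/.header scan unit is logged as the whole message with an empty part name) or add the "already logged" condition the comment promises. Also, the `.` before `(message|header)` is unescaped and so matches any character, not just the dot; if that is not an extraction artifact (the context lines above have lost their backslashes in the same way), write `\.`.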

Qmail-Scanner

Make sure Qmail-Scanner was configured with the --redundant yes option, which makes it pass the entire message to the virus scanners as well as the unpacked attachments.

mimedefang-filter

By default MIMEDefang hands the virus scanner only the decoded MIME parts in its work directory; to have the whole original message scanned as well, call md_copy_orig_msg_to_work_dir() in mimedefang-filter just before the call to message_contains_virus().
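As an added example (not from this page and not MIMEDefang's own code), here is a filter_begin() for mimedefang-filter with the copy placed where the text says it belongs. md_copy_orig_msg_to_work_dir(), message_contains_virus(), md_syslog(), action_quarantine_entire_message(), action_discard() and the $VirusName and $MsgID globals are MIMEDefang's filter API; the log wording and the choice to quarantine rather than bounce are this example's own.

```perl
# Added example for /etc/mail/mimedefang-filter; not code from the
# Sanesecurity page or from the MIMEDefang project.
sub filter_begin {
    my ($entity) = @_;

    # Without this call the scanner sees only the decoded MIME parts that
    # MIMEDefang has unpacked into the work directory. Copying the raw,
    # undecoded message in beside them lets signatures that need the whole
    # message (headers, raw encoding, full body) fire too. The cost is that
    # the message content is scanned twice.
    md_copy_orig_msg_to_work_dir();

    # Now the AV pass covers both the parts and the original message.
    my ($code, $category, $action) = message_contains_virus();

    if ($code) {
        # $VirusName is set by message_contains_virus() on a hit.
        md_syslog('warning', "$MsgID: virus scanner reported '$VirusName', action=$action");

        if ($category eq 'virus' || $action eq 'quarantine') {
            # Example policy: keep a copy for analysis, then drop the message
            # rather than bounce it (a bounce would backscatter to a forged sender).
            action_quarantine_entire_message("Quarantined: $VirusName");
            return action_discard();
        }
        # Any other scanner outcome (e.g. 'proceed' after a scanner error)
        # falls through and the message continues to filter().
    }
    return 1;
}
```

The copy has to happen before message_contains_virus(), since that is the call that runs the scanner over the work directory; placing it later leaves the scan result unchanged.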

Permanent link to this article: https://sanesecurity.com/support/problems/