Hi !!
>> exim's content scanning creates a mbox .eml file, so there (theoretically)
>> will be no problem (I will test it through
>> http://www.webmail.us/testvirus, anyone asking for a test suite?), in
my tests with the eicar file show that clamd correctly demimes by
itself the .eml file and detects the virus signature, but in my tests
decode = default does nothing, the attachment is not saved to the
scan spool area. Will try to debug it deeply.
> well, test #24 and 25 (message/partial and CLSID trick, whatever that
> is), since they do not contain any virus, will pass through in a basic
> configuration (exim 4.50) with a data acl:
those on mime_acl will catch some of the tests:

  # CLSID hidden extension
  deny condition = ${if match {$mime_filename}\
                   {\N\{[a-hA-H0-9-]{25,}\}\N}{yes}{no}}
       message = Blacklisted extension (CLSID)

  # Boundary Space Gap
  deny condition = ${if match{$mime_boundary}{^( |\t)}{yes}{no}}
       message = Broken MIME container (Boundary Space Gap)

  # Empty MIME Boundary Vulnerability
  deny condition = $mime_is_multipart
       condition = ${if eq{$mime_boundary}{}{yes}{no}}
       message = Broken MIME container (Empty MIME Boundary)

  # Long MIME Boundary Vulnerability
  deny condition = ${if >{${strlen:$mime_boundary}}{70}{yes}{no}}
       message = Broken MIME container (Long MIME Boundary)

--
Best regards ...
It's a fine line between fishing & standing still
----------------------------------------------------------------
David Saez Padros http://www.ols.es
On-Line Services 2000 S.L. e-mail david@???
Pintor Vayreda 1 telf +34 902 50 29 75
08184 Palau-Solita i Plegamans movil +34 670 35 27 53
----------------------------------------------------------------
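
Added example (not part of the original message, and not Exim code): an offline Python check that applies the same four mime_acl conditions to raw MIME part headers, useful for confirming that a test message really exercises a rule before sending it through the server. The names mime_params, check_part and SAMPLES are hypothetical, the sample headers are constructed, and the header parsing is a simplified stand-in for how Exim fills $mime_boundary and $mime_filename.

```python
import re

# Same CLSID pattern as the ACL above. Header parsing is a simplified stand-in
# for Exim's MIME decoder (assumption), good enough to sanity-check test mails.
CLSID_RE = re.compile(r"\{[a-hA-H0-9-]{25,}\}")
PARAM_RE = re.compile(
    r';\s*(boundary|filename|name)\s*=\s*(?:"([^"]*)"|([^;\r\n]*))', re.I)

def mime_params(headers):
    """Return boundary/filename parameters from raw MIME part headers."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)  # join folded header lines
    params = {}
    for m in PARAM_RE.finditer(unfolded):
        key = "filename" if m.group(1).lower() == "name" else m.group(1).lower()
        # Quoted values keep leading whitespace; that is what the gap check needs.
        value = m.group(2) if m.group(2) is not None else m.group(3).strip()
        params.setdefault(key, value)
    return params

def check_part(headers):
    """Return the deny messages the four rules would produce for one part."""
    p = mime_params(headers)
    boundary, filename = p.get("boundary", ""), p.get("filename", "")
    multipart = re.search(r"^content-type:\s*multipart/", headers, re.I | re.M)
    hits = []
    if CLSID_RE.search(filename):
        hits.append("Blacklisted extension (CLSID)")
    if re.match(r"[ \t]", boundary):
        hits.append("Broken MIME container (Boundary Space Gap)")
    if multipart and boundary == "":
        hits.append("Broken MIME container (Empty MIME Boundary)")
    if len(boundary) > 70:
        hits.append("Broken MIME container (Long MIME Boundary)")
    return hits

# Constructed sample headers, one per rule plus a clean part.
SAMPLES = {
    "clean": 'Content-Type: text/plain; name="report.txt"',
    "clsid": 'Content-Type: application/octet-stream\n'
             'Content-Disposition: attachment;\n'
             ' filename="notes.txt.{00000000-0000-0000-0000-000000000000}"',
    "gap":   'Content-Type: multipart/mixed; boundary=" gap"',
    "empty": 'Content-Type: multipart/mixed; boundary=""',
    "long":  'Content-Type: multipart/mixed; boundary="' + "x" * 71 + '"',
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(name, check_part(hdr))
```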