[exim] malware_name not reporting correct name?

Author: John Horne
Date:  
To: Exim users
Subject: [exim] malware_name not reporting correct name?
Hello,

Using exim 4.72 I have been trying to track down a problem where mail
with some form of detected malware has been rejected. We tend to reject
anything detected by ClamAV's own signatures, but mark those which are
'UNOFFICIAL'. This has worked fine, but we are now seeing some mail
rejected and the reported malware name - from the malware_name variable -
is (e.g.): 457)

This is the actual name being reported by 'malware_name' - '457)'.
Our logs show that other messages have been rejected, with the number in
the message varying.

It seems that the InetMsg spamdomain third-party signatures are being
reported by ClamAV as (e.g.):
INetMsg.SpamDomain-2m.engduates_com.UNOFFICIAL(924747f3c8e4b999eb887c755839021b:457)
Our clamd log file shows the same name as being detected.

As can be seen the name does not end in 'UNOFFICIAL', but has some
string after it. The '457' does not refer to the line number. Checking
the 'INetMsg-SpamDomains-2m.ndb' shows the relevant line simply as:

INetMsg.SpamDomain-2m.engduates_com:4:*:(2e|2f|40|20|3c|5f)656e676475617465732e636f6d(27|22|20|2f|3d|5f|3e|0a|0d)

which looks fine. In that respect it seems the 'malware_name' variable
has a problem in reporting the correct name.



Regards,

John.

-- 
John Horne                   Tel: +44 (0)1752 587287
University of Plymouth, UK   Fax: +44 (0)1752 587001
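
The symptom described in the message above, as an added example that is not part of the original post and is not Exim's or ClamAV's code. It assumes the usual `stream: <name> FOUND` clamd reply framing around the detection name quoted in the post; `naive_name`, `parse_reply` and `action` are hypothetical helpers. A parser that cuts at the last colon returns `457)`, while one that treats the parenthesised suffix as a separate field keeps the name and the `UNOFFICIAL` marker usable for the reject/mark policy.

```python
import re

# Constructed clamd reply line built from the detection name quoted in the post.
# The "stream: ... FOUND" framing is an assumption, not text from the post.
SAMPLE = ("stream: INetMsg.SpamDomain-2m.engduates_com.UNOFFICIAL"
          "(924747f3c8e4b999eb887c755839021b:457) FOUND")

def naive_name(reply):
    """Hypothetical parser: keep what follows the LAST colon, drop ' FOUND'."""
    tail = reply.rsplit(":", 1)[1].strip()
    return tail[:-len(" FOUND")] if tail.endswith(" FOUND") else tail

# Tolerant pattern: name, optional .UNOFFICIAL marker, optional "(hex:number)".
_REPLY = re.compile(
    r"^(?P<target>.*?): "                 # scanned object, up to the first ': '
    r"(?P<name>[^\s()]+?)"                # signature name, without the marker
    r"(?P<unofficial>\.UNOFFICIAL)?"      # third-party signature marker
    r"(?:\((?P<digest>[0-9a-fA-F]+):(?P<num>\d+)\))?"  # suffix seen in the post
    r" FOUND$")

def parse_reply(reply):
    """Return the parsed detection as a dict, or None if nothing was found."""
    m = _REPLY.match(reply.strip())
    if m is None:
        return None
    return {"name": m.group("name"),
            "unofficial": m.group("unofficial") is not None,
            "digest": m.group("digest"),
            "num": m.group("num")}

def action(reply):
    """Policy from the post: reject official signatures, mark UNOFFICIAL ones."""
    info = parse_reply(reply)
    if info is None:
        return "no-detection"
    return "mark" if info["unofficial"] else "reject"

if __name__ == "__main__":
    print("naive :", naive_name(SAMPLE))
    print("parsed:", parse_reply(SAMPLE))
    print("action:", action(SAMPLE))
```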