From clamav-win32-bounces@lists.clamav.net  Fri Jun  6 11:48:03 2008
Return-Path: <clamav-win32-bounces@lists.clamav.net>
X-Original-To: list@tad.clamav.net
Delivered-To: list@tad.clamav.net
X-Virus-Scanned: Debian amavisd-new at tad.clamav.net
Received: from tad.clamav.net ([127.0.0.1])
	by localhost (tad.clamav.net [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id NYUxjxGy+QSp; Fri,  6 Jun 2008 11:48:01 +0200 (CEST)
Received: from tad.clamav.net (localhost.localdomain [127.0.0.1])
	by tad.clamav.net (Postfix) with ESMTP id 01AAE16C238;
	Fri,  6 Jun 2008 11:48:01 +0200 (CEST)
X-Original-To: clamav-win32@tad.clamav.net
Delivered-To: clamav-win32@tad.clamav.net
X-Virus-Scanned: Debian amavisd-new at tad.clamav.net
Received: from tad.clamav.net ([127.0.0.1])
	by localhost (tad.clamav.net [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id kg7N+BUyQlbe for <clamav-win32@tad.clamav.net>;
	Fri,  6 Jun 2008 11:47:58 +0200 (CEST)
X-Greylist: delayed 1168 seconds by postgrey-1.27 at tad;
	Fri, 06 Jun 2008 11:47:58 CEST
Received: from clayreed.com (clayreed.com [217.151.97.226])
	by tad.clamav.net (Postfix) with ESMTP id A729416C021
	for <clamav-win32@lists.clamav.net>;
	Fri,  6 Jun 2008 11:47:58 +0200 (CEST)
Date: Fri, 06 Jun 2008 10:26:22 +0100
Message-ID: <CLYR810251D4@clayreed.com>
To: clamav-win32@lists.clamav.net
From: Martin Clayton <local.mc.clamav-win32@clayreed.com>
Organization: Clayton Reed Associates
User-Agent: Thunderbird 2.0.0.14 (Windows/20080421)
MIME-Version: 1.0
References: <200805290712.DAA12415@eclipse.cise.ufl.edu>
	<48469E5B.70300@spamcop.net>
In-Reply-To: <48469E5B.70300@spamcop.net>
Received: from clayreed.com (news:local.mc.clamav-win32) by clayreed.com
	via news2mail gateway (Mailtraq 2.12.2.2372) id CLYR810251D4
	for clamav-win32@lists.clamav.net; Fri, 06 Jun 2008 10:26:26 +0100
Subject: Re: [clamav-win32] Phishing caught on outbound mail but not on
	inbound
X-BeenThere: clamav-win32@lists.clamav.net
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: clamav-win32@lists.clamav.net
List-Id: <clamav-win32.lists.clamav.net>
List-Unsubscribe: <http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-win32>,
	<mailto:clamav-win32-request@lists.clamav.net?subject=unsubscribe>
List-Archive: <http://lists.clamav.net/pipermail/clamav-win32>
List-Post: <mailto:clamav-win32@lists.clamav.net>
List-Help: <mailto:clamav-win32-request@lists.clamav.net?subject=help>
List-Subscribe: <http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-win32>,
	<mailto:clamav-win32-request@lists.clamav.net?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: clamav-win32-bounces@lists.clamav.net
Errors-To: clamav-win32-bounces@lists.clamav.net

esperanto@spamcop.net wrote:
> I've noticed many times in the last few days that an arriving phishing 
> attempt is not caught by ClamAV. But when I forward that same phishing 
> attempt as an attachment to another e-mail address only a few minutes 
> later, ClamAV blocks it, e.g. with the message 550 contains virus -- 
> (Phishing.Heuristics.Email.SpoofedDomain FOUND)
> 
> I can accept that ClamAV blocks my forwarding, but why wasn't the mail 
> blocked at arrival?

OP sent me a sample message which produced exactly the same behaviour. 
We're both using the Mailtraq MTA, which supports the official win32 
distribution (0.92.1). Detection only takes place when the MIME part is 
Content-Type: message/rfc822.

The original inbound mail was 'single part' with Content-Type: 
text/html. Similarly, detection doesn't take place when the mail client 
forwards inline (as text/plain) rather than as an attachment.

So, is it a bug or by design -- does the heuristic algorithm require a MIME 
part of message/rfc822? Shouldn't it also fire when the offending URLs 
are presented as text/html or even text/plain?

Thanks in advance.
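Added example, not part of the thread and not ClamAV's own code: a small Python check that walks every MIME part of a message, including nested message/rfc822 attachments, and flags anchors whose visible URL text names a different host than the href target. That href-versus-link-text mismatch is what the signature name Phishing.Heuristics.Email.SpoofedDomain suggests (an assumption here; ClamAV's actual heuristic is not reproduced). The two messages it builds are constructed with reserved example domains and model the two cases above: the original single-part text/html mail and the same mail forwarded as a message/rfc822 attachment. Running it shows that a walker which looks at every text/html part fires in both cases, which is the behaviour the reply asks about.

```python
"""Flag anchors whose visible URL text points at a different host than the href.

Added example for this thread; not ClamAV code. Sample messages are constructed
and use reserved example domains only.
"""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body: the visible link text claims one host, the href goes elsewhere.
SAMPLE_HTML = (
    "<html><body>\n"
    "<p>Please verify your account:</p>\n"
    '<a href="http://login.example.net/verify">http://bank.example.com/</a>\n'
    "</body></html>\n"
)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.pairs = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None


def spoofed_links(html):
    """Return (href_host, text_host) pairs where the visible text is itself a URL
    whose host differs from the href host."""
    collector = _AnchorCollector()
    collector.feed(html)
    hits = []
    for href, text in collector.pairs:
        if not text.lower().startswith(("http://", "https://")):
            continue  # link text is a label, not a URL: nothing to compare
        href_host = urlparse(href).hostname
        text_host = urlparse(text).hostname
        if href_host and text_host and href_host.lower() != text_host.lower():
            hits.append((href_host, text_host))
    return hits


def scan_message(msg):
    """Walk all parts, descending into message/rfc822 attachments, and return hits
    from every text/html body. A text/plain body has no href/text pair to compare."""
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            hits.extend(spoofed_links(part.get_content()))
    return hits


def scan_bytes(raw):
    """Parse a raw RFC 5322 message and scan it (the form an MTA hands to a scanner)."""
    return scan_message(email.message_from_bytes(raw, policy=policy.default))


def build_single_part():
    """Inbound form from the thread: one text/html body, no wrapper (constructed)."""
    msg = EmailMessage()
    msg["From"] = "alerts@bank.example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Account verification"
    msg.set_content(SAMPLE_HTML, subtype="html")
    return msg


def build_forwarded():
    """Forwarded-as-attachment form: the same message wrapped as message/rfc822 (constructed)."""
    outer = EmailMessage()
    outer["From"] = "user@example.org"
    outer["To"] = "abuse@example.org"
    outer["Subject"] = "Fwd: Account verification"
    outer.set_content("Forwarding a suspicious message for review.")
    outer.add_attachment(build_single_part())  # becomes a message/rfc822 part
    return outer


if __name__ == "__main__":
    for label, builder in (("single-part text/html", build_single_part),
                           ("forwarded message/rfc822", build_forwarded)):
        print(label, "->", scan_bytes(builder().as_bytes()))
```

Both forms report the same `(login.example.net, bank.example.com)` mismatch because the walker inspects every text/html part regardless of whether it sits at the top level or inside a message/rfc822 wrapper. An inline forward as text/plain carries no href/text pair, so this kind of check has nothing to compare there; that limitation is independent of where the part sits in the MIME tree.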