|Main Archive Page > Month Archives > clamav-users archives|
Phil Chambers wrote:
> I was not aware that there was any way to get clamd to do anything other than
> check the content of messages. The Sanesecurity signatures are just a set of
> phishing and scam signatures for ClamAV which are used in addition to the
> standard ClamAV ones.
> Given that ClamAV reports finding "Email.Spam.Sanesecurity.Url_269", for
> example, how do I look up the signature that clamd is using for that?
Grep that string from the Sane Security patterns. This one is in scam.ndb and produces this:
Copy the hex string beginning with 4E to the end and paste it into the right hand window at this location:
Then click decode. You must do this because if I paste in the solution here many mail systems will reject this post. While the name suggests it is a URL sig it is not. It is a simple regex pattern of clearly objectionable content. It is not the kind of thing ClamAV should miss the first time through unless there is a mime decode error or other policy that prevents scanning messages from the particular source to to a particular recipient.