[Mimedefang] Re: MimeDefang vs clamav

Jan Pieter Cornet johnpc at xs4all.nl
Thu Aug 5 17:53:01 EDT 2004


On Thu, Aug 05, 2004 at 09:58:33AM -0700, Richard A Nelson wrote:
> Today, I see that clamdscan called by mimedefang is *still* not
> detecting Worm.Mydoom.M, whilst the subsequent clamav-milter *is* :(
> 
> The mimedefang->clamdscan *is* catching some, just not (for the nonce)
> some of the attempts:
> 	Worm.Mydoom.M, Worm.SomeFool.Gen-1, Worm.SomeFool.Gen-2
> so I'm left thinking that even though mimedefang and clamdscan are
> running different uids, there shouldn't be a permissions issue.

I'm just guessing here, but... are you sure your clamd is up to
date? (I'm not familiar with clamav-milter, does that use clamd
too, internally? Or does it use the clamav libs directly?)

Also... is "ScanMail" included in your clamav.conf?
 
> I'm running spamassassin 3.0pre2, so it is *not* the umask issue -
> I even perused the code to make sure...
> 
> Here's my mimedefang-filter(pretty stock) if anyone can help:
> 	http://www.cavein.org/mimedefang-filter

I can't find anything specific in the filter. You could try
md_copy_orig_msg_to_work_dir_as_mbox_file() instead of the
md_copy_orig_msg_to_work_dir() you have now; it could be
that clamd doesn't recognise the mail otherwise (but I doubt it).

I just tried sending a mydoom.m to myself, and my mimedefang/clamd
blocks it just fine... and I'm not even using md_copy_orig_msg...!
(It very well might have been another mydoom.m variant that doesn't
abuse MIME as much).

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm <pmmppfmfpppppfmmmf at fpffmm4mmmpmfpmf.ppppmf>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;                                # Jan-Pieter Cornet
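
The suggested swap in context, as an added example that is not part of the original post or of Richard's filter: a `filter_begin` that uses the mbox copy and logs clamd's verdict, so a clean result can be told apart from a scan that never ran. It assumes a MIMEDefang build with clamd support and `md_syslog`; the log wording is illustrative.

```perl
# Added example: a filter_begin for mimedefang-filter. It runs inside
# MIMEDefang (which supplies these functions and globals), not stand-alone.
sub filter_begin {
    my ($entity) = @_;

    # Suggested swap: copy INPUTMSG into the work directory as an mbox file
    # instead of calling md_copy_orig_msg_to_work_dir().
    md_copy_orig_msg_to_work_dir_as_mbox_file();

    unless ($Features{'Virus:CLAMD'}) {
        md_syslog('warning', 'clamd support is not enabled in this MIMEDefang');
        return;
    }

    # Query clamd; the call returns (code, category, action).
    my ($code, $category, $action) = message_contains_virus_clamd();

    # Log every verdict so "clamd said clean" is distinguishable from
    # "clamd was never successfully asked".
    my $name = defined($VirusName) ? $VirusName : '';
    md_syslog('info',
        "clamd: code=$code category=$category action=$action virus=$name");

    if ($category eq 'virus') {
        md_graphdefang_log('virus', $VirusName, $RelayAddr);
        return action_discard();
    }

    # The scanner could not be run or reached (for example a socket or
    # work-directory permission problem between the two uids): defer the
    # mail rather than deliver it unscanned.
    if ($action eq 'tempfail') {
        md_syslog('warning',
            "clamd scan failed: code=$code category=$category");
        return action_tempfail('Problem running virus-scanner');
    }
    return;
}
```

Comparing these log lines with clamav-milter's log for the same message shows whether the MIMEDefang path reached clamd at all for the samples that slipped through.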


