[Mimedefang] Problem: Clamav-0.90 + Mimedefang 2.61

PF kernel at pkts.ca
Mon Feb 19 02:29:31 EST 2007


Everything is fixed; eicar.aaa wasn't detected because my hand-crafted
email virus sender (tcl/expect) specified the attachment was mime
encoded, when it was just plain text.  The Eicar virus is special that
way; every character is printable, so I forgot to mime-encode it.  It
was weird; the scanner would find the zipped viruses, but not the plain
one.

I'm including my handy program for testing virus scanning.  It depends
on the presence of 'expect' and 'telnet'.

Usage: testvirus whatvirus emailaddress <emailaddress...>
  This will send a test virus to the email addresses.
  Set whatvirus to one of these values
    0: Eicar virus
    1: zipped Eicar
    2: zipped+encrypted Eicar
    3: double-zipped Eicar
    4: zipped+zipped+encrypted Eicar
    5: Hello world
Sorry, the mail host to test and email addresses are hardcoded inside
the program, but hey, at least there's no config file to mess with.

On Sun, 2007-02-18 at 20:51 -0800, PF wrote:
> Hi...
> 
> Clamav started reporting that a new version was out, and I should
> upgrade.  I did (to 0.90), and then Mimedefang broke.
> 
> So, I upgraded Mimedefang (to 2.61).  Didn't fix the problem.  The
> problem shows up as:
> 
> mimedefang.pl[32265]: Problem running virus scanner: code=226,
> category=swerr, action=tempfail
> 
> I've seen worse error messages, but they didn't have English in them.
> 
> Part of my problem is that the 'lam' package (lam-7.1.1-7.FC3.i386.rpm)
> was installed when I installed the new version of mimedefang.  Lam
> contains a utility called 'sweep', which conflicts with the name of the
> Sophos antivirus program.  Typing 'rpm -e lam' isn't enough, you also
> have to edit /usr/bin/mimedefang.pl and replace '/usr/bin/sweep' with
> '/bin/false'.
> 
> Second part of the problem is that clamav doesn't accept the --mbox
> command line option any more; edit /usr/bin/mimedefang.pl again.
> 
> Mail is moving again, but it's not detecting viruses (like eicar.com,
> renamed to eicar.aaa).  Arrrgh.. more debugging to do.

-- 
PF <kernel at pkts.ca>
-------------- next part --------------
#!/usr/bin/expect -f
#
# testvirus: hand a MIME message carrying one of several EICAR test-file
# variants to a mail host over SMTP, to check that the virus scanner in the
# mail path actually fires.  Needs 'expect' and 'telnet'.  The mail host and
# the sender address are hardcoded below; recipients come from the command line.

if {[llength $argv] < 2} {
  puts "Usage: $argv0 whatvirus username <username...>"
  puts "  This will send a test virus to that username"
  puts "  Set whatvirus to one of these values"
  puts "    0: Eicar virus"
  puts "    1: zipped Eicar"
  puts "    2: zipped+encrypted Eicar"
  puts "    3: double-zipped Eicar"
  puts "    4: zipped+zipped+encrypted Eicar"
  puts "    5: Hello world"
  exit 2
}

set virus [lindex $argv 0]
set argv [lrange $argv 1 end]
if {![string is integer -strict $virus] || $virus < 0 || $virus > 5} {
  puts "Error: virus number ranges from 0 to 5."
  exit 2
}

# Hardcoded: the mail host under test, the envelope/header sender, and the
# MIME boundary used for the two-part message.
set mailhost "example.mailhost.com"
set sender "myaddress@foo.bar.com"
set boundary "=-95QF/OAr47MMCMD7EMcF"

#log_user 0
set timeout 45
spawn telnet $mailhost 25
match_max 100000
expect -re "220.*\n"
send -- "helo myhost.example.com\r"
expect -re "250 .*\n"

send -- "mail from: <$sender>\r"
expect -re "250 .*\n"

set vbody ""
set extra ""

# Every body below is already base64-encoded, so it matches the
# "Content-Transfer-Encoding: base64" header sent with the attachment.
# (Sending the plain EICAR text under a base64 header is exactly what made
# eicar.aaa invisible to the scanner.)
if {$virus == 0} {
  #    0: Eicar virus, as a plain-text attachment
  set vname "eicar.aaa"
  set vtype "text/plain"
  set extra "; charset=us-ascii"
  set vbody "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy\n1URVNULUZJTEUhJEgrSCo=\n"
}

if {$virus == 1} {
  #    1: zipped Eicar
  set vname "eicar.zip"
  set vtype "application/x-java-archive"
  set vbody "UEsDBAoAAAAAAOMIjzA8z1FoRAAAAEQAAAAJABUAZWljYXIuY29tVVQJAAOpQn5A3WvYRV\nV4BAAAAAAAWDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFO\nVElWSVJVUy1URVNULUZJTEUhJEgrSCpQSwECFwMKAAAAAADjCI8wPM9RaEQAAABEAAAACQ\nANAAAAAAABAAAAgIEAAAAAZWljYXIuY29tVVQFAAOpQn5AVXgAAFBLBQYAAAAAAQABAEQA\nAACAAAAAAAA="
}

if {$virus == 2} {
  #    2: zipped+encrypted Eicar
  set vname "eicarenc.zip"
  set vtype "application/x-java-archive"
  set vbody "UEsDBAoACQAAAOMIjzA8z1FoUAAAAEQAAAAJABUAZWljYXIuY29tVVQJAAOpQn5AkGzYRV\nV4BAAAAAAAqToZVlCt9mn5sVtRuzb5A8tvxqBW7G4gTV2sJnqmqf7SKwKmaScEtDplp5mz\n0VS21ki/JmoYTyxZbP+gisHIDjMwH02KJBM+LAor5D6Tw/FQSwcIPM9RaFAAAABEAAAAUE\nsBAhcDCgAJAAAA4wiPMDzPUWhQAAAARAAAAAkADQAAAAAAAQAAAICBAAAAAGVpY2FyLmNv\nbVVUBQADqUJ+QFV4AABQSwUGAAAAAAEAAQBEAAAAnAAAAAAA\n"
}

if {$virus == 3} {
  #    3: double-zipped Eicar
  set vname "eicar2.zip"
  set vtype "application/x-java-archive"
  set vbody "UEsDBAoAAAAAAGY5UjYQ+53z2gAAANoAAAAJABUAZWljYXIuemlwVVQJAAOQbNhFkGzYRV\nV4BAAAAPQBUEsDBAoAAAAAAOMIjzA8z1FoRAAAAEQAAAAJABUAZWljYXIuY29tVVQJAAOp\nQn5A3WvYRVV4BAAAAAAAWDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU\n5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCpQSwECFwMKAAAAAADjCI8wPM9RaEQA\nAABEAAAACQANAAAAAAABAAAAgIEAAAAAZWljYXIuY29tVVQFAAOpQn5AVXgAAFBLBQYAAA\nAAAQABAEQAAACAAAAAAABQSwECFwMKAAAAAABmOVI2EPud89oAAADaAAAACQANAAAAAAAA\nAAAAgIEAAAAAZWljYXIuemlwVVQFAAOQbNhFVXgAAFBLBQYAAAAAAQABAEQAAAAWAQAAAA\nA=\n"
}

if {$virus == 4} {
  #    4: zipped+zipped+encrypted Eicar
  set vname "eicar2enc.zip"
  set vtype "application/x-java-archive"
  set vbody "UEsDBAoAAAAAAMM7UjZY9eOn9gAAAPYAAAAMABUAZWljYXJlbmMuemlwVVQJAAP9cNhFKn\nHYRVV4BAAAAAAAUEsDBAoACQAAAOMIjzA8z1FoUAAAAEQAAAAJABUAZWljYXIuY29tVVQJ\nAAOpQn5AkGzYRVV4BAAAAAAAqToZVlCt9mn5sVtRuzb5A8tvxqBW7G4gTV2sJnqmqf7SKw\nKmaScEtDplp5mz0VS21ki/JmoYTyxZbP+gisHIDjMwH02KJBM+LAor5D6Tw/FQSwcIPM9R\naFAAAABEAAAAUEsBAhcDCgAJAAAA4wiPMDzPUWhQAAAARAAAAAkADQAAAAAAAQAAAICBAA\nAAAGVpY2FyLmNvbVVUBQADqUJ+QFV4AABQSwUGAAAAAAEAAQBEAAAAnAAAAAAAUEsBAhcD\nCgAAAAAAwztSNlj146f2AAAA9gAAAAwADQAAAAAAAAAAAICBAAAAAGVpY2FyZW5jLnppcF\nVUBQAD/XDYRVV4AABQSwUGAAAAAAEAAQBHAAAANQEAAAAA\n"
}

if {$virus == 5} {
  #    5: not a virus: "Hello world"
  set vname "testing"
  set vtype "application/octet-stream"   ;# was "application/octet-data", which is not a real type
  set vbody "SGVsbG8gd29ybGQK\n"
}

# Hand every recipient to the server first; the message itself goes out once,
# after DATA, to all accepted recipients.  (Issuing DATA after each RCPT would
# end the transaction, so the second recipient's RCPT would be rejected.)
set accepted {}
foreach who $argv {
  send -- "rcpt to: <$who>\r"
  expect {
    -re "250 .*\n" { lappend accepted $who }
    -re "513 .*\n" { puts "bad $who" }
    -re "550 .*\n" { puts "bad $who" }
    timeout        { puts "unknown $who" }
  }
}

if {[llength $accepted] == 0} {
  puts "Error: no recipient was accepted; nothing sent."
  send -- "quit\r"
  expect eof
  exit 1
}

send -- "data\r"
expect -re "354 .*\n"
send "From: Virus tester <$sender>\r"
send "To: <[join $accepted ">, <"]>\r"
send "Subject: test $vname\r"
send "Content-Type: multipart/mixed; boundary=\"$boundary\"\r"
# A fresh Message-Id per run, so repeated tests are not dropped as duplicates.
send "Message-Id: <[clock seconds].[pid].testvirus@myhost.example.com>\r"
send "Mime-Version: 1.0\r"
send "X-Mailer: Evolution 2.8.3 (2.8.3-1.fc6) \r"
send "\r"
send -- "--$boundary\r"
send "Content-Type: text/plain\r"
send "Content-Transfer-Encoding: 7bit\r"
send "\r"
send "Test of $vname standard test virus\r"
send "\r"
send -- "--$boundary\r"
send "Content-Disposition: attachment; filename=$vname\r"
send "Content-Type: $vtype; name=$vname$extra\r"
send "Content-Transfer-Encoding: base64\r"
send "\r"
send "$vbody\r"
send "\r"
send -- "--$boundary--\r"
send "\r"
send ".\r"
expect -re "250 .*\n"

send -- "quit\r"
expect eof
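An added illustration, not part of the post or of MIMEDefang: why eicar.aaa went undetected, reproduced with Python's email library. It builds the same two-part message the expect script sends, with the Content-Transfer-Encoding header and the real encoding of the body controlled separately, then decodes the attachment the way a MIME-aware scanner does before looking for the EICAR string. The addresses and boundary are constructed placeholders.

```python
import base64
from email import message_from_bytes
from email.policy import default

# The standard EICAR anti-virus test string (a harmless industry test file).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
BOUNDARY = "=-constructed-boundary"  # constructed; any unique token will do

def build_test_message(name: str, body: bytes, declare_base64: bool,
                       encode_base64: bool) -> bytes:
    """Same two-part layout the expect script sends; the declared CTE and the
    body's real encoding are set independently to reproduce the mismatch."""
    payload = (base64.b64encode(body) if encode_base64 else body).decode("ascii")
    cte = "base64" if declare_base64 else "7bit"
    lines = [
        "From: Virus tester <tester@example.invalid>",  # constructed addresses
        "To: <scanner-test@example.invalid>",
        f"Subject: test {name}",
        f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"',
        "Mime-Version: 1.0",
        "",
        f"--{BOUNDARY}",
        "Content-Type: text/plain",
        "Content-Transfer-Encoding: 7bit",
        "",
        f"Test of {name} standard test virus",
        "",
        f"--{BOUNDARY}",
        f"Content-Disposition: attachment; filename={name}",
        f"Content-Type: application/octet-stream; name={name}",
        f"Content-Transfer-Encoding: {cte}",
        "",
        payload,
        "",
        f"--{BOUNDARY}--",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")

def decoded_attachment(raw: bytes) -> bytes:
    """What a MIME-aware scanner works on: the attachment decoded according to
    the Content-Transfer-Encoding it declares, whether that is right or wrong."""
    msg = message_from_bytes(raw, policy=default)
    for part in msg.iter_attachments():
        return part.get_payload(decode=True)
    return b""

def eicar_visible(raw: bytes) -> bool:
    """True when the EICAR string survives the declared decoding."""
    return EICAR in decoded_attachment(raw)
```

Declaring base64 over a plain-text body (the post's mistake) makes the decoder turn the EICAR text into 37 bytes of garbage, so the signature never appears; either consistent combination keeps it visible.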

