spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: clamav plugin?

2004-01-29 12:42:39
from [Guillaume Filion] [Permanent Link] 
"frank" <ratty(_at_)they(_dot_)org> wrote:
Just today I installed clamav and I'm having problems with it too. In my
case, I finally tracked it down to SPF. The SPF plugin adds a
"Received-SPF:" header to the top of the message and I believe clamav is
choking on it because it wants to read a plain "Received:" header. I
haven't checked clamav sources but experimentation shows this to be the
case. I guess I could add an extra blank "Received:" inside the plugin
code for a quick fix.


Yep, you've got it. I can reproduce with a sample virus message (with full
headers). I put a Received-SPF header on top of the message in file
"virus-bug-clamav-withspf" and I put the exact same message without the
Received-SPF header in virus-bug-clamav-nospf.

gfk(_at_)ali:~$ head -n 2 virus-bug-clamav-nospf
Received: from wifi-d9148176.obudanet.hu (HELO netvision.net.il)
(217.20.129.118)
  by baba.logidac.com (qpsmtpd/0.27-dev) with ESMTP; Wed, 28 Jan 2004
15:20:07 +0000
gfk(_at_)ali:~$ head -n 2 virus-bug-clamav-withspf
Received-SPF: unknown (domain of sender 
nitsanko(_at_)netvision(_dot_)net(_dot_)il does not
designate mailers)
Received: from wifi-d9148176.obudanet.hu (HELO netvision.net.il)
(217.20.129.118)

gfk(_at_)ali:~$ clamscan --mbox --disable-summary virus-bug-clamav-withspf
virus-bug-clamav-withspf: OK
gfk(_at_)ali:~$ clamscan --mbox --disable-summary virus-bug-clamav-nospf
virus-bug-clamav-nospf: Worm.SCO.A FOUND

I'm crossposting this on the SPF mailing list where it's sure to spark
interest.

Thanks a lot for finding that out,
GFK's
-- 
Guillaume Filion, ing. jr
Logidac Tech., Beaumont, Québec, Canada - http://logidac.com/
PGP Key and more: http://guillaume.filion.org/

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
Wiki: 
http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/HomePage
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname(_at_)½§Åv¼ð¦ç?2b¥yÈbox(_dot_)com
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  The next IETF meeting will have a BOF that discusses SPF, wayne
Next by Date:  procmail, Meng Weng Wong
Previous by Thread:  The next IETF meeting will have a BOF that discusses SPF, wayne
Next by Thread:  Re: Re: clamav plugin?, Guillaume Filion
Indexes:  [Date] [Thread] [Top] [All Lists]