Pegasus Mail & Mercury

Welcome to the Community for Pegasus Mail and
The Mercury Mail Transport System, the Internet's longest-serving PC e-mail system!

Problem with ClamWall /ClamAV filtering of mail headers

Last post 07-01-2009, 13:16 by kwikzilver. 6 replies.
  •  06-30-2009, 13:59

    • kwikzilver is not online. Last active: 07-31-2009, 20:59 kwikzilver
    • Top 500 Contributor
    • Joined on 05-23-2008
    • Amsterdam - The Netherlands
    • Member
    • Points 190

    Problem with ClamWall /ClamAV filtering of mail headers

    We are using the latest available versions of Mercury/32 (v4.62), ClamWall (1.4.0.96) and ClamAV (0.95.2 from tBB), all running as Windows services.

    The production mail server at the office is running under Windows XP-SP3, and at home I have Mercury/32 running on a Windows 2000-SP4 machine. As far as I can see, both installations and settings are identical.

    The problem is with ClamAV not filtering on header information at the production server. I know this because there are test signatures available from Sanesecurity for ClamAV that can be put in messages to test the filtering. See: http://www.sanesecurity.co.uk/sigtests.htm

    The two test signatures for the mail body are filtered by both servers, but the test signature for the subject (header) field is only filtered by my server at home, and not by our production server.

    Does anyone have an idea what can be the cause of this?

  •  06-30-2009, 14:24

    • tBB is not online. Last active: 02-04-2010, 8:49 tBB
    • Top 50 Contributor
    • Joined on 05-08-2007
    • Member
    • Points 1,020

    Re: Problem with ClamWall /ClamAV filtering of mail headers

    kwikzilver:

    Does anyone have an idea what can be the cause of this?

    Not really. ClamWall passes the whole mail to ClamD without any modifications and, as the test signature in the body is recognized at both installations, it seems that the SaneSecurity signatures are also correctly loaded. The only thing which comes to my mind is that some other instance (e.g. a daemon) modified the Subject header before ClamWall got it.

    Best regards,

    Nico

  •  06-30-2009, 16:10

    • kwikzilver is not online. Last active: 07-31-2009, 20:59 kwikzilver
    • Top 500 Contributor
    • Joined on 05-23-2008
    • Amsterdam - The Netherlands
    • Member
    • Points 190

    Re: Problem with ClamWall /ClamAV filtering of mail headers

    Thanks for your quick reply Nico!

    What kind of other daemon could this be? As far as I know, there are no other daemons active.

    Also, the strange thing is that the message that comes through unfiltered still does have the SaneSecurity signature in the subject field, so it looks like being not modified.

    UPDATE:

    Why I don't know, but it suddenly appears to be working now! The subject signature is now filtered as well. So please ignore my post. Maybe it was due to not all signature databases being updated from the SaneSecurity servers?

    Anyhow, thanks Nico, for your great software! Now that I have upgraded to the latest version of ClamAV a lot more spam is being filtered again, which makes my boss happy.

    Kind regards,

    Ed

  •  06-30-2009, 18:53

    • PaulW is not online. Last active: 09 Feb 2010, 10:54 PaulW
    • Top 10 Contributor
    • Joined on 05-08-2007
    • UK
    • Star
    • Points 9,320

    Re: Problem with ClamWall /ClamAV filtering of mail headers

    kwikzilver:
    The problem is with ClamAV not filtering on header information at the production server. I know this because there are test signatures available from Sanesecurity for ClamAV that can be put in messages to test the filtering. See: http://www.sanesecurity.co.uk/sigtests.htm

    The two test signatures for the mail body are filtered by both servers, but the test signature for the subject (header) field is only filtered by my server at home, and not by our production server.

    Does anyone have an idea what can be the cause of this?

    I see it is now working, but a possible explanation has to do with the .ftm files. There is one in the 'daily' data from ClamAV, and Sanesecurity provide one too, as mentioned in the link you provide. These determine the file types, and in particular, what is recognised as a mail message. It is possible that the message to the production server had a different header structure and was not properly identified. (It is a fairly recent introduction to the Sanesecurity signatures, and may still need some additional 'tweaking'.)
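Both explanations offered in this thread (Nico's "something modified the Subject header before ClamWall got it" and PaulW's "different header structure, so not identified as mail") can be checked on a saved copy of the message before anyone touches the scanner configuration. The script below is an added example written for this thread; it is not code from ClamWall, ClamAV or Sanesecurity, and it does not implement ClamAV's .ftm logic. It assumes a constructed placeholder marker (the real Sanesecurity test strings are on the sigtests page linked above) and a deliberately simplified "does the first line look like a mail header" check. It reports whether the marker is present as raw bytes in the header block, in the body, and in the decoded Subject, and it simulates an intermediate that re-encodes the Subject as RFC 2047 base64: the logical Subject is unchanged, but the bytes a signature scanner sees are not.

```python
"""Diagnose why a header-placed test signature may go undetected.

Added example for the ClamWall/ClamAV thread; not code from any of the
projects discussed. TEST_MARKER is a constructed placeholder.
"""
import base64
import re
from email import message_from_bytes
from email.header import decode_header, make_header

# Constructed placeholder; substitute the published Sanesecurity test string.
TEST_MARKER = b"SANESECURITY-TEST-MARKER-PLACEHOLDER"

# RFC 5322 field name (printable ASCII except ':') followed by a colon.
HEADER_LINE = re.compile(rb"^[!-9;-~]+:")


def split_header_body(raw: bytes):
    """Split a raw message at the first blank line (CRLF or bare LF)."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        idx = raw.find(sep)
        if idx != -1:
            return raw[: idx + len(sep)], raw[idx + len(sep):]
    return raw, b""


def looks_like_mail(raw: bytes) -> bool:
    """Simplified stand-in for file-type recognition (assumption, not ClamAV's
    .ftm rules): the first line must be a header field or an mbox 'From ' line."""
    first = raw.split(b"\n", 1)[0].rstrip(b"\r")
    return first.startswith(b"From ") or bool(HEADER_LINE.match(first))


def decoded_subject(raw: bytes) -> str:
    """Return the Subject after RFC 2047 decoding, as a mail client shows it."""
    msg = message_from_bytes(raw)
    return str(make_header(decode_header(msg.get("Subject", ""))))


def diagnose(raw: bytes, marker: bytes = TEST_MARKER) -> dict:
    """Where is the marker visible: raw header bytes, raw body bytes, decoded Subject?"""
    header, body = split_header_body(raw)
    return {
        "recognised_as_mail": looks_like_mail(raw),
        "marker_raw_in_header": marker in header,
        "marker_raw_in_body": marker in body,
        "marker_in_decoded_subject": marker.decode() in decoded_subject(raw),
    }


def encode_subject_like_a_rewriter(raw: bytes) -> bytes:
    """Simulate an intermediate that rewrites a single-line Subject as base64
    encoded-word. Meaning is preserved; the raw bytes the scanner sees change."""
    header, body = split_header_body(raw)
    out = []
    for line in header.split(b"\n"):
        if line.lower().startswith(b"subject:"):
            value = line.split(b":", 1)[1].strip()
            enc = base64.b64encode(value).decode()
            line = f"Subject: =?utf-8?b?{enc}?=".encode()
            line += b"\r" if header.find(b"\r\n") != -1 else b""
        out.append(line)
    return b"\n".join(out) + body


# Constructed sample message: marker only in the Subject, not in the body.
ORIGINAL = (
    b"From: sender@example.invalid\r\n"
    b"To: recipient@example.invalid\r\n"
    b"Subject: test " + TEST_MARKER + b"\r\n"
    b"\r\n"
    b"Body without the marker.\r\n"
)

# Same message after a Subject-rewriting intermediate.
REWRITTEN = encode_subject_like_a_rewriter(ORIGINAL)

# Constructed non-mail blob: the marker is there, but nothing marks it as mail.
NOT_MAIL = b"This is not a mail message\r\nSubject: " + TEST_MARKER + b"\r\n\r\nx\r\n"

if __name__ == "__main__":
    for name, raw in (("original", ORIGINAL), ("rewritten", REWRITTEN), ("not mail", NOT_MAIL)):
        print(name, diagnose(raw))
```

Run it against a message saved from the production server's queue and from the home server: if `marker_raw_in_header` differs between the two while `marker_in_decoded_subject` is true for both, something between the MTA and ClamWall rewrote the header, which is Nico's scenario; if `recognised_as_mail` is false for the production copy, the message's leading lines do not look like a mail header, which is the direction PaulW points in.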


  •  07-01-2009, 0:03

    • kwikzilver is not online. Last active: 07-31-2009, 20:59 kwikzilver
    • Top 500 Contributor
    • Joined on 05-23-2008
    • Amsterdam - The Netherlands
    • Member
    • Points 190

    Re: Problem with ClamWall /ClamAV filtering of mail headers

    Thanks for your addition PaulW.

    It indeed is working OK on both servers, now after several tests from several locations and mail applications. So I am confident that it is fine now.

    The file sanesecurity.ftm is not listed in the default ClamSup.ini file from tBB, and until now I didn't download and thus use it on both servers.

    Is it my correct understanding that the ftm file contents (defining the type of messages to be recognised) are also part of the daily.cld file that comes in via freshClam? If so, can it be that there is a difference between the freshClam and the SaneSecurity ftm files? And if so, could it not cause problems to use both those files together?

    Or do I always need a separate ftm file in the data directory (which I currently don't have)?

  •  07-01-2009, 8:43

    • tBB is not online. Last active: 02-04-2010, 8:49 tBB
    • Top 50 Contributor
    • Joined on 05-08-2007
    • Member
    • Points 1,020

    Re: Problem with ClamWall /ClamAV filtering of mail headers

    The SaneSecurity.ftm file is not downloaded by the script because usually it's not needed. Currently the only known case where it's needed is the Linux MailScanner application which doesn't pass the unmodified mail to ClamD.

    Best regards,

    Nico

  •  07-01-2009, 13:16

    • kwikzilver is not online. Last active: 07-31-2009, 20:59 kwikzilver
    • Top 500 Contributor
    • Joined on 05-23-2008
    • Amsterdam - The Netherlands
    • Member
    • Points 190

    Re: Problem with ClamWall /ClamAV filtering of mail headers

    Thanks again Nico, for clearing this up.

    I will keep the config as it is now (never fix it if it ain't broken ;-).

    I have another (performance) issue with your ClamAV implementation, but this does not have anything to do with Mercury32 (I think), so I will contact you directly through your web site.

    Regards,

    Ed


Copyright © 2007-2010 David Harris / Peter Strömblad.