[Rspamd-Users] Kaspersky as External Service

Rob Gunther redrob at gmail.com
Wed Jul 24 09:31:53 UTC 2019

I am trying to setup scanning against Kaspersky, as an external ICAP
service.  Using RSPAMD v1.9.4

I can see RSPAMD is sending messages to the ICAP service and I can see
Kaspersky scanning them.  Kaspersky IS identifying the messages as infected
but the logs on RSPAMD always say the message was reported clean like this:

2019-07-24 08:59:35 #4135(controller) <f2c8be>; lua; common.lua:36:
kaspersky_icap (icap): message or mime_part is clean

What is RSPAMD looking for in the return?

I tested the connection to the ICAP service, from the RSPAMD server to
simulate what may be going on, using an icap-client and here is what that
returns when the same infected file is sent in:

c-icap-client -v -i -p 1344 -s av/reqmod -f /tmp/virus.eml
-d 9
ICAP server:, ip:, port:1344

Allocate a new entity of type 1
Allocate a new entity of type 3
Going to add 4 response headers
Add resp header: HTTP/1.0 200 OK
Add resp header: Date: Wed Jul 24 09:29:19 2019
Add resp header: Last-Modified: Wed Jul 24 09:29:19 2019
Add resp header: Content-Length: 18605
Preview response was with status: 100
Response was with status:200
Get entity from trash....
Get entity from trash....
OK reading headers, going to read body
<!DOCTYPE html>
        <meta charset="utf-8">
        <title>Access Denied by Kaspersky Web Traffic Security</title>
        <style rel="stylesheet" data-href="style.css">
            html { font-family: sans-serif; font-size: 13px; min-height:
480px; min-width: 640px; }
            body { margin: 0; text-align: center; }
            .header { position: absolute; top: 0; left: 0; right: 0;
height: 36px; line-height: 36px; vertical-align: middle; background-color:
#d74747; color: #ffffff; }
            .content-wrap { position: absolute; top: 36px; left: 0; right:
0; bottom: 0; margin-left: 63.5px; margin-right: 63.5px; }
            .application { position: absolute; top: 0; height: 30%; left:
0; right: 0; }
            .application h1 { position: absolute; bottom: 0; left: 0;
right: 0; font-size: 19px; vertical-align: bottom; font-weight: normal; }
            .content { position: absolute; height: 70%; bottom: 0; left: 0;
right: 0; }
            .text-macro a, .text-macro a:visited, .text-macro a:active {
color: #006d5c; text-decoration: none; }
            .description { position: absolute; top: 30%; left: 0; right: 0;
            .rule, .date { margin: 5px 0; }
            .date { margin-bottom: 10px; }
            .footer { color: #999999; position: absolute; bottom: 0; left:
0; right: 0; }
        <div class="header">Access denied</div>
        <div class="content-wrap">
            <div class="application"><h1>Kaspersky Web Traffic
            <div class="content"><div class="text-macro">
    <p>The requested page cannot be provided</p>
    <p>Address: <a></a></p>
    <p class="description">The web resource is prohibited at the company.
If you consider
    the blocking to be mistaken or if you need to access this web resource,
    contact the administrator of the local corporate network.</p>

<div class="footer">
    <p class="rule">Default Protection Rule</p>
    <p class="date">2019-Jul-24 05:29:20 (GMT 2019-Jul-24 09:29:20)</p>

        ICAP/1.0 200 OK
        ISTag: "KWTS_2019-07-24_09"
        Date: Wed, 24 Jul 2019 09:29:20 GMT
        Server: KAV-ICAP-Server/8.0
        X-ICAP-msg-id: x6O9TK185
        Encapsulated: res-hdr=0, res-body=73

        HTTP/1.1 403 Forbidden
        Content-Type: text/html
        Content-Length: 2114


So things seem to be working, but the reply that RSPAMD is getting is not
something that it is identifying as an infection.

Any ideas?

More information about the Users mailing list