[Rspamd-Users] rspamd with clamav and clamav-unofficial-sigs from Sanesecurity

G.W. Haywood rspamd at jubileegroup.co.uk
Thu Nov 25 14:34:46 UTC 2021

Hi there,

On Thu, 25 Nov 2021, Andreas Wass - Glas Gasperlmair wrote:

> ... think I misunderstood something and now it seems to work :-)
> I sent the strings as plaintext in a message and nothing happened because in
> my case (Configuration rspamd with clamav) rspamd takes control over text
> headers and bodies and not clamav.
> clamav takes effect, when attachments with viruses or virus strings come in
> If I put your strings or the test strings from
> https://sanesecurity.com/support/signature-testing/ in files and send these
> to my mailserver, then these mails all are blocked

It's not always obvious what's going on.  The documentation on writing
signatures explains that there are ways to specify for each individual
signature how it should be used - for example it might only be used
against certain types of data, or it might be used to scan all types.
There are also scanning configuration options which set limits on such
things as file sizes, numbers of files in archives and scan times.  It
may be such a limit which prevents something from being scanned.  You
should be careful if you change some of the limits, as some of them
are there to prevent Denial Of Service (DOS) conditions caused by (for
example) excessive resource consumption during scanning.

In addition, the tool which stands between the MTA and the scanner may
make its own decisions about what to send to the scanner.  If you have
rspamd configured to send only attachments for scanning then I imagine
that much spam will not be scanned because there is no attachment in a
lot of spam.  Malicious content will _almost_ always be in the form of
an attachment, but - in addition to hoping that the scanner recognizes
malicious content when it sees it - you need to be sure the malicious
party hasn't discovered a way of hiding the attachment from the tool
which extracts it to send to the scanner.  My own milters dismantle
all MIME messages and check that the structure is correct according to
the RFCs before scanning each MIME part (the entire mail, not just the
attachments).  If the MIME structure fails the tests, then in my book
that's a good reason to prevent delivery.

> And now in my rspamd logfile I can see something like this:
> forced: reject "clamav: virus found:
> "YARA.Garbage_spam_indicator_0003.UNOFFICIAL"
> forced: reject "clamav: virus found:
> "YARA.Sanesecurity_TestSig_Type4_Bdy_3.UNOFFICIAL"
> So this is the confirmation that clamav works with the new signatures

It's good to keep an eye on those logs.

> Thank you so much!

You're most welcome, I'm glad to be able to help. :)
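The two points made above (a "send only attachments" policy never shows the scanner a pattern that sits in the text body, and mail whose MIME structure is broken should be refused before any part is scanned) can be seen in a small script. This is an added example, not code from the thread, from rspamd or from ClamAV: it uses Python's standard-library email parser, whose recorded parsing defects stand in for the RFC structure checks the milters described above perform, a constructed two-part message, and a made-up byte pattern `TESTPATTERN-1` in place of a real scanner signature (the `fake_scan` function is a stand-in for handing a part to ClamAV).

```python
"""Dismantle a MIME message, refuse it if the structure is defective, otherwise
hand parts to a (stand-in) scanner under an attachments-only or scan-everything
policy. Added example; not rspamd, ClamAV or the poster's milter code."""
import base64
import email
from email import policy

# Constructed stand-in for a scanner signature; not a real test string.
TEST_PATTERN = b"TESTPATTERN-1"


def build_sample(close_boundary: bool = True, declared_boundary: str = "XYZ") -> bytes:
    """Build a constructed message: a text body and a base64 attachment, both
    carrying TEST_PATTERN. The boundary actually used in the body is always
    'XYZ'; declared_boundary is what the Content-Type header claims, so passing
    a different value yields a multipart whose start boundary is never found.
    close_boundary=False leaves out the terminating '--XYZ--' line."""
    b64 = base64.b64encode(TEST_PATTERN).decode("ascii")
    raw = (
        "From: sender@example.invalid\n"
        "To: recipient@example.invalid\n"
        "Subject: structure test\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/mixed; boundary="{declared_boundary}"\n'
        "\n"
        "--XYZ\n"
        "Content-Type: text/plain; charset=us-ascii\n"
        "\n"
        f"this text body carries the pattern {TEST_PATTERN.decode('ascii')}\n"
        "--XYZ\n"
        'Content-Type: application/octet-stream; name="note.bin"\n'
        'Content-Disposition: attachment; filename="note.bin"\n'
        "Content-Transfer-Encoding: base64\n"
        "\n"
        f"{b64}\n"
    )
    if close_boundary:
        raw += "--XYZ--\n"
    return raw.encode("ascii")


def fake_scan(payload: bytes) -> bool:
    """Stand-in for the virus scanner: True when the constructed pattern is present."""
    return TEST_PATTERN in payload


def triage(raw: bytes, attachments_only: bool) -> tuple[str, list]:
    """Parse the message with the stdlib parser (defects are recorded, not raised).
    Any structural defect on any part means the mail is refused before scanning;
    otherwise each leaf part that the policy selects is decoded and scanned.
    Returns ('reject-structure', [defect names]) or ('scanned', [(type, hit)])."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    defects = [type(d).__name__ for part in msg.walk() for d in part.defects]
    if defects:
        return "reject-structure", defects
    results = []
    for part in msg.walk():
        if part.is_multipart():        # containers carry no content of their own
            continue
        if attachments_only and not part.is_attachment():
            continue                   # the text body is skipped under this policy
        payload = part.get_content()   # decodes base64/quoted-printable for us
        if isinstance(payload, str):
            payload = payload.encode("utf-8", "replace")
        results.append((part.get_content_type(), fake_scan(payload)))
    return "scanned", results


if __name__ == "__main__":
    print("attachments only:", triage(build_sample(), attachments_only=True))
    print("all parts:       ", triage(build_sample(), attachments_only=False))
    print("no close boundary:", triage(build_sample(close_boundary=False), False))
    print("wrong boundary:   ", triage(build_sample(declared_boundary="WRONG"), False))
```

Run as-is, the attachments-only policy reports a hit only on `application/octet-stream` while the text body, which carries the same pattern, is never scanned; the scan-everything policy reports both. The two malformed variants are returned as `reject-structure` with `CloseBoundaryNotFoundDefect` and `StartBoundaryNotFoundDefect` respectively, without any part reaching the scanner. In rspamd itself the equivalent choice is made by the antivirus module's `scan_mime_parts` and `scan_text_mime` settings.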



