SpamBlocker 4.1 and ClamAV

Can someone move this thread to the Email > SB4.1 forum please. Might get more insight.

Furthermore, the exim.conf Edit 46 (ClamAV) has
## deny if email contains malformed MIME header
deny message = This message contains malformed MIME (malformed_MIME: $demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
So, it should disregard the message, correct?
 
Bump...... This bloody Win32:Evo trojan is getting spammed every day and getting through.... Searches suggest editing the ACL, but I may bodge it up.
 
Ok, I've left this thread for a while to see if anyone else is having this issue with this particular virus. It seems as though I'm the only one, correct?
 
Hi Peter,

I am scanning my servers every night besides the ClamAV email scan, and for a few days now it has been warning me that there is a virus in some of the customers' emails. The script moves the emails to another quarantine location so (I hope) no harm is done. But I got the same issue with the virus "Win.Trojan.Agent-749246" and the message in my exim mainlog is: "demime acl condition: base64 line contains illegal character".

I have found this on the Exim website:

$demime_errorlevel
When an error is detected in a MIME container, this variable contains the severity of the error, as an integer number. The higher the value, the more severe the error (the current maximum value is 3). If this variable is unset or zero, no error occurred.

In exim.conf we have:

deny message = This message contains malformed MIME (malformed_MIME:$demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}

In my opinion every "error" in the MIME format has to be rejected, so why does this one come through?

Also found a post which was posted in 2005:

https://lists.exim.org/lurker/message/20050225.104717.d4d4f5fa.pl.html#exim-users

The post indicates that "demime acl condition: base64 line contains illegal character" is a level 2 error.
So should the condition in Exim.conf be:

deny message = This message contains malformed MIME (malformed_MIME:$demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{0}}

Or is there any other reason why we should not do that?
 
If you're asking what I think you're asking...

Should we allow any errors in MIME through at all?

Then my response would be yes, we should. Otherwise we won't accept email from broken senders.

However I'm open to discussion.

And of course as we move forward to merging my SpamBlocker exim.conf file with the official one, I'm no longer the arbiter :).

Jeff
 
Email clients which don't properly manage mime and don't handle them properly in the email body.

Jeff
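
One way to measure the trade-off discussed in this thread before changing the threshold, as an added example (not code from any poster or from SpamBlocker): it lists messages that Exim accepted despite logging a demime error and counts which of them a lower errorlevel threshold would start rejecting, grouped by sender domain. The mainlog line layout, the function names and the sample log are assumptions constructed for illustration; only the single reason-to-level mapping comes from the thread.

```python
import re
from collections import Counter

# Level the thread reports for this reason (via the 2005 exim-users post it links).
# Reasons not listed here get level None rather than a guessed value.
KNOWN_LEVELS = {"base64 line contains illegal character": 2}

# Assumed mainlog layout: "<date> <time> <message-id> <text>".
DEMIME = re.compile(r"^\S+ \S+ (\S+) demime acl condition: (.+)$")
ACCEPT = re.compile(r"^\S+ \S+ (\S+) <= (\S+)")

def accepted_with_demime_error(lines):
    """Return [(msg_id, sender, reason, level)] for accepted messages that logged a demime error."""
    reasons, senders = {}, {}
    for line in lines:
        m = DEMIME.match(line.rstrip("\n"))
        if m:
            reasons.setdefault(m.group(1), m.group(2).strip())
            continue
        m = ACCEPT.match(line)
        if m:
            senders[m.group(1)] = m.group(2)
    return [(i, senders[i], r, KNOWN_LEVELS.get(r)) for i, r in reasons.items() if i in senders]

def newly_rejected(hits, threshold):
    """Accepted messages that a 'demime_errorlevel > threshold' condition would reject."""
    sure = [h for h in hits if h[3] is not None and h[3] > threshold]
    # Any logged error is at least level 1, so unknown levels only count at threshold 0.
    unknown = [h for h in hits if h[3] is None]
    return sure + unknown if threshold == 0 else sure

def by_sender_domain(hits):
    return Counter(h[1].rpartition("@")[2].lower() for h in hits)

# Constructed sample log (not from the thread); reserved example domains and addresses.
SAMPLE = """\
2014-03-01 10:00:01 1WJaaa-0001AB-CD demime acl condition: base64 line contains illegal character
2014-03-01 10:00:02 1WJaaa-0001AB-CD <= news@lists.example.org H=mx.example.org [192.0.2.10] P=esmtp S=4321
2014-03-01 10:05:10 1WJbbb-0002EF-GH <= alice@example.com H=mail.example.com [192.0.2.20] P=esmtp S=1200
2014-03-01 10:07:30 1WJccc-0003IJ-KL demime acl condition: base64 line contains illegal character
2014-03-01 10:07:30 1WJccc-0003IJ-KL H=host.example.net [192.0.2.30] rejected after DATA: constructed line
2014-03-01 10:09:00 1WJddd-0004MN-OP demime acl condition: constructed reason of unknown level
2014-03-01 10:09:01 1WJddd-0004MN-OP <= bob@example.net H=mx.example.net [192.0.2.40] P=esmtp S=900
""".splitlines()

if __name__ == "__main__":
    hits = accepted_with_demime_error(SAMPLE)
    for t in (2, 1, 0):
        print(f"errorlevel > {t}: {len(newly_rejected(hits, t))} accepted message(s) would be rejected")
```

Running it over a real mainlog and reviewing the sender domains shows how many legitimate but broken senders a stricter condition would cut off.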
 