Mailing List Archive

Phishing caught on outbound mail but not on inbound
I've noticed many times in the last few days that an arriving phishing
attempt is not caught by ClamAV. But when I forward that same phishing
attempt as an attachment to another e-mail address only a few minutes
later, ClamAV blocks it, e.g. with the message 550 contains virus --
(Phishing.Heuristics.Email.SpoofedDomain FOUND)

I can accept that ClamAV blocks my forwarding, but why wasn't the mail
blocked at arrival?


_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-win32
Re: Phishing caught on outbound mail but not on inbound
esperanto@spamcop.net wrote:
> I've noticed many times in the last few days that an arriving phishing
> attempt is not caught by ClamAV. But when I forward that same phishing
> attempt as an attachment to another e-mail address only a few minutes
> later, ClamAV blocks it, e.g. with the message 550 contains virus --
> (Phishing.Heuristics.Email.SpoofedDomain FOUND)
>
> I can accept that ClamAV blocks my forwarding, but why wasn't the mail
> blocked at arrival?

OP sent me a sample message which produced exactly the same behaviour.
We're both using the Mailtraq MTA which supports the official win32
distribution (0.92.1). Detection only takes place when the MIME part is
Content-Type: message/rfc822.

The original inbound mail was 'single part' with Content-Type:
text/html. Similarly, detection doesn't take place when the mail client
forwards inline (as text/plain) rather than as an attachment.

So, is it a bug or design -- does the heuristic algorithm require a MIME
part of message/rfc822? Shouldn't it also fire when the offending URLs
are presented as text/html or even text/plain?

Thanks in advance.
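
To reproduce the comparison described in this thread against a scanner under test, the following added example (not part of the original posts) builds one HTML body as a single-part text/html message, as a message/rfc822 attachment and as an inline text/plain forward, and lists each one's MIME tree. The addresses, domains, body text and the way the inline forward flattens the link are constructed assumptions.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample body: the visible link text names one domain while the
# href points at another. All domains are reserved example names.
HTML_BODY = (
    "<html><body>\n"
    "<p>Please confirm your account:\n"
    '<a href="http://login.example.net/verify">\n'
    "http://www.example.com/</a></p>\n"
    "</body></html>\n"
)

def _envelope(subject):
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    return msg

def build_variants():
    """Return {name: bytes} for the three message shapes from the thread."""
    inbound = _envelope("Account notice (constructed test)")
    inbound.set_content(HTML_BODY, subtype="html")        # single-part text/html

    attached = _envelope("Fwd: Account notice (constructed test)")
    attached.set_content("Forwarded message attached.\n")
    attached.add_attachment(inbound)                       # becomes message/rfc822

    inline = _envelope("Fwd: Account notice (constructed test)")
    inline.set_content(                                    # single-part text/plain
        "---- Forwarded message ----\n"
        "Please confirm your account:\n"
        "http://www.example.com/ <http://login.example.net/verify>\n"
    )
    return {"inbound_html": inbound.as_bytes(),
            "fwd_attachment": attached.as_bytes(),
            "fwd_inline": inline.as_bytes()}

def mime_tree(raw):
    """Content types in walk order: the MIME structure handed to a scanner."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [part.get_content_type() for part in msg.walk()]

if __name__ == "__main__":
    for name, raw in build_variants().items():
        with open(name + ".eml", "wb") as fh:              # scan these files
            fh.write(raw)
        print(f"{name:15} {' > '.join(mime_tree(raw))}")
```

Scanning the three written .eml files with the same engine and signature set shows whether a verdict follows the URLs themselves or the MIME type of the part that carries them.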