Thread: Amavisd phish & malware headers question

Amavisd phish & malware headers question
United States
2007-05-27 17:45:55
I am marking and passing malware e-mails to a special review account for
possible listing in URIBL Black (in their malware cluster). Just
curious to know why amavisd would write all of the duplicate malware
headers to a single message:

X-Spam-Status: Yes, score=56 required=5
	tests=[AV:Email.Malware.Sanesecurity.07051800=7.5, MY_TEST=3.5,
	 AV:Email.Malware.Sanesecurity.07051800=7.5,
	 AV:Email.Malware.Sanesecurity.07051800=7.5,
	 AV:Email.Malware.Sanesecurity.07051800=7.5,
	 AV:Email.Malware.Sanesecurity.07051800=7.5,
	 AV:Email.Malware.Sanesecurity.07051800=7.5,
	 AV:Email.Malware.Sanesecurity.07051800=7.5]


When I scan the same raw message file with clamdscan I only see one result:
=====
clamdscan /home/amavis/test.eml
/home/amavis/test.eml: Email.Malware.Sanesecurity.07051800 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.310 sec (0 m 0 s)
=====

I also periodically see the same with phish e-mail, too:

X-Spam-Status: Yes, score=26 required=5
	tests=[AV:Phishing.Email.SSL-Spoof=7.5,  MY_TEST=3.5,
	 AV:Phishing.Email.SSL-Spoof=7.5,
	 AV:Phishing.Email.SSL-Spoof=7.5]


And with clamdscan directly on the raw message file:
=====
clamdscan /home/amavis/test2.eml
/home/amavis/test2.eml: Phishing.Email.SSL-Spoof FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.084 sec (0 m 0 s)
=====

Again, it's not a big deal, just more of a curiosity question.

Thanks,

Bill

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
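A small checker for the situation Bill describes, added here as an example (it is not amavisd, ClamAV or SpamAssassin code, and not part of any post in this thread). It unfolds an X-Spam-Status header as it appears in a raw message, parses the `tests=[...]` list, reports which tests fired more than once, and recomputes the score as it would be if every test counted once. The two sample headers are constructed from the ones quoted above; the sum of the listed tests matches the reported score in both cases (7 × 7.5 + 3.5 = 56, 3 × 7.5 + 3.5 = 26), and with the duplicates collapsed both messages would still score 11, well above the threshold of 5. Only the Python standard library is used.

```python
"""Check an X-Spam-Status header for repeated test hits.

Added example for this thread, not amavisd, ClamAV or SpamAssassin code.
Assumes only the standard library and the header layout shown in the
posts: folded continuation lines and a tests=[NAME=SCORE, ...] list.
"""
import re
from collections import Counter

# Constructed sample inputs modelled on the two headers quoted in the
# thread, folded across several lines the way a raw message carries them.
MALWARE_HEADER = (
    "X-Spam-Status: Yes, score=56 required=5\n"
    "\ttests=[AV:Email.Malware.Sanesecurity.07051800=7.5, MY_TEST=3.5,\n"
    "\t AV:Email.Malware.Sanesecurity.07051800=7.5,\n"
    "\t AV:Email.Malware.Sanesecurity.07051800=7.5,\n"
    "\t AV:Email.Malware.Sanesecurity.07051800=7.5,\n"
    "\t AV:Email.Malware.Sanesecurity.07051800=7.5,\n"
    "\t AV:Email.Malware.Sanesecurity.07051800=7.5,\n"
    "\t AV:Email.Malware.Sanesecurity.07051800=7.5]\n"
)

PHISH_HEADER = (
    "X-Spam-Status: Yes, score=26 required=5\n"
    "\ttests=[AV:Phishing.Email.SSL-Spoof=7.5,  MY_TEST=3.5,\n"
    "\t AV:Phishing.Email.SSL-Spoof=7.5,\n"
    "\t AV:Phishing.Email.SSL-Spoof=7.5]\n"
)


def unfold(header: str) -> str:
    """Undo RFC 5322 header folding: a line break followed by whitespace
    belongs to the same logical header line."""
    return re.sub(r"\r?\n[ \t]+", " ", header).strip()


def parse_spam_status(header: str):
    """Return (score, required, [(test_name, test_score), ...])."""
    text = unfold(header)
    m = re.search(r"score=(-?\d+(?:\.\d+)?)\s+required=(-?\d+(?:\.\d+)?)", text)
    if not m:
        raise ValueError("no score/required in X-Spam-Status header")
    score, required = float(m.group(1)), float(m.group(2))
    tests = []
    tests_m = re.search(r"tests=\[([^\]]*)\]", text)
    if tests_m:
        for item in tests_m.group(1).split(","):
            item = item.strip()
            if not item:
                continue
            name, _, value = item.partition("=")
            tests.append((name.strip(), float(value)))
    return score, required, tests


def analyze(header: str) -> dict:
    """Summarize duplicate hits and the score with each test counted once."""
    score, required, tests = parse_spam_status(header)
    counts = Counter(name for name, _ in tests)
    once = {}
    for name, value in tests:
        once.setdefault(name, value)  # keep the first occurrence of each test
    deduped = sum(once.values())
    return {
        "header_score": score,
        "required": required,
        "sum_of_tests": sum(v for _, v in tests),
        "duplicates": {n: c for n, c in counts.items() if c > 1},
        "deduped_score": deduped,
        "still_over_threshold": deduped >= required,
    }


if __name__ == "__main__":
    for label, hdr in (("malware", MALWARE_HEADER), ("phish", PHISH_HEADER)):
        print(label, analyze(hdr))
```

Run against a mailbox of review-account messages, the `duplicates` map shows at a glance which signatures are being counted several times per message, and `deduped_score` tells you whether the repetition changes the verdict at all (here it does not; the messages are well over threshold either way).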

Re: Amavisd phish & malware headers question
Slovenia
2007-05-31 03:16:58
Bill,

> I am marking and passing malware e-mails to a special review account for
> possible listing in URIBL Black (in their malware cluster).  Just
> curious to know why amavisd would write all of the duplicate malware
> headers to a single message:
>
> X-Spam-Status: Yes, score=56 required=5
> 	tests=[AV:Email.Malware.Sanesecurity.07051800=7.5, MY_TEST=3.5,
> 	 AV:Email.Malware.Sanesecurity.07051800=7.5,
> 	 AV:Email.Malware.Sanesecurity.07051800=7.5,
> 	 AV:Email.Malware.Sanesecurity.07051800=7.5,
> 	 AV:Email.Malware.Sanesecurity.07051800=7.5,
> 	 AV:Email.Malware.Sanesecurity.07051800=7.5,
> 	 AV:Email.Malware.Sanesecurity.07051800=7.5]

amavisd passes each mail component (unless decoding is disabled)
to virus scanners. Perhaps clamd triggered on each mail part.

Or there may be an issue with cached results from previous attempts,
try:
  $virus_check_negative_ttl=0;  # time to cache contents when not infected
  $virus_check_positive_ttl=0;  # time to cache contents when infected
  $spam_check_negative_ttl =0;  # time to cache contents as not spam
  $spam_check_positive_ttl =0;  # time to cache contents as spam
just to rule out this possibility.

The final answer lies in your log.

  Mark


Re: Amavisd phish & malware headers question
United States
2007-05-31 12:38:15
Mark Martinec wrote the following on 5/31/2007 1:16 AM -0800:
> Bill,
>
>> I am marking and passing malware e-mails to a special review account for
>> possible listing in URIBL Black (in their malware cluster).  Just
>> curious to know why amavisd would write all of the duplicate malware
>> headers to a single message:
>>
>> X-Spam-Status: Yes, score=56 required=5
>> 	tests=[AV:Email.Malware.Sanesecurity.07051800=7.5, MY_TEST=3.5,
>> 	 AV:Email.Malware.Sanesecurity.07051800=7.5,
>> 	 AV:Email.Malware.Sanesecurity.07051800=7.5,
>> 	 AV:Email.Malware.Sanesecurity.07051800=7.5,
>> 	 AV:Email.Malware.Sanesecurity.07051800=7.5,
>> 	 AV:Email.Malware.Sanesecurity.07051800=7.5,
>> 	 AV:Email.Malware.Sanesecurity.07051800=7.5]
>
> amavisd passes each mail component (unless decoding is disabled)
> to virus scanners. Perhaps clamd triggered on each mail part.

I have:  $bypass_decode_parts = 1;

> Or there may be an issue with cached results from previous attempts,
> try:
>   $virus_check_negative_ttl=0;  # time to cache contents when not infected
>   $virus_check_positive_ttl=0;  # time to cache contents when infected
>   $spam_check_negative_ttl =0;  # time to cache contents as not spam
>   $spam_check_positive_ttl =0;  # time to cache contents as spam
> just to rule out this possibility.

I think these are set to the defaults:

$virus_check_negative_ttl=  3*60;  # time to cache contents when not infected
$virus_check_positive_ttl= 30*60;  # time to cache contents when infected
$spam_check_negative_ttl = 10*60;  # time to cache contents as not spam
$spam_check_positive_ttl = 30*60;  # time to cache contents as spam

> The final answer lies in your log.

If I find any more of these, I'll check to see what the log reports.

Thanks,

Bill
