[Clamav-users] Strange behavior of Clamav with HTML email from Outlook

From: Chinh Nguyen Tam <ntchinh(at)tma.com.vn>
Date: Mon Oct 01 2007 - 22:25:06 EDT

Greetings,

We've notice some strange behavior of clamav in our email server for. When we try to send some email (HTML format, Outlook 2003) with URL inside, clamav detects these email as Email.Foolball-2 virus. If we send the emails with the same URL in Thunderbird HTML format or in pure text,   clamav will let the emails pass by.
You can see the example of one Outlook HTML attached in this messages (please unpack with gzip).
Please advice if anyone met the same problem before and how to solve this.

Thank you very much!

 From maillog:

---

Oct 1 09:28:39 smail sendmail[31550]: l912Sd0V031550: from=<nhphuong@xxx.com.vn>, size=3856, class=0, nrcpts=2, msgid=<00f501c803d2$75465c20$
390ba8c0@nhphuong>, proto=ESMTP, daemon=MTA, relay=[192.168.11.57] Oct 1 09:28:39 smail sendmail[31550]: l912Sd0V031550: Milter add: header: X-Virus-Scanned: ClamAV 0.90.1/4442/Sun Sep 30 19:20:50 2007 on sma il.xxx.com.vn
Oct 1 09:28:39 smail sendmail[31550]: l912Sd0V031550: Milter add: header: X-Virus-Status: Infected with Email.Foolball-2 Oct 1 09:28:39 smail sendmail[31550]: l912Sd0V031550: Milter: data, reject=554 5.7.1 virus Email.Foolball-2 detected by ClamAV - http://www.c lamav.net
Oct 1 09:28:39 smail sendmail[31550]: l912Sd0V031550: to=<ntuanvu@xxx.com.vn>, delay=00:00:00, pri=63856, stat=virus Email.Foolball-2 detecte
d by ClamAV - http://www.clamav.net
Oct 1 09:28:39 smail sendmail[31550]: l912Sd0V031550: to=<soqc@xxx.com.vn>, delay=00:00:00, pri=63856, stat=virus Email.Foolball-2 detected b
y ClamAV - http://www.clamav.net

-- 
With best regards,
Chinh Nguyen Tam
ntchinh@tma.com.vn
Application Team - IT System Dept.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit 
http://wiki.clamav.nethttp://lurker.clamav.net/list/clamav-users.html

Received on Mon Oct 1 22:26:05 2007