E-mailing generated EPUB files triggers ClamAV virus detector

[mikebw]

Running 64-bit Calibre 2.35 on Windows 8 to download and generate EPUB files, I configured auto-send to e-mail through my own Debian Linux mail server running Exim 4.80-7+deb7u1 with ClamAV 0.98.7+dfsg-0+deb7u1 that checks every message via clamd.

When trying to send The New York Times EPUB -- and I should clarify that this is just that publication, not other publications -- Exim reports (user names and e-mail addresses obscured):

Code:

SMTPDataError: (550, 'This message was detected as possible malware (PUA.Phishing.Bank)')
 
Called with args: (u'C:\\Users\\XXXXX\\AppData\\Local\\Temp\\calibre_as5cqv\\hkmrldcaltmpfmt.epub', u'New York Times.epub', u'XXXXX@XXXXX', u'News: New York Times', u'Attached is the New York Times periodical downloaded by calibre.') {u'abort': <threading._Event object at 0x0000000009A4E940>, u'log': <calibre.utils.logging.GUILog object at 0x0000000009A4E7F0>, u'notifications': <Queue.Queue instance at 0x0000000009B96CC8>}

If I manually upload the file in question to the Debian Linux server and run clamscan over it, there is no detection:

Code:

$ clamscan hkmrldcaltmpfmt.epub
hkmrldcaltmpfmt.epub: OK

----------- SCAN SUMMARY -----------
Known viruses: 3960851
Engine version: 0.98.7
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 26.60 MB
Data read: 11.53 MB (ratio 2.31:1)
Time: 14.897 sec (0 m 14 s)

So my inference is that the Base64 encoding of the EPUB must be what is triggering the (I assume) false positive, but I have no idea how to capture that.

Has anyone else seen this? Does anyone have suggestions on further diagnosis?

[kovidgoyal]

I highly doubt clamav would not decode attachments before scanning them. More likely it has additional checks when running in the exim context, one of which is trigerring.