spam first, then virus?

Matt Kettler mkettler at EVI-INC.COM
Mon Oct 27 19:40:03 GMT 2003

At 02:15 PM 10/27/2003, Andy Alsup wrote:
>My users get a lot of  mail that was scanned as a virus, and delivered
>without the attachement.  The Microsoft update variations I see a lot.
>My question is:  Can those messages be scanned by the spam scanner
>before the virus scanner?  I think a lot of these messages would be
>blocked by pattern matching and RBL as spam, and then deleted, or marked
>as {spam} first, then {virus}, and thus handled by the user's {spam} rules.

I don't know about your system, but my copy of MailScanner always runs BOTH
virus and spam checks on every message. It doesn't skip spam checks just
because it found a virus. I've often gotten messages with both tags in the
subject line, ie:

         Subject: {VIRUS} {SPAM} letter

As for the microsoft update variations, unless you've added rules,
SpamAssassin generally does not catch these messages unless you heavily
train them into bayes. Since most of these messages come from virus
infected users instead of spammers, they generally don't match any RBLs
either. They do tend to match razor, but that alone isn't much help...

The latest MS update worm message I got (successfully identified as a
virus) got this result from SA 2.60:

X-EVI-MailScanner-SpamCheck: not spam, SpamAssassin (score=3.983, required 5,
         BAYES_30 -0.90, HTML_90_100 1.19, HTML_MESSAGE 0.10,
         MIME_MISSING_BOUNDARY 1.84, RAZOR2_CF_RANGE_51_100 1.10)

As I said above, I could train these messages into bayes to help the SA
score out quite a lot, but I've got all of the SA 2.60 RBLs enabled and the
message didn't hit a single one of them.

More information about the MailScanner mailing list