Viruses tagged as spam

Alex Neuman alex at nkpanama.com
Mon Apr 12 18:27:45 IST 2004


This is an example of the patience I admire. Thanks to Matt Kettler for the
answer.

BTW, SA is being a little less "don't care" since a version or two ago. Some
rules will flag viruses as spam because of their characteristics - and
DCC/PYZOR/RAZOR checks will sometimes do that too.

-----Original Message-----
From: Matt Kettler [mailto:mkettler at evi-inc.com] 
Sent: Monday, April 12, 2004 11:47 AM
To: alex at nkpanama.com
Subject: Re: Viruses tagged as spam



At 12:28 PM 4/12/2004, Alex Neuman wrote:
>I seem to be getting a lot of viruses marked as high-scoring spam 
>lately. Seems most of them come from machines infected with the latest 
>netsky/bagle iterations, but get marked by DCC/Pyzor/etc. - could I be 
>doing something wrong? Does anybody else experience the same situation?

Yes, I've seen that many times.. and it's not a bug.

In general SA takes a "don't care" approach to viruses. The rules are never 
designed to catch viruses, but they are also not designed to avoid tagging 
them either.


>Second, since most spams are short, and most spam is stopped by most 
>postmasters by using RBL's (local, commercial or otherwise) at the 
>gateway MTA, could there be an option to virus scan first, and *then* 
>scan for spam? Spam scanning should be unnecessary if you *know* it's a 
>virus, right?

As Peter pointed out, this is a very commonly asked/discussed topic.

You might want to read this FAQ:
http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/277.html

In short, MS is intentionally designed to do the opposite of what you 
suggest.. it spam scans first, and THEN virus scans, but will skip 
high-scoring spams. The reason for this is that the attachment decoding 
done before a virus scan is a lot more intensive than you think, and 
generally more intensive than a SA run.


-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Alex Neuman
Sent: Monday, April 12, 2004 11:45 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Viruses tagged as spam


Point taken. I'll look into the archives to see if in fact it's been
explained once a month; I've been on the list for more than a month and
haven't run into any discussions or explanations on this. I admire his
patience as well; I also admire the patience of other list members who take
the time to answer questions and point to specific articles in the archives,
MAQ, FAQ, etc. even though the question has been asked a gazillion times
before instead of just saying "it's in the archives". I hope to one day be
proficient enough in the use, care and feeding of a MailScanner installation
to be able to help out in this list as others already have.

MailScanner has so far taken care of stopping viruses at my servers even
before virus signature updates are ready by having a specific set of
filename/content rules in place (like "no executables", etc.), and filtering
"bad" html. Don't see the need to mark it as spam and screw up your stats,
though.


-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Peter Bonivart
Sent: Monday, April 12, 2004 11:35 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Viruses tagged as spam


Alex Neuman wrote:
> I seem to be getting a lot of viruses marked as high-scoring spam
> lately. Seems most of them come from machines infected with the latest 
> netsky/bagle iterations, but get marked by DCC/Pyzor/etc. - could I be 
> doing something wrong? Does anybody else experience the same 
> situation?

Yes, it has saved me more than once when virus signatures were not yet
updated since I don't deliver high-scoring spam. It's a good thing.

> Second, since most spams are short, and most spam is stopped by most
> postmasters by using RBL's (local, commercial or otherwise) at the 
> gateway MTA, could there be an option to virus scan first, and *then* 
> scan for spam? Spam scanning should be unnecessary if you *know* it's 
> a virus, right?

Please read the archives on this one. It has been discussed and explained by
Julian at least once a month for as long as I have subscribed to this list.
I admire his patience. ;-)

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.29.7, SpamAssassin
2.63 + DCC 1.2.39, ClamAV 0.70RC + GMP 4.1.2, MailStats 0.25
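The ordering Matt describes (spam scan first, high-scoring spam dropped before the virus scan ever runs), as an added illustrative MailScanner.conf fragment that is not part of this thread; the key names are assumed from MailScanner's stock configuration file of that era and the threshold values are constructed, so check both against your own version:

```ini
# Added illustrative fragment, not from the thread. Key names assumed from the
# stock MailScanner.conf; score thresholds below are constructed sample values.

# Spam checks run first. SpamAssassin thresholds:
Use SpamAssassin = yes
Required SpamAssassin Score = 6
High SpamAssassin Score = 10

# Ordinary spam is still delivered (tagged), so it goes on to the virus scan.
Spam Actions = deliver

# High-scoring spam is discarded at this step. A worm message that
# DCC/Pyzor/Razor push over the high threshold never reaches the virus
# scanner, so it is counted in the stats as spam, not as a virus.
High Scoring Spam Actions = delete

# Virus scanning happens after the spam decision, for whatever is left.
Virus Scanning = yes
Virus Scanners = clamav

# Filename rules ("no executables" and similar) catch new worms before
# signature updates exist, as Alex describes.
Filename Rules = %etc-dir%/filename.rules.conf
```

If you want high-scoring spam that is also a virus to show up in the virus counts, the only lever here is the high-score action, at the CPU cost Matt describes.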