How to quarantine only Phishing stuff from Clam?

Jeff A. Earickson jaearick at COLBY.EDU
Thu Mar 10 15:03:20 GMT 2005


My daily report of who is sending viruses from our own domain has
been showing Phishing stuff caught by ClamAV, coming from my own
webmail server.

A sample of what gets emailed to me via "Notices to", and then boiled
down by a perl script:

j29LMw3X004268: (username)
ClamAV Module: msg-21083-102.txt was infected: HTML.Phishing.Bank-111

I want to investigate, ie quarantine the offending messages.  But I
don't want to quarantine tons of crap.  I have

Quarantine Infections = yes
Quarantine Silent Viruses = no

and I want to set up a ruleset specifying silent viruses.  Would this
be right?

%localrules-dir% = /etc/MailScanner/rules
Silent Viruses = %localrules-dir%/silent-viruses.rules

where the silent-viruses.rules looks like:

Virus:  All-Viruses             yes
Virus:  HTML-IFrame             yes
Virus:  Phishing.Bank   no

Do I need to specify a default here?

Jeff Earickson
Colby College

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ ( and
the archives (

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list