Using ClamAV to find spam

DAve dave.list at pixelhammer.com
Fri Aug 3 13:46:45 IST 2007


Andy Wright wrote:
> Scott Silva wrote:
>> Andy Wright spake the following on 8/2/2007 4:09 PM:
>>  
>>> Brent Addis wrote:
>>>    
>>>> Try the clamav spamassassin plugin. If your spam scores high enough it
>>>> shouldn't be virus scanned and won't skew your stats.
>>>>  
>>>> http://www.nabble.com/My-bash-script-to-upload-PDFinfo-daily,-safely-t4115144.html 
>>>>
>>>> has an example about halfway through the comments at the bottom.

>>>>
>>>> Hi list,
>>>>
>>>> I've enabled the "ClamAV Full Message Scan" option and installed the
>>>> sanesecurity sigs. Clam is nicely finding loads (and loads... and
>>>> loads...!) of spam, but of course is causing all these messages to be
>>>> tagged as Virused. This is  making my MailWatch screen a sea of red and
>>>> skewing the stats such that I appear to be receiving loads of viruses
>>>> instead of spam.
>>>>
>>>> Is it possible to get MailScanner to look at the report from ClamAV and
>>>> determine if the message is really spam rather than virused ?

>>> Hi Brent,
>>>
>>> thanks for the suggestion, although I'm reluctant to add yet more
>>> plugins - most of the spams are already being scored at 20+  (how high
>>> does this have to get before virus scanning is skipped?)
>>>
>>> I guess what I'm after is a way for MailScanner to handle things
>>> differently if the return from ClamAV is "Email.*, Html.*" etc  Now that
>>> Clam seems to be more than just a *virus* finder might it make sense for
>>> MailScanner to look more closely at the returned result ?  Maybe an
>>> excuse for Julian to up the options well beyond the 300 mark ?!
>>>
>>> Andy.
>>>     
>> AFAIK all their signatures give sanesecurity in their responses. Maybe an
>> option to look for this and just give spam scores.
>> For me, I don't really care right now what stops them, as long as it doesn't
>> go to the users. Maybe later if I start reporting ratios to someone, I might.
>>
>>   
> Most do, but there are a few along the lines of "Email.Phising.RB-1221"
> 
> I do report results to clients so this would be a nice thing to be able 
> to correct.
> 

I think so as well, see my response to "Re: Request for comments 3 - Re: 
MailScanner and password protected archives" I posted on the 25th of 
last month. ClamAV does not always equal virus, SA does not always equal 
spam. I think the gap will close even more as time goes on.

The more I think about it the more I like the idea of separating the 
identification/tagging from the reporting/action of each message. I am 
apparently alone in this.

DAve


-- 
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.
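
Added example, not part of the original thread and not MailScanner code: one way to separate identification from reporting, as discussed above, by classifying clamscan-style "FOUND" lines on the signature name. The spam patterns ("sanesecurity", "Email.*", "Html.*") come from the thread; treating them as spam is an assumed local policy, and the sample report lines are constructed.

```python
import re
from collections import Counter

# clamscan-style report line: "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

# Name patterns mentioned in the thread. Treating them as spam rather than
# virus is a local reporting policy (assumption), not ClamAV behaviour.
SPAM_RULES = (
    re.compile(r"sanesecurity", re.IGNORECASE),
    re.compile(r"^(Email|Html)\."),
)

def parse_line(line):
    """Return (path, signature) for a FOUND line, else None."""
    m = FOUND_RE.match(line.strip())
    return (m.group("path"), m.group("sig")) if m else None

def classify(sig):
    """Map a signature name to a reporting category."""
    return "spam" if any(r.search(sig) for r in SPAM_RULES) else "virus"

def summarize(lines):
    """One verdict per message; any non-spam hit makes the message 'virus'."""
    verdicts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # "OK" lines, scan summary, blank lines
        path, sig = parsed
        if verdicts.get(path) != "virus":
            verdicts[path] = classify(sig)
    return verdicts, Counter(verdicts.values())

# Constructed sample report (paths and the Worm/Gen names are made up).
SAMPLE = [
    "queue/msgA: Email.Phising.RB-1221 FOUND",
    "queue/msgB: Html.Spam.Gen001.Sanesecurity.07080100 FOUND",
    "queue/msgC: Email.Spam.Gen002.Sanesecurity.07080100 FOUND",
    "queue/msgC: Worm.Example-1 FOUND",
    "queue/msgD: OK",
]

if __name__ == "__main__":
    verdicts, counts = summarize(SAMPLE)
    for path, verdict in sorted(verdicts.items()):
        print(path, verdict)
    print(dict(counts))
```

A message with both a spam-signature hit and any other hit is counted as a virus, so the spam category never hides a real detection.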

