Using ClamAV to find spam
dave.list at pixelhammer.com
Fri Aug 3 13:46:45 IST 2007
Andy Wright wrote:
> Scott Silva wrote:
>> Andy Wright spake the following on 8/2/2007 4:09 PM:
>>> Brent Addis wrote:
>>>> Try the clamav spamassassin plugin. If your spam scores high enough it
>>>> shouldn't be virus scanned and won't skew your stats.
>>>> has an example about halfway through the comments at the bottom.
>>>> Hi list,
>>>> I've enabled the "ClamAV Full Message Scan" option and installed the
>>>> sanesecurity sigs. Clam is nicely finding loads (and loads... and
>>>> loads...!) of spam, but of course is causing all these messages to be
>>>> tagged as Virused. This is making my MailWatch screen a sea of red and
>>>> skewing the stats such that I appear to be receiving loads of viruses
>>>> instead of spam.
>>>> Is it possible to get MailScanner to look at the report from ClamAV and
>>>> determine if the message is really spam rather than virused ?
>>> Hi Brent,
>>> thanks for the suggestion, although I'm reluctant to add yet more
>>> plugins - most of the spams are already being scored at 20+ (how high
>>> does this have to get before virus scanning is skipped?)
>>> I guess what I'm after is a way for MailScanner to handle things
>>> differently if the return from ClamAV is "Email.*, Html.*" etc. Now that
>>> Clam seems to be more than just a *virus* finder might it make sense for
>>> MailScanner to look more closely at the returned result ? Maybe an
>>> excuse for Julian to up the options well beyond the 300 mark ?!
>> AFAIK all their signatures give sanesecurity in their responses. Maybe an
>> option to look for this and just give spam scores.
>> For me, I don't really care right now what stops them, as long as it
>> go to the users. Maybe later if I start reporting ratios to someone, I
> Most do, but there are a few along the lines of "Email.Phising.RB-1221"
> I do report results to clients so this would be a nice thing to be able
> to correct.
I think so as well, see my response to "Re: Request for comments 3 - Re:
MailScanner and password protected archives" I posted on the 25th of
last month. ClamAV does not always equal virus, SA does not always equal
spam. I think the gap will close even more as time goes on.
The more I think about it the more I like the idea of separating the
identification/tagging from the reporting/action of each message. I am
apparently alone in this.
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Maybe they forgot who made that choice possible.
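
The idea discussed in this thread, reporting a ClamAV hit as spam or as a virus depending on the signature name, sketched as an added example. It is not code from the original messages or from MailScanner. It assumes clamscan-style "path: Name FOUND" lines and one directory per message; apart from "Email.Phising.RB-1221", which is quoted in the thread, the paths and signature names are constructed.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Heuristic taken from the thread: names that start with "Email." or "Html.",
# or that mention sanesecurity, are treated as spam/phishing, not malware.
# This is an assumption about naming, not a rule ClamAV itself guarantees.
SPAM_NAME = re.compile(r"^(Email|Html)\.|sanesecurity", re.IGNORECASE)

# clamscan prints one "path: SignatureName FOUND" line per detection.
FOUND_LINE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")


def classify(signature):
    """Return 'spam' or 'virus' for a single signature name."""
    return "spam" if SPAM_NAME.search(signature) else "virus"


def verdicts(report):
    """Map each message directory to one reporting category.

    A message is counted as spam only if every hit in it is a spam-type
    signature; a single malware hit keeps the whole message in 'virus'.
    Messages with no FOUND line do not appear in the result.
    """
    kinds = defaultdict(set)
    for line in report.splitlines():
        match = FOUND_LINE.match(line.strip())
        if match:
            message = PurePosixPath(match["path"]).parent.name
            kinds[message].add(classify(match["sig"]))
    return {msg: ("virus" if "virus" in found else "spam")
            for msg, found in kinds.items()}


# Constructed sample report (hypothetical paths and names, see lead-in).
SAMPLE_REPORT = """\
/scan/msg-a/message: Email.Spam.Constructed-1.Sanesecurity.00000000 FOUND
/scan/msg-b/message: Email.Phising.RB-1221 FOUND
/scan/msg-c/message: Html.Constructed-2 FOUND
/scan/msg-c/invoice.exe: Trojan.Constructed-3 FOUND
/scan/msg-d/message: OK
/scan/msg-e/doc.zip: Worm.Constructed-4 FOUND
"""

if __name__ == "__main__":
    for message, kind in sorted(verdicts(SAMPLE_REPORT).items()):
        print(message, kind)
```

The mixed case (msg-c) is the one to watch: reclassifying by name must never downgrade a message that also carries a non-spam detection.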