Using ClamAV to find spam

Julian Field MailScanner at ecs.soton.ac.uk
Fri Aug 3 14:01:10 IST 2007


DAve wrote:
> Andy Wright wrote:
>> Scott Silva wrote:
>>> Andy Wright spake the following on 8/2/2007 4:09 PM:
>>>  
>>>> Brent Addis wrote:
>>>>   
>>>>> Try the clamav spamassassin plugin. If your spam scores high enough it
>>>>> shouldn't be virus scanned and won't skew your stats.
>>>>>  
>>>>> http://www.nabble.com/My-bash-script-to-upload-PDFinfo-daily,-safely-t4115144.html 
>>>>>
>>>>> has an example about halfway through the comments at the bottom.
>
>>>>>
>>>>> Hi list,
>>>>>
>>>>> I've enabled the "ClamAV Full Message Scan" option and installed the
>>>>> sanesecurity sigs. Clam is nicely finding loads (and loads... and
>>>>> loads...!) of spam, but of course is causing all these messages to be
>>>>> tagged as Virused. This is making my MailWatch screen a sea of red and
>>>>> skewing the stats such that I appear to be receiving loads of viruses
>>>>> instead of spam.
>>>>>
>>>>> Is it possible to get MailScanner to look at the report from ClamAV and
>>>>> determine if the message is really spam rather than virused ?
>
>>>> Hi Brent,
>>>>
>>>> thanks for the suggestion, although I'm reluctant to add yet more
>>>> plugins - most of the spams are already being scored at 20+  (how high
>>>> does this have to get before virus scanning is skipped?)
>>>>
>>>> I guess what I'm after is a way for MailScanner to handle things
>>>> differently if the return from ClamAV is "Email.*, Html.*" etc. Now that
>>>> Clam seems to be more than just a *virus* finder might it make sense for
>>>> MailScanner to look more closely at the returned result ?  Maybe an
>>>> excuse for Julian to up the options well beyond the 300 mark ?!
>>>>
>>>> Andy.
>>>>     
>>> AFAIK all their signatures give sanesecurity in their responses. Maybe an
>>> option to look for this and just give spam scores.
>>> For me, I don't really care right now what stops them, as long as it doesn't
>>> go to the users. Maybe later if I start reporting ratios to someone, I might.
>>>
>>>   
>> Most do, but there are a few along the lines of "Email.Phising.RB-1221"
>>
>> I do report results to clients so this would be a nice thing to be able to
>> correct.
>>
>
> I think so as well, see my response to "Re: Request for comments 3 - 
> Re: MailScanner and password protected archives" I posted on the 25th 
> of last month. ClamAV does not always equal virus, SA does not always 
> equal spam. I think the gap will close even more as time goes on.
>
> The more I think about it the more I like the idea of separating the 
> identification/tagging from the reporting/action of each message. I am 
> apparently alone in this.
What do you have in mind?

Jules

-- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
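
Added example (not part of the original thread, and not MailScanner code): one way to separate identification from reporting, as discussed above, is to classify each ClamAV hit by its signature name before counting it. The report paths, the directory-as-message-id convention and every signature name except Email.Phising.RB-1221 are constructed for illustration, and the spam pattern list is an assumption.

```python
import os
import re
from collections import Counter

# Names the thread treats as spam-type hits: anything mentioning
# "sanesecurity", plus the "Email.*" and "Html.*" families.
# This pattern list is an assumption; tune it to the signature sets you load.
SPAM_SIG = re.compile(r"sanesecurity|^Email\.|^Html\.", re.IGNORECASE)

# clamscan reports a hit as "<path>: <signature> FOUND".
FOUND_LINE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

def classify_signature(sig):
    """Map one ClamAV signature name to 'spam' or 'virus'."""
    return "spam" if SPAM_SIG.search(sig) else "virus"

def classify_messages(report_lines):
    """Return {message_id: 'spam' | 'virus'} for every message with a hit.

    The message id is taken to be the directory holding the scanned file
    (a convention assumed for this example). One non-spam hit makes the
    whole message 'virus', whatever order the hits arrive in.
    """
    verdicts = {}
    for line in report_lines:
        m = FOUND_LINE.match(line.strip())
        if not m:
            continue  # "OK" lines, summaries, warnings
        path = m["path"]
        msg_id = os.path.basename(os.path.dirname(path)) or path
        if verdicts.get(msg_id) != "virus":
            verdicts[msg_id] = classify_signature(m["sig"])
    return verdicts

def tally(report_lines):
    """Per-category message counts, suitable for reporting."""
    return dict(Counter(classify_messages(report_lines).values()))

# Constructed sample report; only Email.Phising.RB-1221 comes from the thread.
SAMPLE = """\
msgA/message: Sanesecurity.Spam.0000 FOUND
msgB/message: Email.Phising.RB-1221 FOUND
msgC/message: Html.Phishing.Bank-1 FOUND
msgC/invoice.exe: Eicar-Test-Signature FOUND
msgD/message: OK
""".splitlines()

if __name__ == "__main__":
    print(classify_messages(SAMPLE))
    print(tally(SAMPLE))
```

msgC carries both a spam-type and a non-spam hit, so it is counted as a virus; a message is reported as spam only when every hit on it is spam-type.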

