Using ClamAV to find spam
DAve
dave.list at pixelhammer.com
Fri Aug 3 17:24:44 IST 2007
Julian Field wrote:
>>>> AFAIK all their signatures give sanesecurity in their responses.
>>>> Maybe an
>>>> option to look for this and just give spam scores.
>>>> For me, I don't really care right now what stops them, as long as it
>>>> doesn't
>>>> go to the users. Maybe later if I start reporting ratios to someone,
>>>> I might.
>>>>
>>>>
>>> Most do, but there are a few along the lines of "Email.Phising.RB-1221"
>>>
>>> I do report results to clients so this would be a nice thing to be
>>> able to correct.
>>>
>>
>> I think so as well, see my response to "Re: Request for comments 3 -
>> Re: MailScanner and password protected archives" I posted on the 25th
>> of last month. ClamAV does not always equal virus, SA does not always
>> equal spam. I think the gap will close even more as time goes on.
>>
>> The more I think about it the more I like the idea of separating the
>> identification/tagging from the reporting/action of each message. I am
>> apparently alone in this.
> What do you have in mind?
>
> Jules
>
Well I hesitate to speak up. I prefer to offer solutions before I whine
;^) Here is what I posted earlier,
"I see a trend here, maybe it is just me. We (the MS community) have SA
rules that catch viruses, we have Clam signatures that catch spam, we
have MCP that catches stuff nobody wants to 'see'.
It looks like people want a way to decide which messages go to which
quarantine based on the rule that was triggered, and not the tool that
was used. Some messages caught by Clam should go into the spam
quarantine, some messages caught by SA should go to the virus quarantine.
Possibly an override map that says "any rule matching this regex is
actually treated as spam, any rule matching this regex is actually a
virus". This would remove the need for special flags and custom
functions. Create only two quarantines, one that is considered safe for
release/viewing, one that is not. Then third party tools such as
MailWatch could allow a user access to any message stored in quarantine
'safe', and no access to any message in quarantine 'unsafe'. Regardless
of what tool/rule/function put them there."
So I think something along the lines of an override map would solve the
problem. Think of it like whitelists and blacklists. A whitelisted
address causes a message to be treated like it is ham, a blacklisted
address causes a message to be treated like it is spam. This is
regardless of the actual scoring.
Would it be possible to provide a spamlist/viruslist functionality much
like whitelist/blacklist? A message processes normally and before the
decision to quarantine is made, the spamlist/viruslist rules are checked
and the decision of how to handle the message can then be modified based
on the rules.
message is scanned
message found to be infected
- spamlist/viruslist consulted
- virus tag found in spamlist/viruslist, message action is 'spam'
- message tagged as 'spam'
- spam action is 'store'
- message stored in spam quarantine
message is scanned
message found to be spam
- spamlist/viruslist consulted
- spam rule found in spamlist/viruslist, message action is 'virus'
- message tagged as 'infected'
- infected action is 'store'
- message stored in virus quarantine
Do I make sense?
DAve
--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?
Maybe they forgot who made that choice possible.
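As an added illustration of the spamlist/viruslist idea proposed in the post above (this is example code written here, not MailScanner code and not something DAve posted), the sketch below models an override map of regexes over the detection name and walks both traces from the message: a ClamAV hit that is re-tagged as spam and lands in the 'safe' quarantine, and a SpamAssassin hit that is re-tagged as infected and lands in the 'unsafe' one. The list contents, rule names such as SA_MALWARE_*, and the sample detections are constructed for the example; "Sanesecurity" and the "Email.Phising" signature prefix are the ones named in the thread.

```python
import re
from dataclasses import dataclass

# Constructed override map. Each regex is matched against the rule/signature
# name reported by whichever tool fired; a match decides how the message is
# *treated*, regardless of which tool produced the hit. None of these names
# are real MailScanner configuration keys.
SPAMLIST = [
    r"^Sanesecurity\.",        # unofficial ClamAV signatures that describe junk mail
    r"^Email\.Phis(h)?ing\.",  # the thread's "Email.Phising.RB-1221" family: unwanted mail, not malware
]
VIRUSLIST = [
    r"^SA_MALWARE_",           # hypothetical SpamAssassin rules that identify malware carriers
]

# Two quarantines, as proposed: one a user may be allowed to release from,
# one they may not. The verdict, not the tool, picks the quarantine.
QUARANTINE = {"spam": "safe", "virus": "unsafe"}


@dataclass
class ScanResult:
    tool: str     # "clamav" or "spamassassin"
    rule: str     # signature or rule name as reported by the tool
    verdict: str  # what the tool itself claims: "virus" or "spam"


def apply_overrides(result: ScanResult) -> str:
    """Consult viruslist then spamlist; fall back to the tool's own verdict.

    The viruslist is checked first so that a name matching both lists is
    treated as the more dangerous case (fail towards the unsafe quarantine).
    """
    for pattern in VIRUSLIST:
        if re.search(pattern, result.rule):
            return "virus"
    for pattern in SPAMLIST:
        if re.search(pattern, result.rule):
            return "spam"
    return result.verdict


def decide(result: ScanResult) -> tuple[str, str]:
    """Return (final verdict, quarantine name) for a single detection."""
    verdict = apply_overrides(result)
    return verdict, QUARANTINE[verdict]


def classify_message(results: list[ScanResult]) -> tuple[str, str]:
    """Combine every hit on one message: if any hit is still a virus after
    overrides, the whole message is infected and goes to the unsafe quarantine."""
    verdicts = {apply_overrides(r) for r in results}
    final = "virus" if "virus" in verdicts else "spam"
    return final, QUARANTINE[final]


def walk_post_examples() -> list[tuple[str, str]]:
    """The two traces from the post, as constructed sample detections."""
    clam_hit = ScanResult("clamav", "Sanesecurity.Junk.1234.UNOFFICIAL", "virus")
    sa_hit = ScanResult("spamassassin", "SA_MALWARE_EXE_ATTACH", "spam")
    return [decide(clam_hit), decide(sa_hit)]


if __name__ == "__main__":
    for verdict, quarantine in walk_post_examples():
        print(f"tagged as {verdict!r}, stored in {quarantine!r} quarantine")
```

The only policy choice worth calling out is the order of the two lists: checking the viruslist before the spamlist means an ambiguous name is always routed to the quarantine nobody can release from, which matches the post's goal of letting a tool like MailWatch expose only the 'safe' quarantine.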