Sanesecurity sigs

Mark Nienberg lists at
Mon Nov 10 19:40:26 GMT 2008

I've started testing a little bit with the Sanesecurity signatures for 

The download script I am using from the sanesecurity site actually 
downloads all 4 databases from sanesecurity plus 2 more from MSRBL.  
Although I haven't methodically parsed the mail logs to be sure, my 
first impression is that these hit on many messages, but only a subset 
of messages already identified as spam by spamassassin.  So far I 
haven't found a message that triggered sanesecurity but did not score at 
least my minimum of 5.5 on SA.

Also, since a hit classifies as virus, rather than a contribution to a 
SA score, a false positive means nondelivery of the message, which is 
more serious than a false positive on a single SA rule.

So I guess my questions are:

Does the use of all these extra databases really improve overall spam 
Would it make more sense to just use some of the databases?  Which ones?
Are there ever false positives?
How often should I run the update process?


Mark Nienberg

More information about the MailScanner mailing list