Sanesecurity sigs
Mark Nienberg
lists at tippingmar.com
Mon Nov 10 19:40:26 GMT 2008
I've started testing a little bit with the Sanesecurity signatures for
clamav.

The download script I am using from the sanesecurity site actually
downloads all 4 databases from sanesecurity plus 2 more from MSRBL.

Although I haven't methodically parsed the mail logs to be sure, my
first impression is that these hit on many messages, but only a subset
of messages already identified as spam by spamassassin. So far I
haven't found a message that triggered sanesecurity but did not score at
least my minimum of 5.5 on SA.

Also, since a hit classifies as virus, rather than a contribution to a
SA score, a false positive means nondelivery of the message, which is
more serious than a false positive on a single SA rule.

So I guess my questions are:

Does the use of all these extra databases really improve overall spam
detection?

Would it make more sense to just use some of the databases? Which ones?

Are there ever false positives?

How often should I run the update process?

Thanks,
Mark Nienberg