Sanesecurity sigs

Julian Field MailScanner at ecs.soton.ac.uk
Mon Nov 10 20:42:48 GMT 2008



Mark Nienberg wrote:
> I've started testing a little bit with the Sanesecurity signatures for 
> clamav.
>
> The download script I am using from the sanesecurity site actually 
> downloads all 4 databases from sanesecurity plus 2 more from MSRBL.  
> Although I haven't methodically parsed the mail logs to be sure, my 
> first impression is that these hit on many messages, but only a subset 
> of messages already identified as spam by spamassassin.  So far I 
> haven't found a message that triggered sanesecurity but did not score 
> at least my minimum of 5.5 on SA.
>
> Also, since a hit classifies as virus, rather than a contribution to a 
> SA score, a false positive means nondelivery of the message, which is 
> more serious than a false positive on a single SA rule.
>
> So I guess my questions are:
>
In my view:
> Does the use of all these extra databases really improve overall spam 
> detection?
Yes.
> Would it make more sense to just use some of the databases?  Which ones?
No, just use the lot.
> Are there ever false positives?
Never had any complaints of any. They rely on scanning the whole 
message with ClamAV, so make sure you've got that option set in 
MailScanner.conf (look for "Whole Message").
> How often should I run the update process?
I run it every hour.

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

