New beta release 4.78.3 -- "spam-viruses"

--[ UxBoD ]-- uxbod at splatnix.net
Sat Aug 1 08:23:24 IST 2009


----- "Julian Field" <MailScanner at ecs.soton.ac.uk> wrote:

> I have just released a new beta, the first in quite a while.
> 
> This has one major re-arrangement done to it, in that the virus scanning
> is now done *before* the spam checking, instead of after it as it has
> always been in the past. This results in you virus-scanning all the spam
> you are about to delete, but for virtually all virus scanners the cost
> of scanning a few extra files is very minimal compared to the cost of
> running SpamAssassin on them anyway. So it won't make much difference to
> the speed at all. And you have the advantage that you won't be
> spam-scanning viruses any more.
> 
> The need for this is because...
> 
> I have introduced a solution to the issue of what I am calling
> "spam-viruses" which are messages detected as being spam by your *virus*
> scanner. At least ClamAV and F-Prot can do this now. Automatically
> deleting mail which a third-party ClamAV signature database thinks is
> probably spam is not a very good idea, as there are false alarms which
> have bitten most of us in the past.
> 
> So what you want is a way of assigning a spam score to different
> "spam-viruses" so you can use the signature databases to varying effect,
> depending on what you think of their reliability. Some of the ClamAV
> databases have far more false alarms (false positives) than others, as
> documented here:
>          http://www.sanesecurity.net/databases.htm
> 
> So now a list of all the "spam-viruses" found in a message will be put
> in a new message header before the message is passed to SpamAssassin, so
> you can do everything from simply assigning a score if the header exists
> at all, to assigning different scores to different spam-viruses as you
> like. You can make it as simple or as complex as you choose. I have
> given you a sample rule to start from in spam.assassin.prefs.conf.
> 
> So you need to do 2 other things:
> 1. Set the name of the header used for this: see the "Spam-Virus Header"
> setting in MailScanner.conf.
> 2. Define what virus names are actually spam-viruses. See the "Virus
> Names Which Are Spam" setting in MailScanner.conf.
> 
> The second of those is given very simply. No regular expressions or
> anything complicated like that, sorry.
> You give a space-separated list of strings which are the names of the
> spam-viruses.
> You can use the "*" wildcard character to mean "any number of zero or
> more characters", just like you do in filenames. You can use several "*"
> wildcards in each string, of course.
> Other than that the string will be matched against the whole virus name,
> with a case sensitive match.
> If you want to match just a sub-string of the virus name, put a "*" at
> the start and end of the string, such as in "*UNOFFICIAL*" for example.
> Two simple examples are "HTML/*" and "Sane*UNOFFICIAL" which are
> hopefully both self-explanatory.
> 
> For more information about these 2 settings, see the MailScanner.conf file.
> 
> I think this keeps the configuration nice and simple for most people,
> but allows the 0.1% of wizards to build really complex setups.
> 
> If you strongly disagree with the way I have done it, please do let me
> know, this is only a beta so I can easily change it at this point
> without upsetting anyone. :-)
> 
> Hopefully you will find this a useful new feature, and that the cost of
> the code re-arrangement is not too high.
> 
> Have a good weekend, and please let me know if you have any "issues" 
> with any of it!
> 
> Jules
> 
> -- 
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> 
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
> 
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> Follow me at twitter.com/JulesFM and twitter.com/MailScanner
> 

I am sure the 0.1% of wizards will be hitting Amazon and sending something your way Jules ... Great work this is exactly what I needed :) Time to build up the new server and get installing :D

Best Regards,

-- 
SplatNIX IT Services :: Innovation through collaboration
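
The matching rules quoted above for the "Virus Names Which Are Spam" setting (space-separated strings, "*" as the only wildcard, whole-name and case-sensitive match), as an added Python example that is not part of the original post and is not MailScanner's own code. The function names and the sample virus names are constructed for illustration.

```python
import re


def compile_spam_virus_patterns(setting):
    """Compile a space-separated pattern list into case-sensitive regexes.

    Only '*' is a wildcard ("any number of zero or more characters").
    Every other character, including '.', '?' and '[', is literal, which is
    why a shell-glob helper such as fnmatch is not used here.
    """
    compiled = []
    for pattern in setting.split():
        pieces = (re.escape(piece) for piece in pattern.split("*"))
        compiled.append(re.compile(".*".join(pieces), re.DOTALL))
    return compiled


def spam_viruses(setting, reported_names):
    """Return the reported virus names that count as spam-viruses.

    fullmatch() enforces the whole-name rule: a pattern without a leading
    or trailing '*' never matches a mere sub-string of the name.
    """
    patterns = compile_spam_virus_patterns(setting)
    return [name for name in reported_names
            if any(p.fullmatch(name) for p in patterns)]


# Constructed sample of names a virus scanner might report for one message.
SAMPLE_NAMES = [
    "HTML/Phishing.Bank-1",                # matches HTML/*
    "Sanesecurity.Junk.12345.UNOFFICIAL",  # matches Sane*UNOFFICIAL
    "sanesecurity.Junk.12345.UNOFFICIAL",  # differs only in case: no match
    "Email.HTML/Redirect",                 # HTML/ is not at the start: no match
    "Winnow.Spam.77.UNOFFICIAL",           # needs *UNOFFICIAL* to match
    "Eicar-Test-Signature",                # a real virus name, not spam
]

if __name__ == "__main__":
    for setting in ("HTML/* Sane*UNOFFICIAL", "*UNOFFICIAL*"):
        print(setting, "->", spam_viruses(setting, SAMPLE_NAMES))
```

Names that come back from `spam_viruses` are the ones that would be treated as spam evidence for SpamAssassin scoring, while anything else the scanner reports is still handled as a virus.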
