Sanesecurity ClamAV sigs are back. Yay!

Alex Broens ms-list at alexb.ch
Fri Jan 23 22:04:27 GMT 2009


On 1/23/2009 10:35 PM, Julian Field wrote:
> 
> 
> On 23/1/09 15:38, Alex Broens wrote:
>> On 1/23/2009 4:22 PM, Jonas Akrouh Larsen wrote:
>>> I've not used sanesecurity so far, because it messes up statistics and
>>> generally makes it less transparent why a mail was blocked.
>>>
>>> My problem is I don’t want my system to list a mail as a virus if it's
>>> "just" a spam or phishing attack.
>>>
>>> Am I alone with these concerns or has anybody found a "fix" for it?
>>>
>>> I am using newest mailscanner and mailwatch versions.
>>>
>>> I'd love to improve my protection with sanesecurity but not at the
>>> cost of making my spam/virus stats useless.
>>
>> agreed, it's very confusing to users why an image spam or a 419
>> suddenly shows up as "infected"

> So don't deliver "infected" email at all, just drop it with the "Silent 
> Viruses = All-Viruses" setting. Then they never see it and don't worry 
> about it.

Dropping is not an approach everybody can use, some even per law.
If you use Mailwatch, like many do, they see an entry and that triggers 
questions. There are many other reasons not to drop msgs, no matter what, 
it all depends where you're sitting.

The SaneSecurity sigs have developed in a direction where they have very 
little to do with pure AV but act more like several well-known digests 
designed for spam detection and imo, should be treated as such.

Alex

PS: I wouldn't underestimate the power of pretty graphs... :-)

