Need help with rule set

Mark Nienberg lists at
Wed Jul 29 19:59:49 IST 2009

Jules Field wrote:
> On 29/07/2009 19:03, Mark Nienberg wrote:
>> Mark Sapiro wrote:
>>> The underlying issue is that with SaneSecurity ClamAV signatures, lots
>>> of spam gets processed as a virus and thus gets a virus notice rather
>>> than a spam or high spam action, and this postmaster address gets a
>>> lot of spam, the notices for which drown out the others.
>> I agree this is a nuisance.  I deal with it by filtering mail with 
>> subject "Virus Detected" into a separate folder at the local mail 
>> delivery agent level.  True, the folder will receive real virus 
>> notifications as well as SaneSecurity detections, but that doesn't 
>> bother me too much.  A cronjob cleans items older than 10 days out of 
>> the folder so it doesn't grow too large.  If I haven't read it by 
>> then it probably isn't important.
> Have you got any ideas for me to avoid this problem or work around it? 
> I could look for sub-strings in the virus report and do something 
> appropriate, but what?
> Jules

Maybe you could add a header to the postmaster message for each virus 
reported (sometimes there are multiple).  Then the user could have more 
options for filtering. Example:

X-Report: Clamd: message was infected: Sanesecurity.Junk.10079.UNOFFICIAL
X-Report: Clamd: msg-8399-50.jpg was infected: 

Since there are signatures available in addition to SaneSecurity that 
use clamav to identify spam or phishing, I don't think you want to get 
into the business of trying to separate true virus reports from spam 
reports.  The headers would give each user the opportunity to do that.

Mark Nienberg
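
A sketch of recipient-side filtering on the X-Report header proposed above, added here as an example and not part of the original post. The header is only a proposal in this thread; the folder names, the prefix list, the sample messages and the `msg-1.zip` / `Eicar-Test-Signature` values are constructed assumptions.

```python
import email
import re
from email import policy

# Layout of the proposed header value: "Clamd: <part> was infected: <signature>"
REPORT_RE = re.compile(r"^Clamd: (?P<part>.+?) was infected: (?P<sig>\S+)$")

# Assumption: spam/phishing signature sets are recognised by name prefix.
# Site-specific list; extend it for each third-party set loaded into clamd.
SPAM_SIG_PREFIXES = ("Sanesecurity.",)


def parse_reports(msg):
    """Return one (part, signature) pair per X-Report header; (None, None) if unparseable."""
    pairs = []
    for value in msg.get_all("X-Report", []):
        m = REPORT_RE.match(str(value).strip())
        pairs.append((m["part"], m["sig"]) if m else (None, None))
    return pairs


def choose_folder(raw_message):
    """Pick a delivery folder (hypothetical names) for a postmaster notice."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reports = parse_reports(msg)
    if not reports:
        return "INBOX"  # not a tagged notice, deliver normally
    for _part, sig in reports:
        # Fail towards "virus": an unknown or unparseable report is never
        # filed as spam, and one real detection outranks any spam signatures.
        if sig is None or not sig.startswith(SPAM_SIG_PREFIXES):
            return "virus-notices"
    return "spam-notices"


def make_notice(*reports):
    """Build a constructed sample notice carrying the given X-Report values."""
    headers = ["From: postmaster@example.com", "Subject: Virus Detected"]
    headers += ["X-Report: " + r for r in reports]
    return "\n".join(headers) + "\n\nConstructed sample body.\n"


SPAM_ONLY = make_notice("Clamd: message was infected: Sanesecurity.Junk.10079.UNOFFICIAL")
MIXED = make_notice("Clamd: message was infected: Sanesecurity.Junk.10079.UNOFFICIAL",
                    "Clamd: msg-1.zip was infected: Eicar-Test-Signature")
TRUNCATED = make_notice("Clamd: msg-8399-50.jpg was infected: ")

if __name__ == "__main__":
    for name, raw in (("spam only", SPAM_ONLY), ("mixed", MIXED), ("truncated", TRUNCATED)):
        print(name, "->", choose_folder(raw))
```

A notice is filed as spam only when every report on it names a listed spam signature set, so a real detection that arrives alongside SaneSecurity hits still lands in the virus folder.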

