Need help with rule set
Mark Nienberg
lists at tippingmar.com
Wed Jul 29 19:59:49 IST 2009
Jules Field wrote:
>
>
> On 29/07/2009 19:03, Mark Nienberg wrote:
>> Mark Sapiro wrote:
>>>
>>> The underlying issue is that with SaneSecurity ClamAV signatures, lots
>>> of spam gets processed as a virus and thus gets a virus notice rather
>>> than a spam or high spam action, and this postmaster address gets a
>>> lot of spam, the notices for which drown out the others.
>>>
>> I agree this is a nuisance. I deal with it by filtering mail with
>> subject "Virus Detected" into a separate folder at the local mail
>> delivery agent level. True, the folder will receive real virus
>> notifications as well as SaneSecurity detections, but that doesn't
>> bother me too much. A cronjob cleans items older than 10 days out of
>> the folder so it doesn't grow too large. If I haven't read it by
>> then it probably isn't important.
> Have you got any ideas for me to avoid this problem or work around it?
> I could look for sub-strings in the virus report and do something
> appropriate, but what?
>
> Jules
>
Maybe you could add a header to the postmaster message for each virus
reported (sometimes there are multiple). Then the user could have more
options for filtering. Example:
X-Report: Clamd: message was infected: Sanesecurity.Junk.10079.UNOFFICIAL
X-Report: Clamd: msg-8399-50.jpg was infected:
Sanesecurity.SpamImg.353.UNOFFICIAL
Since there are signatures available in addition to SaneSecurity that
use clamav to identify spam or phishing, I don't think you want to get
into the business of trying to separate true viruses reports from spam
reports. The headers would give each user the opportunity to do that.
Mark Nienberg
More information about the MailScanner
mailing list