Need help with rule set
Mark Sapiro
mark at msapiro.net
Wed Jul 29 20:38:19 IST 2009
Jules Field wrote:
>
>On 29/07/2009 19:59, Mark Nienberg wrote:
>> Jules Field wrote:
>>>
>>>
>>> On 29/07/2009 19:03, Mark Nienberg wrote:
>>>> Mark Sapiro wrote:
>>>>>
>>>>> The underlying issue is that with SaneSecurity ClamAV signatures, lots
>>>>> of spam gets processed as a virus and thus gets a virus notice rather
>>>>> than a spam or high spam action, and this postmaster address gets a
>>>>> lot of spam, the notices for which drown out the others.
>>>>>
>>>> I agree this is a nuisance. I deal with it by filtering mail with
>>>> subject "Virus Detected" into a separate folder at the local mail
>>>> delivery agent level. True, the folder will receive real virus
>>>> notifications as well as SaneSecurity detections, but that doesn't
>>>> bother me too much. A cronjob cleans items older than 10 days out
>>>> of the folder so it doesn't grow too large. If I haven't read it by
>>>> then it probably isn't important.
>>> Have you got any ideas for me to avoid this problem or work around
>>> it? I could look for sub-strings in the virus report and do something
>>> appropriate, but what?
>>>
>>> Jules
>>>
>> Maybe you could add a header to the postmaster message for each virus
>> reported (sometimes there are multiple). Then the user could have
>> more options for filtering. Example:
>>
>> X-Report: Clamd: message was infected: Sanesecurity.Junk.10079.UNOFFICIAL
>> X-Report: Clamd: msg-8399-50.jpg was infected:
>> Sanesecurity.SpamImg.353.UNOFFICIAL
>>
>> Since there are signatures available in addition to SaneSecurity that
>> use clamav to identify spam or phishing, I don't think you want to get
>> into the business of trying to separate true viruses reports from spam
>> reports. The headers would give each user the opportunity to do that.
>I was more thinking of trying to convert these virus reports into spam
>reports, so they got added to the Spam score for the message and the
>spam actions then applied, rather than treating them as a virus report
>at all.
Here's a thought. It's not well thought out and may have holes, but if
there were a new MailScanner setting that could be a ruleset along the
lines of:
Virus Report Action = virus
which would preserve the current behavior but allow a ruleset where I
could say
Virus: (something to match in the virus report) virus
Virus: (something else to match in the virus report) spam
Virus: (yet something else to match in the virus report) high-spam
What I really want out of this that's different from what I can do now
with Notices To rules is to be able to include the message and not
just the headers in the report.
Come to think of it, maybe just a "Notices Include Message Body"
setting analogous to the "Notices Include Full Headers" setting would
do it for me. Then I could use a ruleset with "Virus:" conditions to
determine whether to include the body.
--
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California       better use your sense - B. Dylan
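Added example (not code from the thread or from MailScanner itself): a small stand-in for the "Virus Report Action" ruleset Mark sketches above. The setting is his proposal and does not exist in MailScanner; the "Virus:" condition lines imitate MailScanner's ruleset syntax but are parsed only by this script. The report lines are constructed to match the shape of the "X-Report: Clamd: ... was infected: ..." headers quoted earlier. It shows the two points a practitioner would want pinned down before adding such a setting: first match wins, so a narrow phishing rule must sit above the broad ".UNOFFICIAL" rule, and a message carrying several reports needs a defined severity order so a real virus is never downgraded to spam by a later unofficial signature on the same message.

```python
import re

# Constructed virus-report lines (not from the original post), shaped like the
# "X-Report: Clamd: ... was infected: ..." headers quoted in the thread.
SAMPLE_REPORTS = [
    "Clamd: message was infected: Sanesecurity.Junk.10079.UNOFFICIAL",
    "Clamd: msg-8399-50.jpg was infected: Sanesecurity.SpamImg.353.UNOFFICIAL",
    "Clamd: invoice.exe was infected: Example.Trojan.Constructed",  # constructed name
]

# Hypothetical ruleset for the proposed "Virus Report Action" setting. The
# "Virus:" condition syntax imitates MailScanner rulesets, but this script is
# the only thing that parses it. First matching rule wins; "default" is the
# fallback that keeps today's behaviour (every report is a virus).
RULESET = """\
# pattern                         action
Virus:  /Sanesecurity\\.Phish/i    high-spam
Virus:  /\\.UNOFFICIAL$/           spam
Virus:  default                   virus
"""

VALID_ACTIONS = {"virus", "spam", "high-spam"}


def parse_ruleset(text):
    """Return a list of (compiled regex or None for default, action) in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        m = re.match(r"Virus:\s+(\S+)\s+(\S+)$", line)
        if not m:
            raise ValueError("line %d: not a Virus: rule: %r" % (lineno, raw))
        pattern, action = m.groups()
        if action not in VALID_ACTIONS:
            raise ValueError("line %d: unknown action %r" % (lineno, action))
        if pattern == "default":
            rules.append((None, action))
            continue
        pm = re.match(r"^/(.*)/(i?)$", pattern)   # /regex/ with optional i flag
        if not pm:
            raise ValueError("line %d: pattern must be /regex/ or default" % lineno)
        flags = re.IGNORECASE if pm.group(2) else 0
        rules.append((re.compile(pm.group(1), flags), action))
    return rules


def signature_name(report):
    """Pull the signature name out of a 'Clamd: X was infected: NAME' report."""
    m = re.search(r"was infected:\s*(\S+)", report)
    return m.group(1) if m else report


def action_for(report, rules):
    """First-match lookup of the action for one virus report line."""
    name = signature_name(report)
    for regex, action in rules:
        if regex is None or regex.search(name):
            return action
    return "virus"   # no default line in the ruleset: keep current behaviour


def classify_message(reports, rules):
    """A message with several reports gets the most severe action found.
    Severity order: virus > high-spam > spam, so one real virus report is
    never downgraded by an unofficial spam signature on the same message.
    Returns (overall action, list of (report, action))."""
    rank = {"spam": 1, "high-spam": 2, "virus": 3}
    per_report = [(r, action_for(r, rules)) for r in reports]
    worst = max((a for _, a in per_report), key=rank.__getitem__, default="virus")
    return worst, per_report


if __name__ == "__main__":
    rules = parse_ruleset(RULESET)
    overall, details = classify_message(SAMPLE_REPORTS, rules)
    for report, action in details:
        print("%-9s %s" % (action, report))
    print("message action:", overall)
```

Run as a script it prints "spam" for the two Sanesecurity reports, "virus" for the constructed trojan report, and "virus" as the message action. Swapping the first two ruleset lines would make the broad ".UNOFFICIAL" rule shadow the phishing rule, which is the ordering mistake the parser deliberately does not protect against: the ruleset author owns it.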