Need help with rule set

Mark Sapiro mark at msapiro.net
Wed Jul 29 20:38:19 IST 2009


Jules Field wrote:
>
>On 29/07/2009 19:59, Mark Nienberg wrote:
>> Jules Field wrote:
>>>
>>>
>>> On 29/07/2009 19:03, Mark Nienberg wrote:
>>>> Mark Sapiro wrote:
>>>>>
>>>>> The underlying issue is that with SaneSecurity ClamAV signatures, lots
>>>>> of spam gets processed as a virus and thus gets a virus notice rather
>>>>> than a spam or high spam action, and this postmaster address gets a
>>>>> lot of spam, the notices for which drown out the others.
>>>>>
>>>> I agree this is a nuisance.  I deal with it by filtering mail with 
>>>> subject "Virus Detected" into a separate folder at the local mail 
>>>> delivery agent level.  True, the folder will receive real virus 
>>>> notifications as well as SaneSecurity detections, but that doesn't 
>>>> bother me too much.  A cronjob cleans items older than 10 days out 
>>>> of the folder so it doesn't grow too large.  If I haven't read it by 
>>>> then it probably isn't important.
>>> Have you got any ideas for me to avoid this problem or work around 
>>> it? I could look for sub-strings in the virus report and do something 
>>> appropriate, but what?
>>>
>>> Jules
>>>
>> Maybe you could add a header to the postmaster message for each virus 
>> reported (sometimes there are multiple).  Then the user could have 
>> more options for filtering. Example:
>>
>> X-Report: Clamd: message was infected: Sanesecurity.Junk.10079.UNOFFICIAL
>> X-Report: Clamd: msg-8399-50.jpg was infected: 
>> Sanesecurity.SpamImg.353.UNOFFICIAL
>>
>> Since there are signatures available in addition to SaneSecurity that 
>> use clamav to identify spam or phishing, I don't think you want to get 
>> into the business of trying to separate true viruses reports from spam 
>> reports.  The headers would give each user the opportunity to do that.
>I was more thinking of trying to convert these virus reports into spam 
>reports, so they got added to the Spam score for the message and the 
>spam actions then applied, rather than treating them as a virus report 
>at all.


Here's a thought. It's not well thought out and may have holes, but if
there were a new MailScanner setting that could be a ruleset along the
lines of:

Virus Report Action = virus

which would preserve the current behavior but allow a ruleset where I
could say

Virus: (something to match in the virus report) virus
Virus: (something else to match in the virus report) spam
Virus: (yet something else to match in the virus report) high-spam

What I really want out of this that's different from what I can do now
with Notices To rules is to be able to include the message and not
just the headers in the report.

Come to think of it, maybe just a "Notices Include Message Body"
setting analogous to the "Notices Include Full Headers" setting would
do it for me. Then I could use a ruleset with "Virus:" conditions to
determine whether to include the body.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
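The two ideas in this thread, tagging the notice with one X-Report header per scanner report (Mark Nienberg's suggestion) and mapping each report to a virus, spam or high-spam action by matching the report text (Mark Sapiro's proposed "Virus Report Action" ruleset), as an added, stand-alone example that is not part of the original posts and not MailScanner code. It assumes the report line format shown in the thread ("Clamd: <part> was infected: <signature>"); the rule table, the action names and the helper names are assumptions for illustration, not MailScanner settings. When a message carries several reports, the most severe action wins, and anything that does not match a rule or does not parse stays a virus report, so a changed scanner output format can never silently downgrade real malware to spam.

```python
import re
from typing import Dict, List, Sequence, Tuple

# Constructed sample of the per-message report, in the line format quoted
# in this thread (not real mail traffic).
SAMPLE_REPORT = (
    "Clamd: message was infected: Sanesecurity.Junk.10079.UNOFFICIAL\n"
    "Clamd: msg-8399-50.jpg was infected: Sanesecurity.SpamImg.353.UNOFFICIAL\n"
)

# One report line: "<scanner>: <part> was infected: <signature>".
REPORT_RE = re.compile(
    r"^(?P<scanner>\w+): (?P<part>.+?) was infected: (?P<sig>\S+)$"
)

# Hypothetical ordered rule table (an assumption, not a MailScanner feature):
# (regex on the signature name, action). First match wins, as in a ruleset.
# The last rule catches everything else so unknown names stay "virus".
DEFAULT_RULES: Sequence[Tuple[str, str]] = (
    (r"^Sanesecurity\.SpamImg\.", "high-spam"),
    (r"^Sanesecurity\.", "spam"),
    (r"\.UNOFFICIAL$", "spam"),
    (r".*", "virus"),
)

# Higher number = more severe; used to pick one action per message.
SEVERITY = {"spam": 1, "high-spam": 2, "virus": 3}


def parse_report(report: str) -> List[Dict[str, str]]:
    """Split the report into dicts; unparseable lines get sig=None so the
    caller can fail closed instead of ignoring them."""
    parsed = []
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        m = REPORT_RE.match(line)
        parsed.append(m.groupdict() if m else {"raw": line, "sig": None})
    return parsed


def classify_signature(sig: str, rules: Sequence[Tuple[str, str]] = DEFAULT_RULES) -> str:
    """Map one signature name to an action using the first matching rule.
    Matching is on the signature name only, never on the scanner's prose."""
    for pattern, action in rules:
        if re.search(pattern, sig):
            return action
    return "virus"  # no rule matched: fail closed


def classify_message(report: str, rules: Sequence[Tuple[str, str]] = DEFAULT_RULES) -> str:
    """Return the single action for the message: the most severe action of
    any report line. An empty or unparseable report is treated as a virus."""
    entries = parse_report(report)
    if not entries:
        return "virus"
    actions = []
    for entry in entries:
        if entry["sig"] is None:
            return "virus"  # unknown report format: do not downgrade
        actions.append(classify_signature(entry["sig"], rules))
    return max(actions, key=lambda a: SEVERITY[a])


def report_headers(report: str) -> List[str]:
    """Build one X-Report header per report line for the postmaster notice,
    so each recipient can filter on signature names themselves."""
    headers = []
    for entry in parse_report(report):
        if entry["sig"] is None:
            headers.append("X-Report: " + entry["raw"])
        else:
            headers.append(
                "X-Report: %s: %s was infected: %s"
                % (entry["scanner"], entry["part"], entry["sig"])
            )
    return headers


if __name__ == "__main__":
    for h in report_headers(SAMPLE_REPORT):
        print(h)
    print("action:", classify_message(SAMPLE_REPORT))
```

The rule order matters the same way it does in a MailScanner ruleset: the more specific SpamImg pattern sits above the generic Sanesecurity one, and the catch-all sits last. Because unofficial third-party signature sets are not limited to spam, a site using this approach should review which signature name prefixes it treats as spam rather than matching on ".UNOFFICIAL" alone.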


