Need help with rule set

Jules Field MailScanner at ecs.soton.ac.uk
Wed Jul 29 21:24:07 IST 2009



On 29/07/2009 20:38, Mark Sapiro wrote:
> Jules Field wrote:
>    
>> On 29/07/2009 19:59, Mark Nienberg wrote:
>>      
>>> Jules Field wrote:
>>>        
>>>>
>>>> On 29/07/2009 19:03, Mark Nienberg wrote:
>>>>          
>>>>> Mark Sapiro wrote:
>>>>>            
>>>>>> The underlying issue is that with SaneSecurity ClamAV signatures, lots
>>>>>> of spam gets processed as a virus and thus gets a virus notice rather
>>>>>> than a spam or high spam action, and this postmaster address gets a
>>>>>> lot of spam, the notices for which drown out the others.
>>>>>>
>>>>>>              
>>>>> I agree this is a nuisance.  I deal with it by filtering mail with
>>>>> subject "Virus Detected" into a separate folder at the local mail
>>>>> delivery agent level.  True, the folder will receive real virus
>>>>> notifications as well as SaneSecurity detections, but that doesn't
>>>>> bother me too much.  A cronjob cleans items older than 10 days out
>>>>> of the folder so it doesn't grow too large.  If I haven't read it by
>>>>> then it probably isn't important.
>>>>>            
>>>> Have you got any ideas for me to avoid this problem or work around
>>>> it? I could look for sub-strings in the virus report and do something
>>>> appropriate, but what?
>>>>
>>>> Jules
>>>>
>>>>          
>>> Maybe you could add a header to the postmaster message for each virus
>>> reported (sometimes there are multiple).  Then the user could have
>>> more options for filtering. Example:
>>>
>>> X-Report: Clamd: message was infected: Sanesecurity.Junk.10079.UNOFFICIAL
>>> X-Report: Clamd: msg-8399-50.jpg was infected:
>>> Sanesecurity.SpamImg.353.UNOFFICIAL
>>>
>>> Since there are signatures available in addition to SaneSecurity that
>>> use clamav to identify spam or phishing, I don't think you want to get
>>> into the business of trying to separate true viruses reports from spam
>>> reports.  The headers would give each user the opportunity to do that.
>>>        
>> I was more thinking of trying to convert these virus reports into spam
>> reports, so they got added to the Spam score for the message and the
>> spam actions then applied, rather than treating them as a virus report
>> at all.
>>      
>
> Here's a thought. It's not well thought out and may have holes, but if
> there were a new MailScanner setting that could be a ruleset along the
> lines of:
>
> Virus Report Action = virus
>
> which would preserve the current behavior but allow a ruleset where I
> could say
>
> Virus: (something to match in the virus report) virus
> Virus: (something else to match in the virus report) spam
> Virus: (yet something else to match in the virus report) high-spam
>
> What I really want out of this that's different from what I can do now
> with Notices To rules is to be able to include the message and not
> just the headers in the report.
>
> Come to think of it, maybe just a "Notices Include Message Body"
>    
Now that sounds a possibility. If I include it as an RFC-822 attachment 
(similar to the "attachment" Spam Action), then it would be harmless too.

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
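The "Virus Report Action" ruleset Mark Sapiro sketches above (match something in the virus report, map it to virus, spam or high-spam), worked through as an added Python example that is not part of the thread or of MailScanner itself. The rule patterns, the severity ordering and the Example.Virus.Placeholder signature are assumptions; the report format follows the two X-Report lines quoted earlier, including the wrapped second line, and the hypothetical MailScanner setting is not implemented here.

```python
import re

# Severity order (assumption): a message keeps the MOST severe action among all
# its reports, so a real virus hit is never downgraded by a co-occurring spam hit.
SEVERITY = {"spam": 1, "high-spam": 2, "virus": 3}

# Constructed ruleset in the spirit of "Virus: <pattern> <action>".
# First matching rule wins; unmatched signatures keep the default (current behaviour).
RULESET = [
    (re.compile(r"Sanesecurity\.Junk\."), "spam"),
    (re.compile(r"Sanesecurity\.SpamImg\."), "high-spam"),
]
DEFAULT_ACTION = "virus"

# One report line as shown in the thread: "Clamd: <part> was infected: <signature>"
REPORT_RE = re.compile(r"^Clamd:\s+(?P<part>.+?)\s+was infected:\s+(?P<sig>\S+)$")

# Constructed sample reports: the two lines from the thread (second one wrapped
# exactly as quoted), plus a placeholder signature standing in for a real virus.
SAMPLE_REPORT = """\
Clamd: message was infected: Sanesecurity.Junk.10079.UNOFFICIAL
Clamd: msg-8399-50.jpg was infected:
Sanesecurity.SpamImg.353.UNOFFICIAL
"""
SAMPLE_MIXED = SAMPLE_REPORT + "Clamd: invoice.zip was infected: Example.Virus.Placeholder\n"


def unfold(report_text):
    """Re-join report lines that were wrapped: a line not starting with 'Clamd:'
    is treated as the continuation of the previous report line."""
    lines = []
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Clamd:") or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line
    return lines


def action_for_signature(sig):
    """Map one signature name to an action via the ruleset, defaulting to 'virus'."""
    for pattern, action in RULESET:
        if pattern.search(sig):
            return action
    return DEFAULT_ACTION


def classify_message(report_text):
    """Return (overall_action, [(part, signature, action), ...]) for one message.
    overall_action is None when no parsable report line is present."""
    per_report = []
    for line in unfold(report_text):
        m = REPORT_RE.match(line)
        if not m:
            continue  # not a virus report line; ignore it
        sig = m.group("sig")
        per_report.append((m.group("part"), sig, action_for_signature(sig)))
    if not per_report:
        return None, []
    overall = max((a for _, _, a in per_report), key=SEVERITY.__getitem__)
    return overall, per_report
```

With SAMPLE_REPORT the message resolves to high-spam (its two reports map to spam and high-spam); with SAMPLE_MIXED the unmatched placeholder signature pulls it back to virus.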
